
WIP: Add mutual TLS for EspHttpClient

Open AnthonyGrondin opened this issue 2 years ago • 1 comments

Description

Add client_cert_pem and client_key_pem attributes to EspHttpClient for mutual TLS, as defined in https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_http_client.html#_CPPv424esp_http_client_config_t

This is currently a PoC. The feature still has a bug to resolve, described below.

Example

You can include certificates with the include_str!() macro

// Client certificate and private key, embedded into the firmware at build time
const client_cert: &str = include_str!("certs/client_cert.pem");
const client_key: &str = include_str!("certs/client_key.pem");

and specify them in EspHttpClientConfiguration

let mut client = EspHttpClient::new(&EspHttpClientConfiguration {
    crt_bundle_attach: Some(esp_idf_sys::esp_crt_bundle_attach),
    client_cert_pem: Some(client_cert),
    client_key_pem: Some(client_key),
    ..Default::default()
})?;

~~Issue~~ (Fixed)

~~There's currently an issue with the underlying implementation~~, https://github.com/esp-rs/esp-idf-svc/blob/73b3e53e1f7fd87b4abcab68089509afbb5c7166/src/http/client.rs#L114-L131 ~~We specify the pointers to the certificates and pass them to native_config, but the value referenced by the pointers is dropped at the end of the scope. Similar to the problem detailed here:~~ https://github.com/esp-rs/esp-idf-svc/blob/554cad178e079b75e837885dffcf71a833f53107/src/http/server.rs#L198-L208

~~Contrary to the HTTPS server, the values referenced by the pointers need to be valid when doing a request, even after the initialization has ended.~~

AnthonyGrondin avatar Aug 30 '22 20:08 AnthonyGrondin
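The lifetime problem described in the post (pointers handed to the native config outliving the Rust buffers they point into) is the classic FFI dangling-pointer pattern. The following is an added example, not code from the esp-idf-svc PR or project: it uses a hypothetical `NativeConfig` struct that stands in for the `esp_http_client_config_t` fields from the ESP-IDF docs (the real binding lives in `esp-idf-sys` and is not used here), and it assumes, per the ESP-IDF documentation, that a length of 0 means the PEM buffer is NUL-terminated. The fix it demonstrates is to keep the owning `CString`s inside the same struct as the config, so the pointers stay valid for every request the client makes, not just during initialization.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;

/// Stand-in for the relevant esp_http_client_config_t fields (hypothetical;
/// field names follow the ESP-IDF docs, but this is NOT the esp-idf-sys binding).
#[repr(C)]
pub struct NativeConfig {
    pub client_cert_pem: *const c_char,
    pub client_cert_len: usize,
    pub client_key_pem: *const c_char,
    pub client_key_len: usize,
}

impl Default for NativeConfig {
    fn default() -> Self {
        Self {
            client_cert_pem: std::ptr::null(),
            client_cert_len: 0,
            client_key_pem: std::ptr::null(),
            client_key_len: 0,
        }
    }
}

/// Owns the NUL-terminated PEM buffers for as long as the native config is in use.
///
/// Buggy pattern (what the post describes):
///   let native = NativeConfig { client_cert_pem: CString::new(pem)?.as_ptr(), .. };
/// The temporary CString is freed at the end of the statement, so the C side
/// later reads freed memory on every request. Keeping the CString as a field
/// of the same struct ties its lifetime to the config.
pub struct MutualTlsClient {
    _client_cert: Option<CString>,
    _client_key: Option<CString>,
    native: NativeConfig,
}

impl MutualTlsClient {
    pub fn new(client_cert_pem: Option<&str>, client_key_pem: Option<&str>) -> Result<Self, NulError> {
        // CString::new fails if the PEM text contains an interior NUL byte,
        // which would otherwise silently truncate the certificate on the C side.
        let cert = client_cert_pem.map(CString::new).transpose()?;
        let key = client_key_pem.map(CString::new).transpose()?;

        let mut native = NativeConfig::default();
        if let Some(c) = &cert {
            // CString stores its bytes on the heap, so the pointer remains valid
            // when the CString value itself is moved into the struct below.
            native.client_cert_pem = c.as_ptr();
            native.client_cert_len = 0; // 0 => NUL-terminated PEM (assumption from ESP-IDF docs)
        }
        if let Some(k) = &key {
            native.client_key_pem = k.as_ptr();
            native.client_key_len = 0;
        }

        Ok(Self { _client_cert: cert, _client_key: key, native })
    }

    /// The native config as the C side would receive it.
    pub fn native_config(&self) -> &NativeConfig {
        &self.native
    }

    /// Reads the certificate back through the raw pointer, standing in for
    /// what the C side does when it builds the TLS handshake for a request.
    pub fn cert_seen_by_native(&self) -> Option<String> {
        read_c_string(self.native.client_cert_pem)
    }

    pub fn key_seen_by_native(&self) -> Option<String> {
        read_c_string(self.native.client_key_pem)
    }
}

fn read_c_string(ptr: *const c_char) -> Option<String> {
    if ptr.is_null() {
        return None;
    }
    // SAFETY: every non-null pointer stored in NativeConfig came from a CString
    // that the owning MutualTlsClient still holds, so it is valid and NUL-terminated.
    let s = unsafe { CStr::from_ptr(ptr) };
    Some(s.to_string_lossy().into_owned())
}

fn main() {
    // Constructed placeholder PEM text; a real certificate would be loaded with include_str!().
    let cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n";
    let client = MutualTlsClient::new(Some(cert), None).expect("valid PEM");
    println!("native sees: {:?}", client.cert_seen_by_native());
}
```

The `_client_cert` and `_client_key` fields are never read from Rust; they exist only so that the buffers are dropped together with the config rather than at the end of `new()`.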

Each mutual TLS request seems to take a couple of seconds, I believe this is because we don't take advantage of the TLS sessions feature.

https://github.com/espressif/esp-idf/issues/8852

EDIT: Upon further testing, it doesn't seem like it was the TLS connection that was responsible for the delay. I'll remove the WIP status of this PR and request a review, since it solves the main purpose of the issue, which was adding support for mutual TLS in the EspHttpClient.

AnthonyGrondin avatar Sep 01 '22 04:09 AnthonyGrondin

@AnthonyGrondin Sorry for the huge delay here, but as you've probably noticed, I was overly busy with finishing the next branch and merging it into master. Now that this is done, we can follow up on all the outstanding merge requests. I'm absolutely for merging this now, but can you rebase it on top of latest master and fix the merge conflicts?

ivmarkov avatar Sep 22 '22 08:09 ivmarkov

@AnthonyGrondin The PR is unmergeable due to conflicts. Can you resolve these?

ivmarkov avatar Sep 25 '22 08:09 ivmarkov

@AnthonyGrondin The PR is unmergeable due to conflicts. Can you resolve these?

^^^ Disregard.

ivmarkov avatar Sep 25 '22 08:09 ivmarkov