Deploying to gh-pages from @ d5e9c6d1aa
🚀
parent 7452a745bf
commit c9dc6e9707
1 changed files with 6 additions and 2 deletions
|
@ -218,7 +218,10 @@ $(document).ready(function(){initNavTree('index.html',''); initResizable(); });
|
|||
<div class="line"> ...</div>
|
||||
<div class="line">}</div>
|
||||
<div class="line">...</div>
|
||||
</div><!-- fragment --><p> The client certificate must be formatted correctly (according to <a href="https://bearssl.org/apidoc/bearssl__pem_8h.html">BearSSL's specification</a>) in order for mTLS to work. If the certificate is improperly formatted, <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> will attempt to make a regular TLS connection instead of an mTLS one, and fail to connect as a result. Because of this, if you are seeing errors similar to <code>"peer did not send certificate chain"</code> on your server, check that your certificate and key are formatted correctly (see <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/7#issuecomment-593704969">https://github.com/OPEnSLab-OSU/SSLClient/issues/7#issuecomment-593704969</a>). For more information on <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a>'s mTLS functionality, please see the <a href="https://openslab-osu.github.io/SSLClient/class_s_s_l_client_parameters.html">SSLClientParameters documentation</a>.</p>
|
||||
</div><!-- fragment --><blockquote class="doxtable">
|
||||
<p>NOTE: Certificates are finicky, and it is easy to make mistakes when generating a certificate chain yourself. If <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> raises an error that says <code>Expected server name not found in chain</code>, double check that the common name, distinguished name, and issuer name are being set correctly (check out <a href="https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce">this article</a> for how to do that). </p>
|
||||
</blockquote>
|
||||
<p>The client certificate must be formatted correctly (according to <a href="https://bearssl.org/apidoc/bearssl__pem_8h.html">BearSSL's specification</a>) in order for mTLS to work. If the certificate is improperly formatted, <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> will attempt to make a regular TLS connection instead of an mTLS one, and fail to connect as a result. Because of this, if you are seeing errors similar to <code>"peer did not send certificate chain"</code> on your server, check that your certificate and key are formatted correctly (see <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/7#issuecomment-593704969">https://github.com/OPEnSLab-OSU/SSLClient/issues/7#issuecomment-593704969</a>). For more information on <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a>'s mTLS functionality, please see the <a href="https://openslab-osu.github.io/SSLClient/class_s_s_l_client_parameters.html">SSLClientParameters documentation</a>.</p>
|
||||
<p>Note that both the above client certificate information <em>as well as</em> the correct trust anchors associated with the server are needed for the connection to succeed. Trust anchors will typically be generated from the CA used to generate the server certificate. More information on generating trust anchors can be found in <a class="el" href="md__trust_anchors.html">TrustAnchors.md</a>.</p>
|
||||
<h1>Implementation Gotchas</h1>
|
||||
<p>Some ideas that didn't quite fit in the API documentation.</p>
|
||||
|
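Review bot: The added NOTE blockquote never says which certificate chain it is about. It is inserted directly above the paragraph on client certificate formatting, yet the error it quotes, `Expected server name not found in chain`, is about the server name, so a reader debugging mTLS could end up regenerating the client certificate instead. Suggest stating that the common name, distinguished name and issuer name to check are those of the server's chain, and linking TrustAnchors.md (already referenced two paragraphs below) alongside the external article, since the only how-to guidance given here is an off-site link.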
@ -299,7 +302,8 @@ $(document).ready(function(){initNavTree('index.html',''); initResizable(); });
|
|||
<li>When using PubSubClient on the ESP32, a stack overflow will occur if the user does not flush the buffer immediately after writing. The cause of this issue is under active investigation. More information in issue <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/9">https://github.com/OPEnSLab-OSU/SSLClient/issues/9</a>.</li>
|
||||
<li>Previous to <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> v1.6.7, calls to <code><a class="el" href="class_s_s_l_client.html#ad8ed697371748e31e01c3f697bc36cbe" title="Close the connection.">SSLClient::stop</a></code> would sometimes hang the device. More information in issue <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/13">https://github.com/OPEnSLab-OSU/SSLClient/issues/13</a>.</li>
|
||||
<li>Previous to <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> v1.6.6, calls to <code><a class="el" href="class_s_s_l_client.html#ab97c0745f65a6c6009ac938b3b9912c3" title="Connect over SSL to a host specified by an IP address.">SSLClient::connect</a></code> would fail if the driver indicated that a socket was already opened (<code>Client::connected</code> returned true). This behavior created unintentional permanent failures when <code>Client::stop</code> would fail to close the socket, and as a result was downgraded to a warning in v1.6.6.</li>
|
||||
<li>Previous to <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> v1.6.3, calling <code><a class="el" href="class_s_s_l_client.html#a03c7926938acd57cfc3b982edf725a86" title="Write some bytes to the SSL connection.">SSLClient::write</a></code> with more than 2Kb of total data before flushing the write buffer would cause a buffer overflow. </li>
|
||||
<li>Previous to <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> v1.6.3, calling <code><a class="el" href="class_s_s_l_client.html#a03c7926938acd57cfc3b982edf725a86" title="Write some bytes to the SSL connection.">SSLClient::write</a></code> with more than 2Kb of total data before flushing the write buffer would cause a buffer overflow.</li>
|
||||
<li>Previous to <a class="el" href="class_s_s_l_client.html" title="The main SSLClient class. Check out README.md for more info.">SSLClient</a> v1.6.11, <code><a class="el" href="class_s_s_l_client.html#a03c7926938acd57cfc3b982edf725a86" title="Write some bytes to the SSL connection.">SSLClient::write</a></code> would sometimes call <code>br_ssl_engine_sendapp_ack</code> with zero bytes, which resulted in a variety of issues including (but not limited to) and infinite recursion loop on the esp32 ( <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/9">#9</a>, <a href="https://github.com/OPEnSLab-OSU/SSLClient/issues/30">#30</a>). </li>
|
||||
</ul>
|
||||
</div></div><!-- PageDoc -->
|
||||
</div><!-- contents -->
|
||||
|
|
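Review bot: The new v1.6.11 list item cites #9 as one of the issues caused by the zero-byte `br_ssl_engine_sendapp_ack` call, but the unchanged first item in this hunk still tells readers that the PubSubClient stack overflow on the ESP32 (the same issue 9) has a cause "under active investigation". The two entries now contradict each other; suggest updating or merging the older item so it names the affected versions. In the same added line, "and infinite recursion loop on the esp32" should read "an infinite recursion loop on the ESP32" to match the capitalisation used in the first item, and the entry would be easier to find placed at the top, since the existing items run from newest version (v1.6.7) to oldest (v1.6.3).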