Better TLS certificate validation

[ridercz]

It's great that this project supports HTTPS/TLS, but the current implementation is very close to worthless from security standpoint. Because when I can check only direct certificate fingerprint, it means that the certificate basically cannot be ever changed - when expires or is compromised.

I fully understand it's not possible to add full validation of certificate chain, but maybe it would be possible to add one-level validation to the CA? It would change the problem from "you can't change the server certificate, ever" to "you can't change the CA". Which is still far from ideal, but can actually provide some manageable security?

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[igrr]

Validation of CA certificate is easy to add, but this alone doesn't let you deal with compromised certificates. You also need to support CRL/OCSP.
Until som

[bbx10]

There is a good reason to check the cert chain instead of server cert fingerprint. Some server certs expire every 90 days so that means the ESP program must be updated with a new fingerprint every 90 days or sooner. Root CA certs expiration dates are usually many years in the future so they only rarely need to be updated.

https://letsencrypt.org/2015/11/09/why-90-days.html

[Potato-Matic]

Side note: is storage is an issue, could the internal FS be used to store certs and such? Some modules have a rather large flash...

[Potato-Matic]

One issue I've found is with having my ESP8266 interact with various google APIs. I supply the correct fingerprint in the sketch, but it doesn't take long before the sketch starts to fail and eventually doesn't work at all, as google transitions to another certificate. (they have their own intermediate CA and can issue themselves as many as they like)

If it were possible to look up the chain a level at the CA to see if the certificate is valid it would be great, so that I don't have to keep changing the certificate fingerprint in my sketch. Alternatively, if there's a way to get an ESP8266 to just look for the new fingerprint or ignore it completely, that would be great. I have to use https, as it's the only way google's APIs will allow a connection, but can't seem to find a way around the frequently changing fingerprint causing things to fail.

[Potato-Matic]

After a fair length of testing, I've found that the cert(s) used by the outward facing interface of google scripts change about every week and a half, meaning I frequently have to patch my code with the new fp.

[igrr]

I got this working, will put up a pull request soon.

[igrr]

Pushed to master.