How to get client SSL certificate?

Martin_Zdila · June 17, 2019, 3:45pm

Hello

We would like to get client’s SSL certificate in HTTP endpoint handler. We tried to access it according to https://forum.mongoose-os.com/discussion/comment/7404/#Comment_7404 but in our case ssl->session->peer_cert is NULL.

struct mg_ssl_if_ctx {
  mbedtls_ssl_config *conf;
  mbedtls_ssl_context *ssl;
  mbedtls_x509_crt *cert;
  mbedtls_pk_context *key;
  mbedtls_x509_crt *ca_cert;
  struct mbuf cipher_suites;
  size_t saved_len;
};

static void deviceinfo_http_endpoint_handler(struct mg_connection *c, int ev, void *p, void *user_data) {
  struct mg_ssl_if_ctx *ssl_ctx = (struct mg_ssl_if_ctx *) c->ssl_if_data;

  if (ssl_ctx->ssl->session->peer_cert) {
    LOG(LL_INFO, ("Peer cert is not NULL"));
  } else {
    LOG(LL_INFO, ("Peer cert is NULL")); // <--- this is always getting printed
  }

  // ...
}

// mgos_register_http_endpoint("/deviceinfo", deviceinfo_handler, NULL);

We have configured mutual TLS according to https://mongoose-os.com/docs/mongoose-os/userguide/security.md#self-signed-certificate-for-mutual-tls and we test with curl -k --cert client.crt --key client.key https://192.168.0.108/deviceinfo.

Please give us some hint what is wrong in our approach.

Thanks in advance.

Martin_Zdila · June 18, 2019, 11:06am

It is probably causes by mongoose-os compiled with -DMG_SSL_IF_MBEDTLS_FREE_CERTS=1. Is there a way to recompile it without that cdef?

Martin_Zdila · July 16, 2019, 8:33am

I’ve found the hacky way to do it:

remove mongoose.c.o from deps/mongoose/lib/esp8266/libmongoose.a archive
put mongoose.c to deps/mongoose/src
modify deps/mongoose/mos.yml:
- add:
```
binary_libs:
   - lib/esp8266/libmongoose.a
```
- comment out line MG_SSL_IF_MBEDTLS_FREE_CERTS: 1

I wonder why this is not the default setup so that developer can easily enable/disable this feature by adding MG_SSL_IF_MBEDTLS_FREE_CERTS in his mos.yml.