Hi @nikias
The mbedTLS SSL handshake process is producing certificates that are invalid, causing the device to have to trust the host on every connection.
mbedTLS (as opposed to OpenSSL and GnuTLS) strictly follows the RFC and requires an issuer name and subject name to be set for a certificate. It will happily generate certificates with these fields empty, but will not parse them.
I've produced a simple patchset which fixes this for the project I'm working on. I'd be happy to open a PR against your repo, but please provide guidance on what DN you want as the default. For this purpose I think it really is arbitrary and doesn't matter, but obviously the values I have in my patch are specific to our project and also the byproduct of frustration after finally discovering the issue after many hours.
https://github.com/ericpaulbishop/gargoyle/blob/base_on_openwrt_2305/package/libimobiledevice/patches/030-set_subject_and_issuer_name_certs.patch
Kind regards
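A check for the condition reported above, added here as an example (it is not code from the linked patch or from libimobiledevice): an X.509 Name is a DER SEQUENCE, so an empty issuer or subject is encoded as `30 00`, and a short walk of the TBSCertificate finds it. The function name `cert_empty_names` and the sample byte arrays are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one DER TLV header at *p (bounded by end). Returns the tag, stores the
 * content length in *len, leaves *p at the first content byte; -1 on error. */
static int der_header(const uint8_t **p, const uint8_t *end, size_t *len) {
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                      /* long form: low 7 bits = length-of-length */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > sizeof n || (size_t)(end - *p) < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;
    *len = n;
    return tag;
}

/* Bitmask: 1 = issuer Name is empty, 2 = subject Name is empty; -1 if malformed. */
int cert_empty_names(const uint8_t *der, size_t der_len) {
    const uint8_t *p = der, *end = der + der_len;
    static const uint8_t want[] = { 0x02, 0x30, 0x30, 0x30, 0x30 }; /* serial, sigAlg, issuer, validity, subject */
    size_t len;
    int r = 0;
    for (int i = 0; i < 2; i++) {        /* descend into Certificate, then TBSCertificate */
        if (der_header(&p, end, &len) != 0x30) return -1;
        end = p + len;
    }
    if (p < end && *p == 0xA0) { if (der_header(&p, end, &len) < 0) return -1; p += len; } /* version */
    for (int i = 0; i < 5; i++) {
        if (der_header(&p, end, &len) != want[i]) return -1;
        if (len == 0 && (i == 2 || i == 4)) r |= (i == 2) ? 1 : 2;  /* issuer / subject */
        p += len;
    }
    return r;
}

/* Constructed skeletons: no key or signature; sigAlg and validity left as empty SEQUENCEs. */
#define HEAD 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01, 0x30,0x00   /* v3, serial 1, sigAlg */
#define CN_X 0x30,0x0C,0x31,0x0A,0x30,0x08,0x06,0x03,0x55,0x04,0x03,0x0C,0x01,0x78 /* CN=x */
static const uint8_t EMPTY_DN[] = { 0x30,0x12, 0x30,0x10, HEAD, 0x30,0x00, 0x30,0x00, 0x30,0x00 };
static const uint8_t WITH_DN[]  = { 0x30,0x2A, 0x30,0x28, HEAD, CN_X, 0x30,0x00, CN_X };

int main(void) {
    printf("empty=%d named=%d\n", cert_empty_names(EMPTY_DN, sizeof EMPTY_DN),
           cert_empty_names(WITH_DN, sizeof WITH_DN));
    return 0;
}
```

The input is the DER form of the certificate, so a PEM file needs its base64 body decoded first.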