Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint (#10584)
Co-authored-by: Stephan Hadinger <stephan.hadinger@gmail.com>
This commit is contained in:
parent
8f0fb3ef35
commit
f52f26f566
@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
|
|||
- ESP8266 Support for 2MB and up linker files with 1MB and up LittleFS
|
||||
- ESP32 support for TLS MQTT using BearSSL (same as ESP8266)
|
||||
- Support for 24/26/32/34 bit RFID Wiegand interface (D0/D1) by Sigurd Leuther (#3647)
|
||||
- Added ``USE_MQTT_TLS_DROP_OLD_FINGERPRINT`` compile time option to drop old (less secure) TLS fingerprint
|
||||
|
||||
### Breaking Changed
|
||||
- ESP32 switch from default SPIFFS to default LittleFS file system loosing current (zigbee) files
|
||||
|
|
|
@ -804,6 +804,7 @@ extern "C" {
|
|||
return 0;
|
||||
}
|
||||
|
||||
#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT
|
||||
// No match under new algorithm, do some basic checking on the key.
|
||||
//
|
||||
// RSA keys normally have an e value of 65537, which is three bytes long.
|
||||
|
@ -838,6 +839,9 @@ extern "C" {
|
|||
pubkeyfingerprint_pubkey_fingerprint(xc, false);
|
||||
|
||||
return 0;
|
||||
#else // USE_TLS_OLD_FINGERPRINT_COMPAT
|
||||
return 1; // no match, error
|
||||
#endif // USE_TLS_OLD_FINGERPRINT_COMPAT
|
||||
} else {
|
||||
// Default (no validation at all) or no errors in prior checks = success.
|
||||
return 0;
|
||||
|
|
|
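Review bot: The `#else` and `#endif` added in the second hunk (`@ -838,6 +839,9`) carry the trailing comment `USE_TLS_OLD_FINGERPRINT_COMPAT`, but the conditional they close is the `#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT` added in the first hunk, so the comments name a macro that appears nowhere in this change. Change them to `#else // USE_MQTT_TLS_DROP_OLD_FINGERPRINT` and `#endif // USE_MQTT_TLS_DROP_OLD_FINGERPRINT` so a reader matching block ends can see that the legacy branch (the basic key check ending in `pubkeyfingerprint_pubkey_fingerprint(xc, false); return 0;`) is compiled in whenever the option is left undefined, which the config header shows is the default. A one-line comment at the `#ifndef`, e.g. `// Legacy fallback: accept a fingerprint that only matches the old algorithm and rewrite it; compiled out when USE_MQTT_TLS_DROP_OLD_FINGERPRINT is defined.`, would make that trade-off visible at the point where the weaker path is kept. The enclosing function begins before the first hunk and ends after the second.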
@ -401,6 +401,9 @@
|
|||
// #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
|
||||
// Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
|
||||
// Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
|
||||
// #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one.
|
||||
// Any valid fingerprint with the old algo will be automatically updated to the new algo.
|
||||
// Enable this if you want to disable the old algo check, which should be more secure
|
||||
// for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini`
|
||||
|
||||
// -- Telegram Protocol ---------------------------
|
||||
|
|
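Review bot: The third added comment line, `// Enable this if you want to disable the old algo check, which should be more secure`, is ambiguous about what "more secure" refers to, and the first added line says the algorithm changed without stating what is accepted while the option stays commented out. Rewording the three lines along the lines of `// If you use fingerprint (i.e. not CA) validation: the fingerprint algorithm changed to a more secure one. A fingerprint that matches only under the old algorithm is still accepted and rewritten to the new format; define this option to reject such fingerprints instead.` would state the default behaviour and the effect of the option explicitly. The `uncommend` on the following USE_4K_RSA line appears to be a context line and so is outside this commit, but it is worth fixing to `uncomment` in a follow-up.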