You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Move BearSSLHelpers into BearSSL namespace (#5315)
BearSSLX509List, BearSSLSession, BearSSLPublicKey, and BearSSLPrivateKey
were all in the global namespace and not in the BearSSL:: one, due to an
oversight when they were originally created. Move them to the proper
namespace with the following mapping:
BearSSLX509List => BearSSL::X509List
BearSSLSession => BearSSL::Session
BearSSLPublicKey => BearSSL::PublicKey
BearSSLPrivateKey => BearSSL::PrivateKey
Copy file name to clipboardExpand all lines: doc/esp8266wifi/bearssl-client-secure-class.rst
+9-11
Original file line number
Diff line number
Diff line change
@@ -34,7 +34,7 @@ There are many configuration options that require passing in a pointer to an obj
34
34
BearSSL::WiFiClientSecure client;
35
35
const char x509CA PROGMEM = ".......";
36
36
void setup() {
37
-
BearSSLX509List x509(x509CA);
37
+
BearSSL::X509List x509(x509CA);
38
38
client.setTrustAnchor(&x509);
39
39
}
40
40
void loop() {
@@ -73,7 +73,7 @@ TLS Sessions
73
73
74
74
TLS supports the notion of a session (completely independent and different from HTTP sessions) which allow clients to reconnect to a server without having to renegotiate encryption settings or validate X509 certificates. This can save significant time (3-4 seconds in the case of EC keys) and can help save power by allowing the ESP8266 to sleep for a long time, reconnect and transmit some samples using the SSL session, and then jump back to sleep quicker.
75
75
76
-
`BearSSLSession` is an opaque class. Use the `BearSSL::WiFiClientSecure.setSession(&BearSSLSession)` method to apply it before the first `BearSSL::WiFiClientSecure.connect()` and it will be updated with session parameters during the operation of the connection. After the connection has had `.close()` called on it, serialize the `BearSSLSession` object to stable storage (EEPROM, RTC RAM, etc.) and restore it before trying to reconnect. See the `BearSSL_Sessions` example for a detailed example.
76
+
`BearSSL::Session` is an opaque class. Use the `BearSSL::WiFiClientSecure.setSession(&BearSSLSession)` method to apply it before the first `BearSSL::WiFiClientSecure.connect()` and it will be updated with session parameters during the operation of the connection. After the connection has had `.close()` called on it, serialize the `BearSSL::Session` object to stable storage (EEPROM, RTC RAM, etc.) and restore it before trying to reconnect. See the `BearSSL_Sessions` example for a detailed example.
77
77
78
78
`Sessions <#sessions-resuming-connections-fast>`__ contains additional information on the sessions API.
79
79
@@ -82,15 +82,15 @@ X.509 Certificate(s)
82
82
83
83
X509 certificates are used to identify peers in TLS connections. Normally only the server identifies itself, but the client can also supply an X509 certificate if desired (this is often done in MQTT applications). The certificate contains many fields, but the most interesting in our applications are the name, the public key, and potentially a chain of signing that leads back to a trusted authority (like a global internet CA or a company-wide private certificate authority).
84
84
85
-
Any call that takes an X509 certificate can also take a list of X509 certificates, so there is no special `X509` class, simply `BearSSLX509List` (which may only contain a single certificate).
85
+
Any call that takes an X509 certificate can also take a list of X509 certificates, so there is no special `X509` class, simply `BearSSL::X509List` (which may only contain a single certificate).
86
86
87
87
Generating a certificate to be used to validate using the constructor
If you need to add additional certificates (unlikely in normal operation), the `::append()` operation can be used.
96
96
@@ -100,7 +100,7 @@ Certificate Stores
100
100
101
101
The web browser you're using to read this document keeps a list of 100s of certification authorities (CAs) worldwide that it trusts to attest to the identity of websites.
102
102
103
-
In many cases your application will know the specific CA it needs to validate web or MQTT servers against (often just a single, self-signing CA private to your institution). Simply load your private CA in a `BearSSLX509List` and use that as your trust anchor.
103
+
In many cases your application will know the specific CA it needs to validate web or MQTT servers against (often just a single, self-signing CA private to your institution). Simply load your private CA in a `BearSSL::X509List` and use that as your trust anchor.
104
104
105
105
However, there are cases where you will not know beforehand which CA you will need (i.e. a user enters a website through a keypad), and you need to keep the list of CAs just like your web browser. In those cases, you need to generate a certificate bundle on the PC while compiling your application, upload the `certs.ar` bundle to SPIFFS or SD when uploading your application binary, and pass it to a `BearSSL::CertStore()` in order to validate TLS peers.
106
106
@@ -129,7 +129,7 @@ setInsecure()
129
129
130
130
Don't verify any X509 certificates. There is no guarantee that the server connected to is the one you think it is in this case, but this call will mimic the behavior of the deprecated axTLS code.
131
131
132
-
setKnownKey(const BearSSLPublicKey *pk)
132
+
setKnownKey(const BearSSL::PublicKey *pk)
133
133
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
134
134
135
135
Assume the server is using the specific public key. This does not verify the identity of the server or the X509 certificate it sends, it simply assumes that its public key is the one given. If the server updates its public key at a later point then connections will fail.
Verify the SHA1 fingerprint of the certificate returned matches this one. If the server certificate changes, it will fail. If an array of 20 bytes are sent in, it is assumed they are the binary SHA1 values. If a `char*` string is passed in, it is parsed as a series of human-readable hex values separated by spaces or colons (e.g. `setFingerprint("00:01:02:03:...:1f");`)
141
141
142
-
setTrustAnchors(BearSSLX509List *ta)
142
+
setTrustAnchors(BearSSL::X509List *ta)
143
143
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
144
144
145
145
Use the passed-in certificate(s) as a trust anchor, accepting remote certificates signed by any of these. If you have many trust anchors it may make sense to use a `BearSSL::CertStore` because it will only require RAM for a single trust anchor (while the `setTrustAnchors` call requires memory for all certificates in the list).
@@ -183,7 +183,7 @@ In certain applications where the TLS server does not support MFLN (not many do
183
183
Sessions (Resuming connections fast)
184
184
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
185
185
186
-
setSession(BearSSLSession &sess)
186
+
setSession(BearSSL::Session &sess)
187
187
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
188
188
189
189
If you are connecting to a server repeatedly in a fixed time period (usually 30 or 60 minutes, but normally configurable at the server), a TLS session can be used to cache crypto settings and speed up connections significantly.
@@ -212,5 +212,3 @@ setCiphersLessSecure()
212
212
^^^^^^^^^^^^^^^^^^^^^^
213
213
214
214
Helper function which essentially limits BearSSL to ciphers that were supported by the deprecated axTLS. These may be less secure than the ones BearSSL would natively choose, but they may be helpful and faster if your server depended on specific axTLS crypto options.
Sets an elliptic curve certificate and key for the server. Needs to be called before `begin()`.
@@ -38,7 +38,7 @@ Requiring Client Certificates
38
38
39
39
TLS servers can request the client to identify itself by transmitting a certificate during handshake. If the client cannot transmit the certificate, the connection will be dropped by the server.
0 commit comments