Use root CAs to verify SSL certificates

[suyashkumar]

Hi there, I noticed that the core implementation of beginSSL requires a fingerprint of the SSL certificate for verification. Since SSL certs can change often (every 90 days for the popular LetsEncrypt certs) I was wondering if it would make sense to validate CAs using the Arduino WiFiClientSecure example which uses root CA certs to validate certificates (instead of child client certificate fingerprints, which is what this library uses right)?

Either common root certificates could be stored in the library, or clients could dependency-inject one all the way through to this library (as is done for the fingerprint in repos like https://github.com/timum-viw/socket.io-client ).

Has there been any thinking around this approach?

[Links2004]

no thinking yet, CA check where not around during the implementation of the LIB ;)
but It looks like it can be done relative easily.

• a new begin function to set the CA cert ptr
• storage of the ptr here: https://github.com/Links2004/arduinoWebSockets/blob/master/src/WebSocketsClient.h#L94
• CA loading here : https://github.com/Links2004/arduinoWebSockets/blob/master/src/WebSocketsClient.cpp#L144
• verifyCertChain here
  (when CA is configured) https://github.com/Links2004/arduinoWebSockets/blob/master/src/WebSocketsClient.cpp#L708

[suyashkumar]

@Links2004 that makes sense, thank you for pointing out the relevant locations for code addition! I am happy to give the implementation a try and submit a pull request if that is okay with you? I should have some time in the next two weeks. Just let me know :).

[Links2004]

sure, pull request are always welcome.

[Links2004]

CA support is Implement via native BareSSL for ESP8266 see #557