Hello.
After some great struggles, we've managed to enable WiFi and encrypted socket + TLS connection to google.com and various websites.
Since then, we've been looking into having a r1.pem that contains all trusted certificates. Since that entails around 143 certificates, that equates to 223kb so the file is too big. The team lead had a great idea: sha256 fingerprint checking, which would make the file ~4,5kb if we store just the fingerprints for the 143 certificates.
So I've been looking into enabling this instead of the normal certificate verification in mbedtls. Currently I'm dabbling with:
Note: devepment is done on Macbook (so MacOS), and we're using Nordic SDK v3.0.0.
#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
and:
mbedtls_ssl_conf_ca_cb(&conf, cert_verify_callback, NULL);
I've succeeded in hacking the SDK itself and overriding the certificate check from inside:
/opt/nordic/ncs/v3.0.0/modules/crypto/mbedtls/library/ssl_tls.c:10045: ret = mbedtls_x509_crt_verify_restartable( chain, ca_chain, ca_crl, ssl->conf->cert_profile, hostname, &ssl->session_negotiate->verify_result, f_vrfy, p_vrfy, rs_ctx);
with a custom one written by us.
But I doubt I'm doing it correctly given the define and callback mentioned above. Any hints regarding this from anyone?