Is it possible to skip certificate validation in https ?

RE: Is it possible to skip certificate validation in https ?

DucAnh — Thu, 09 Jul 2020 01:25:09 GMT

Hi Simon, look like it still needs cert_provision even skip certificate-validation.

RE: Is it possible to skip certificate validation in https ?

Simon — Wed, 08 Jul 2020 12:48:35 GMT

I just tested this with the https_client sample in NCS v1.3.0. I simply did the following in <..>\ncs\v1.3.0\nrf\samples\nrf9160\https_client\src\main.c-->tls_setup(..)

/* Set up TLS peer verification */
enum {
	NONE = 0,
	OPTIONAL = 1,
	REQUIRED = 2,
};

verify = NONE; //Changed it from REQUIRED

err = setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));
if (err) {
	printk("Failed to setup peer verification, err %d\n", errno);
	return err;
}else{
	printk("Successfully set peer verification to: %d\n", verify);
}

Why did you remove cert_provision()? Even though the domain name won't be verified, I think you still need the keys to encrypt the connection.

I am not too familiar with https/tls, so I may be mistaken.

Best regards,

Simon

RE: Is it possible to skip certificate validation in https ?

DucAnh — Fri, 03 Jul 2020 04:15:26 GMT

Hi Simon!

I have changed verify to 0, but the debug log print "Failed to setup peer verification, , err 109" (im using the code from https_client sample for nrf9160 and remove cert_provision). Do you know what this means ?

Thanks you!

RE: Is it possible to skip certificate validation in https ?

Simon — Thu, 02 Jul 2020 21:49:58 GMT

I think this can be done in the following manner:

int verify = 0; // NONE
setsockopt(fd, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify));

Then the domain name won't be verified using the CA certificate.

Best regards,

Simon