Skip to content

Feature/tls verification fix#2

Merged
heshaoqiong-tuya merged 2 commits into
masterfrom
feature/tls-verification-fix
Jul 6, 2026
Merged

Feature/tls verification fix#2
heshaoqiong-tuya merged 2 commits into
masterfrom
feature/tls-verification-fix

Conversation

@sedawwk

@sedawwk sedawwk commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

Add cert_bundle_attach callback support to the IoT client module so that FreeRTOS/ESP-IDF devices can enable TLS certificate verification without needing a PEM string — closing a security gap where all iot-client connections fell back to VERIFY_NONE.

  • Thread cert_bundle_attach through all config structs (20 structs, ~33 assignment sites across 12 source files) from the public API (iot_client_config_t, iot_on_boarding_config_t, iot_qrcode_request_t) down to the two TLS connect sites (http_client_interface.c, mqtt.c). The shared tls_connect() in common/tls.c already supported this callback — this was purely a plumbing gap.

  • Update 3 ESP-IDF examples (rtc-tcp-client, ota-demo, pair-by-ble) to set .cert_bundle_attach = (tls_cert_bundle_attach_fn)esp_crt_bundle_attach, demonstrating verified TLS for iot-client connections.

  • Add user-facing documentation (docs-site/docs/guides/tls-cert-verification.md) covering both .cacert (PEM string, POSIX) and .cert_bundle_attach (platform callback, ESP-IDF/RTOS), with code examples, precedence rules, affected APIs, sdkconfig requirements, troubleshooting, and best practices. Updated the iot-client API reference and sidebar.

sedawwk and others added 2 commits July 6, 2026 15:26
…ication on FreeRTOS

Add a cert_bundle_attach callback field alongside cacert in every iot-client
config struct so ESP-IDF callers can pass esp_crt_bundle_attach for peer
verification without needing a PEM string. The shared tls_connect() already
supported this callback; this closes the plumbing gap.

When cacert is NULL and cert_bundle_attach is set, TLS connections use
VERIFY_REQUIRED with the platform cert bundle instead of falling back to
VERIFY_NONE. cacert takes precedence when both are provided. Existing
callers that set neither remain unchanged (VERIFY_NONE fallback).

Updated 3 ESP-IDF examples (rtc-tcp-client, ota-demo, pair-by-ble) to use
esp_crt_bundle_attach for iot-client TLS connections.
Covers both verification modes (.cacert PEM string for POSIX, .cert_bundle_attach
platform callback for ESP-IDF/RTOS), precedence rules, all affected APIs, runtime
CA fetch, sdkconfig requirements, troubleshooting, and best practices. Updates
iot-client reference tables and sidebar navigation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@heshaoqiong-tuya heshaoqiong-tuya force-pushed the feature/tls-verification-fix branch from 3dd4651 to 98baa5c Compare July 6, 2026 09:31
@heshaoqiong-tuya heshaoqiong-tuya merged commit cc2e80f into master Jul 6, 2026
4 checks passed
@heshaoqiong-tuya heshaoqiong-tuya deleted the feature/tls-verification-fix branch July 6, 2026 09:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants