Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

modules: mbedTLS: Add separate Kconfig entry for MBEDTLS_HAVE_TIME_DATE #35461

Merged
merged 1 commit into from
Jun 1, 2021
Merged

modules: mbedTLS: Add separate Kconfig entry for MBEDTLS_HAVE_TIME_DATE #35461

merged 1 commit into from
Jun 1, 2021

Conversation

rlubos
Copy link
Contributor

@rlubos rlubos commented May 19, 2021
edited
Loading

Currently the MBEDTLS_HAVE_TIME_DATE mbedTLS option is enabled based on
the CONFIG_POSIX_API option. This doesn't seem right, since enabling
the POSIX API does not guarantee that there is a valid time source in
the system. This was the case for the qemu_x86 platform, where enabling
POSIX_API caused TLS handshake failures due to certificate validation
errors caused by no valid time avaialble in the system.

Fix this by adding a specific KConfig entry for date/time configuration
in mbedTLS. Applications that need to enforce date verification in
mbedTLS should enable it explicitly instead of relying on the
non-obvious implicit configuration.

Fixes #35401

Signed-off-by: Robert Lubos robert.lubos@nordicsemi.no

@rlubos rlubos requested a review from nashif as a code owner May 19, 2021 14:40
@rlubos rlubos requested a review from jukkar May 19, 2021 14:40
@rlubos
modules: mbedTLS: Add separate Kconfig entry for MBEDTLS_HAVE_TIME_DATE
d030530 
Currently the MBEDTLS_HAVE_TIME_DATE mbedTLS option is enabled based on
the CONFIG_POSIX_API option. This doesn't seem right, since the enabling
the POSIX API does not guarantee that there is a valid time source in
the system. This was the case for the qemu_x86 platform, where enabling
POSIX_API caused TLS handshake failures due to certificate validation
errors caused by no valid time avaialble in the system.

Fix this by adding a specific KConfig entry for date/time configuration
in mbedTLS. Applications that need to enforce date verification in
mbedTLS should enable it explicitly instead of relying on the
non-obvious implicit configuration.

Fixes zephyrproject-rtos#35401

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
@rlubos rlubos force-pushed the mbedlts/make-date-time-option-configurable branch from 0fa24fd to d030530 Compare May 20, 2021 12:58
@jukkar jukkar mentioned this pull request May 21, 2021
Closed
@mglettig
Copy link

@rlubos When do you think will this PR be merged back?

@rlubos rlubos added the bug The issue is a bug, or the PR is fixing a bug label May 31, 2021
@rlubos rlubos added this to the v2.6.0 milestone May 31, 2021
@rlubos
Copy link
Contributor Author

rlubos commented May 31, 2021

@mglettig That's not up to me really. I've added some labels though (I should've add them earlier, this PR addresses a bug-issue after all).

@jukkar jukkar requested a review from galak May 31, 2021 09:58
@galak galak merged commit 6ca9249 into zephyrproject-rtos:main Jun 1, 2021
mglettig added a commit to endresshauser-lp/mbedtls that referenced this pull request Jun 10, 2021
@mglettig
Disable datetime check for TLS for now. --> This will be resolved in …
b4d223a 
…the future with the following PR: zephyrproject-rtos/zephyr#35461.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@galak galak galak approved these changes

@jukkar jukkar jukkar approved these changes

@nashif nashif Awaiting requested review from nashif

Assignees
No one assigned
Labels
area: Modules bug The issue is a bug, or the PR is fixing a bug
Projects
None yet
Milestone
v2.6.0
Development

Successfully merging this pull request may close these issues.

Enabling POSIX_API leads to SSL handshake error
4 participants
@rlubos @mglettig @jukkar @galak