Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Find replacement for CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT (IDFGH-11195) #12362

Closed
3 tasks done
torkleyy opened this issue Oct 6, 2023 · 2 comments
Closed
3 tasks done

Find replacement for CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT (IDFGH-11195) #12362

torkleyy opened this issue Oct 6, 2023 · 2 comments
Labels
Resolution: Done Issue is done internally Status: Done Issue is done internally

Comments

@torkleyy
Copy link

torkleyy commented Oct 6, 2023

Answers checklist.

  • I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
  • I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
  • I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

This flag is currently without any effect, as it has been removed upstream (see Mbed-TLS/mbedtls#4477).

This feature is crucial as major vendors of certificates use such unsupported extensions (see Mbed-TLS/mbedtls#2605).

I think there are two options to replace this functionality:

  1. Replicate this functionality by implementing the callback (mbedtls_x509_crt_parse_der_with_ext_cb) and ignore unknown extensions (this is deemed insecure by mbedtls maintainers)
  2. Allow the user to service such a callback
@espressif-bot espressif-bot added the Status: Opened Issue is new label Oct 6, 2023
@github-actions github-actions bot changed the title Find replacement for CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT Find replacement for CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT (IDFGH-11195) Oct 6, 2023
@espressif-bot espressif-bot added Status: In Progress Work is in progress and removed Status: Opened Issue is new labels Oct 9, 2023
@mahavirj
Copy link
Member

Thanks for notifying. We will remove this config from ESP32 mbedtls port. However, the alternative solution for this must be discussed in the upstream community itself. One of the suggestion can be found here: Mbed-TLS/mbedtls#3564 (comment)

@espressif-bot espressif-bot added Status: Done Issue is done internally Resolution: Done Issue is done internally and removed Status: In Progress Work is in progress labels Oct 23, 2023
@mahavirj
Copy link
Member

Fixed with 0c3ed4f

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Resolution: Done Issue is done internally Status: Done Issue is done internally
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mahavirj @torkleyy @espressif-bot