Example of SSL/TLS using a rootCA

[pakalvoltan]

Build tool used:

• Arduino IDE
• Platformio (Visual Studio Code plugin)
• Platformio CLI
• Other

Board used (ESP32/ESP8266/Arudino):

• ESP8266-based
• ESP32-based

Other Libraries That are used:

Description of problem:
I have successfully used this library to send emails using gmail and SSL/TLS using port 587, but without setting the option to verify the certificate. However for security reasons it would be good to verify the root CA. I have tried in several ways to use it, and no connection. I always get in the debug log in my serial console,the following:

Send command, STARTTLS
C: send STARTTLS command
220 2.0.0 Ready to start TLS
< S: 220 2.0.0 Ready to start TLS
C: performing the SSL/TLS handshake
C: seeding the random number generator
C: setting up the SSL/TLS structure
C: cleaning SSL connection
Error, fail to set up the SSL/TLS structure
E: fail to set up the SSL/TLS structure

It would be great to include an example on how to use the
session.certificate.verify = true;

how to specify the root certificate and how to specify the other necessary options to be set.

Thank you!

Share code snippet to reproduce the issue:

PASTE .cpp / .ino code here

Additional information and things you've tried:

/* Set the session config */
session.server.host_name = SMTP_HOST; // This is "smtp.gmail.com"
session.server.port = SMTP_PORT; // This is 587
session.login.email = AUTHOR_EMAIL;
session.login.password = AUTHOR_PASSWORD;
session.login.user_domain = MY_DOMAIN; // here the real domain being used
session.certificate.verify = true;
session.certificate.cert_data = GSR2_PEM; // This is a pem of the GlobalSign R2 CA PEM

[mobizt]

This option will include in the specific platform example updates.

Because the certificate verification in other support platform e.g. SAMD21 using WiFiNINA firmware is different because arduino team manage the cert stores differently, the options in the session config for certificate data verification are for ESP8266 and ESP32 only.

[mobizt]

This discussion confirms that Root CA is missing on Google server
https://github.com/mobizt/Firebase-ESP-Client/discussions/108

[pakalvoltan]

Hello,
I found that there seems to be an issue with the ESP32_WCS.cpp code

in line 581:
The _CA_cert passed is NULL, and that is why no matter what certificate I pass, it is never passed to the start_ssl. Changing line 581 to:

ret = esp32_ssl_client.start_ssl_client(ssl, _host.c_str(), _port, _timeout, _CA_cert, NULL, NULL, _pskIdent, _psKey, _use_insecure);

Accepts the root CA, verifies it and the connection goes on succesfully. I also tried with a wrong CA and the certificate verification fails as expected, and the connection is stopped.

Could you verify that this change is actually correct?

Thanks for your help again.

[mobizt]

Yes, you are right.

That's a bugs which only affected the upgradable connection (ESP32 only) via STARTTLS (SMTP port 587) to choose between CA and pre-shared key verification.

The CA verification via SSL port (SMTP port 465) is not affected by this bugs

This will fix in the next update.

[mobizt]

This issue was fixed in the latest update. Please try to update the library.

[pakalvoltan]

I confirm that updating the library with the bug fix works.

Thanks for your help!