libraries/SocketWrapper: Support loading CA certs from the file system. #249
base: main
Using a curated list of certificates that covers most of the Internet. This reduces the certificate size to 20KBs, which can be loaded on all boards.

Created with: https://github.com/arduino/cacert-utils/

Signed-off-by: iabdalkader <i.abdalkader@gmail.com>

This patch adds support for automatically loading CA certificates from the filesystem. The file system certs are loaded on the first call to connectSSL(), once, and shared between all sockets. If filesystem support is not enabled, or CA loading fails, the connection proceeds without error.

Custom CA certificates can still be passed via the 'cert' parameter, and both filesystem and custom certificates are registered using different TLS tags. This allows users to add their own certs without recreating the whole file.

Signed-off-by: iabdalkader <i.abdalkader@gmail.com>
pillo79 left a comment
Are the changes to C33 config needed to sync that with other boards, or should these be applied more commonly?
Otherwise LGTM!
iabdalkader commented Nov 6, 2025
Those options are going to be required by every board, and at least 80KBs of heap for mbedtls, if we want to parse and load all of the certificates. I only enabled it for C33 because that's the only one I tested. Note, I've managed to reduce the certs size from 64KBs to 20KBs with https://github.com/arduino/cacert-utils/. The file we have right now needs 140KBs of heap for mbedtls, and at least 64KBs of system heap.
iabdalkader commented Nov 6, 2025
@pillo79 Please don't merge this yet, it's not intended for the next release.
Main changes:
Update CA data:
Use a curated list of certificates that covers most of the Internet. This reduces the certificate size to 20KBs, which can be loaded on all boards. The certs file is generated with: https://github.com/arduino/cacert-utils/
Support loading CA certs from the file system.
This patch adds support for automatically loading CA certificates from the filesystem. The file system certs are loaded on the first call to connectSSL(), once, and shared between all sockets.
If filesystem support is not enabled, or CA loading fails, the connection proceeds without error.
Custom CA certificates can still be passed via the 'cert' parameter, and both filesystem and custom certificates are registered using different TLS tags. This allows users to add their own certs without recreating the whole file.
Testing
Enabled and tested on C33.
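The description above covers three behaviours: the filesystem bundle is loaded once on the first connectSSL() and shared by every socket, a missing or unreadable bundle is not an error, and a caller-supplied cert lands under a TLS tag distinct from the bundle's. The following is an added, host-runnable sketch of that design; it is not code from the SocketWrapper PR. The board filesystem and the tag-indexed TLS credential store are replaced by in-memory stand-ins, and the class, method and tag names (SslSocket, CredentialStore, CA_TAG_FS, CA_TAG_CUSTOM) are assumptions. Because the fail-open path means a handshake can proceed with no curated trust anchors at all, the sketch also exposes whether the bundle actually loaded, so a caller can log or refuse a connection that would run without it.

```cpp
// Added example (not the PR's code): load-once, shared, fail-open CA bundle
// plus a separate tag for a caller-supplied certificate.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for the board filesystem: path -> file contents.
// Only "/cacert.pem" exists; any other path behaves like a missing file.
static const std::map<std::string, std::string> kFakeFs = {
    {"/cacert.pem",
     "-----BEGIN CERTIFICATE-----\nMIIB...constructed sample, not a real cert...\n"
     "-----END CERTIFICATE-----\n"},
};

// Hypothetical stand-in for a tag-indexed TLS credential store.
struct CredentialStore {
    std::map<uint32_t, std::string> creds;
    // Register a blob under a tag; false if that tag is already registered.
    bool add(uint32_t tag, const std::string& blob) {
        return creds.emplace(tag, blob).second;
    }
    std::size_t size() const { return creds.size(); }
};

// Assumed tag values: one for the filesystem bundle, one for the user's cert.
enum CaTag : uint32_t { CA_TAG_FS = 1, CA_TAG_CUSTOM = 2 };

static bool looksLikePem(const std::string& s) {
    return s.find("-----BEGIN CERTIFICATE-----") != std::string::npos;
}

class SslSocket {
public:
    explicit SslSocket(CredentialStore& store) : store_(store) {}

    // Models connectSSL(): the bundle is loaded on the first call from any
    // socket, once; the outcome is shared by all later sockets. A missing or
    // malformed bundle is not an error (fail-open, as the PR describes).
    // The returned tag list is what the handshake will trust.
    std::vector<uint32_t> connectSSL(const std::string& caPath,
                                     const std::string& customCert = "") {
        if (!fsLoadAttempted_) {
            fsLoadAttempted_ = true;
            ++fsLoadAttempts_;
            fsLoaded_ = loadBundleFromFs(caPath);
        }
        std::vector<uint32_t> trusted;
        if (fsLoaded_) trusted.push_back(CA_TAG_FS);
        if (!customCert.empty() && looksLikePem(customCert)) {
            // Distinct tag: the user adds a cert without rewriting the bundle.
            // If an earlier socket already registered this tag, keep that copy.
            store_.add(CA_TAG_CUSTOM, customCert);
            trusted.push_back(CA_TAG_CUSTOM);
        }
        return trusted;
    }

    // Defender's check: did the curated bundle actually become a trust anchor?
    static bool trustAnchorsFromFs() { return fsLoaded_; }
    static int fsLoadAttempts() { return fsLoadAttempts_; }
    // Test-only: clear the shared state so a fresh "first call" can be observed.
    static void resetSharedState() { fsLoadAttempted_ = fsLoaded_ = false; fsLoadAttempts_ = 0; }

private:
    bool loadBundleFromFs(const std::string& path) {
        auto it = kFakeFs.find(path);
        if (it == kFakeFs.end() || !looksLikePem(it->second)) return false;
        return store_.add(CA_TAG_FS, it->second);
    }
    CredentialStore& store_;
    static bool fsLoadAttempted_;
    static bool fsLoaded_;
    static int fsLoadAttempts_;
};
bool SslSocket::fsLoadAttempted_ = false;
bool SslSocket::fsLoaded_ = false;
int SslSocket::fsLoadAttempts_ = 0;

int main() {
    CredentialStore store;
    SslSocket a(store), b(store);
    a.connectSSL("/cacert.pem");
    b.connectSSL("/cacert.pem", "-----BEGIN CERTIFICATE-----\ncustom\n-----END CERTIFICATE-----\n");
    std::cout << "bundle loads: " << SslSocket::fsLoadAttempts()
              << ", tags registered: " << store.size()
              << ", curated anchors present: " << SslSocket::trustAnchorsFromFs() << "\n";
    return 0;
}
```

Two sockets sharing one store trigger exactly one bundle load and end up with two registered tags; a socket pointed at a path that does not exist gets an empty trust list and no error, which is precisely the state trustAnchorsFromFs() lets a caller detect.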