
Commit b073954

authored
add two-fold avoidance of tls issues. (#360)
1 parent 26b4019 commit b073954


5 files changed

+82
-33
lines changed


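--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,9 @@ docs/.jekyll-metadata
 docs/vendor
 
 .DS_Store
+
+# for people installing pio venv style
+venv
+
+# jetbrains
+.idea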

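--- a/src/Firmware.cpp
+++ b/src/Firmware.cpp
@@ -35,9 +35,10 @@ static const size_t APP_PARTITION_SIZE = 0x380000; // read from part?
 static const int SHA256_HASH_LEN = 32;
 
 // todo: error handling
-void Firmware::downloadToSd(String url, String filename) {
+void Firmware::downloadToSd(String url, String filename, bool unsafe) {
 WiFiClientSecure client;
-client.setCACert(trustedRootCACertificates);
+if (!unsafe) client.setCACert(trustedRootCACertificates);
+else client.setInsecure();
 HTTPClient http;
 http.setUserAgent(mUserAgent);
 http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);
@@ -58,10 +59,12 @@ void Firmware::downloadToSd(String url, String filename) {
 }
 
 bool Firmware::downloadToFlash(String url,
-std::function<void(uint32_t pos, uint32_t size)> progress) {
+std::function<void(uint32_t pos, uint32_t size)> progress,
+bool unsafe) {
 bool success = false;
 WiFiClientSecure client;
-client.setCACert(trustedRootCACertificates);
+if (!unsafe) client.setCACert(trustedRootCACertificates);
+if (unsafe) client.setInsecure();
 HTTPClient http;
 http.setUserAgent(mUserAgent);
 http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);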
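Review bot: The `unsafe` branch in `downloadToSd` and `downloadToFlash` calls `client.setInsecure()` silently, so a firmware image fetched without certificate validation leaves no trace in the device log. A warning next to the call, e.g. `log_w("TLS certificate validation disabled for firmware download");`, would make the downgrade auditable. With validation off, the integrity of the image rests on whatever is checked after the download; the hunks do not show such a check (both function bodies continue outside them), so it is worth confirming that a hash or signature comparison still gates the write to flash. The two functions also spell the same choice differently (`if`/`else` versus two separate `if`s); using `else client.setInsecure();` in both keeps them in step.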

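--- a/src/Firmware.h
+++ b/src/Firmware.h
@@ -29,8 +29,8 @@
 class Firmware {
 public:
 explicit Firmware(String userAgent) : mUserAgent(userAgent) {};
-void downloadToSd(String url, String filename);
-bool downloadToFlash(String url, std::function<void(uint32_t, uint32_t)> progress);
+void downloadToSd(String url, String filename, bool unsafe);
+bool downloadToFlash(String url, std::function<void(uint32_t, uint32_t)> progress, bool unsafe);
 String getLastMessage();
 
 static String getFlashAppVersion();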
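Review bot: The new `bool unsafe` parameter on `downloadToSd` and `downloadToFlash` has no default and no documentation, so every call site passes a bare `true`/`false` whose meaning is invisible where it is used. Defaulting to the verified path, `void downloadToSd(String url, String filename, bool unsafe = false);` (and the same for `downloadToFlash`), keeps certificate validation as the behaviour a caller gets unless it explicitly opts out. A one-line comment on both declarations, `// unsafe: skip TLS certificate validation; the download is then unauthenticated`, would record the trade-off. The class body continues outside the hunk.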

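--- a/src/configServer.cpp
+++ b/src/configServer.cpp
@@ -249,6 +249,7 @@ static const char* const updateSdIndex = R""""(
 <p>{description}</p>
 <h3>From Github (preferred)</h3>
 List also pre-releases<br><input type='checkbox' id='preReleases' onchange='selectFirmware()'>
+Ignore TLS Errors (see documentation)<br><input type='checkbox' id='ignoreSSL' onchange='selectFirmware()'>
 <script>
 let availableReleases;
 async function updateFirmwareList() {
@@ -259,6 +260,7 @@ async function updateFirmwareList() {
 }
 function selectFirmware() {
 const displayPreReleases = (document.getElementById('preReleases').checked == true);
+const ignoreSSL = (document.getElementById('ignoreSSL').checked == true);
 url = "";
 version = "";
 availableReleases.filter(r => displayPreReleases || !r.prerelease).forEach(release => {
@@ -276,16 +278,25 @@ function selectFirmware() {
 document.getElementById('version').value = "Update to " + version;
 document.getElementById('version').disabled = false;
 document.getElementById('downloadUrl').value = url;
+document.getElementById('directlink').href = url;
 } else {
 document.getElementById('version').value = "No version found";
 document.getElementById('version').disabled = true;
 document.getElementById('downloadUrl').value = "";
+document.getElementById('directlink').href = "";
+}
+if (ignoreSSL) {
+document.getElementById('unsafe').value = "1";
+} else {
+document.getElementById('unsafe').value = "0";
 }
 }
 updateFirmwareList();
 </script>
 <input type='hidden' name='downloadUrl' id='downloadUrl' value=''/>
+<input type='hidden' name='unsafe' id='unsafe' value='0'/>
 <input type='submit' name='version' id='version' class=btn value='Update' />
+If the upgrade via the button above does not work<br/><a id="directlink" href="">download firmware.bin</a><br/> and upload manually below.
 <h3>File Upload</h3>
 )"""";
 
@@ -1675,11 +1686,13 @@ void updateProgress(size_t pos, size_t all) {
 static void handleFlashUpdateUrlAction(HTTPRequest * req, HTTPResponse * res) {
 const auto params = extractParameters(req);
 const auto url = getParameter(params, "downloadUrl");
+const auto unsafe = getParameter(params,"unsafe");
+
 log_i("Flash App Url is '%s'", url.c_str());
 
 Firmware f(String("OBS/") + String(OBSVersion));
 sensorManager->detachInterrupts();
-if (f.downloadToFlash(url, updateProgress)) {
+if (f.downloadToFlash(url, updateProgress, unsafe[0] == '1')) {
 obsDisplay->showTextOnGrid(0, 3, "Success!");
 sendRedirect(res, "/updatesd");
 } else {
@@ -2111,6 +2124,8 @@ static bool mkSdFlashDir() {
 static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * res) {
 const auto params = extractParameters(req);
 const auto url = getParameter(params, "downloadUrl");
+const auto unsafe = getParameter(params, "unsafe");
+
 log_i("OBS Firmware URL is '%s'", url.c_str());
 
 if (!mkSdFlashDir()) {
@@ -2121,7 +2136,9 @@ static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * re
 }
 // TODO: Progress bar display && http!
 Firmware f(String("OBS/") + String(OBSVersion));
-f.downloadToSd(url, "/sdflash/app.bin");
+f.downloadToSd(url, "/sdflash/app.bin", unsafe[0] == '1');
+obsDisplay->showTextOnGrid(0, 3, unsafe);
+
 
 String firmwareError = Firmware::checkSdFirmware();
 if (Firmware::getFlashAppVersion().isEmpty()) {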
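Review bot: In `handleFlashUpdateUrlAction` and `handleFirmwareUpdateSdUrlAction` the decision to skip certificate validation is taken straight from the request parameter via `unsafe[0] == '1'`, next to a `downloadUrl` that is also request-supplied, so whoever can submit this form decides both where the firmware comes from and whether that server is authenticated. Compare the whole value and name the result, e.g. `const bool skipTlsVerify = (unsafe == "1");`, which also avoids indexing a value that may be empty when the parameter is missing (the return type of `getParameter` is not visible here). Log the choice alongside the URL in the existing `log_i` call so an unverified update can be seen afterwards. `obsDisplay->showTextOnGrid(0, 3, unsafe);` in the SD handler prints the raw parameter on the display and looks like leftover debugging; if the intent is to warn the user, a fixed text would be clearer. Both handler bodies continue outside the hunks.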

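--- a/src/utils/cacerts.cpp
+++ b/src/utils/cacerts.cpp
@@ -147,30 +147,6 @@ const char *const trustedRootCACertificates =
 "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
 "nLRbwHOoq7hHwg==\n"
 "-----END CERTIFICATE-----\n"
-// GITHUB_ROOT_CA
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
-"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-"d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
-"ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
-"MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
-"LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
-"RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
-"+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
-"PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
-"xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
-"Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
-"hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
-"EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
-"MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
-"FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
-"nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
-"eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
-"hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
-"Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
-"vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
-"+OkuE6N36B9K\n"
-"-----END CERTIFICATE-----\n"
 // DigiCert Global Root CA (new github root CA 2022-03-15)
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
@@ -193,4 +169,51 @@ const char *const trustedRootCACertificates =
 "PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
 "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
 "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
-"-----END CERTIFICATE-----\n";
+"-----END CERTIFICATE-----\n"
+// USERTRUST ECC Certification Authority (new github root CA 2024-05-11)
+"-----BEGIN CERTIFICATE-----\n"
+"MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7\n"
+"MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD\n"
+"VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE\n"
+"AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4\n"
+"MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5\n"
+"MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO\n"
+"ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0\n"
+"aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL\n"
+"q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc\n"
+"JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA\n"
+"FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1\n"
+"xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI\n"
+"MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j\n"
+"b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG\n"
+"CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM\n"
+"BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy\n"
+"ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+\n"
+"FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV\n"
+"bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY\n"
+"CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf\n"
+"8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=\n"
+"-----END CERTIFICATE-----\n"
+"-----BEGIN CERTIFICATE-----\n"
+"MIIDqDCCAy6gAwIBAgIRAPNkTmtuAFAjfglGvXvh9R0wCgYIKoZIzj0EAwMwgYgx\n"
+"CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz\n"
+"ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD\n"
+"EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE4MTEw\n"
+"MjAwMDAwMFoXDTMwMTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAkdCMRswGQYDVQQI\n"
+"ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoT\n"
+"D1NlY3RpZ28gTGltaXRlZDE3MDUGA1UEAxMuU2VjdGlnbyBFQ0MgRG9tYWluIFZh\n"
+"bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH\n"
+"A0IABHkYk8qfbZ5sVwAjBTcLXw9YWsTef1Wj6R7W2SUKiKAgSh16TwUwimNJE4xk\n"
+"IQeV/To14UrOkPAY9z2vaKb71EijggFuMIIBajAfBgNVHSMEGDAWgBQ64QmG1M8Z\n"
+"wpZ2dEl23OA1xmNjmjAdBgNVHQ4EFgQU9oUKOxGG4QR9DqoLLNLuzGR7e64wDgYD\n"
+"VR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYB\n"
+"BQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEwUAYD\n"
+"VR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVz\n"
+"dEVDQ0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/\n"
+"BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVD\n"
+"Q0FkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1\n"
+"c3QuY29tMAoGCCqGSM49BAMDA2gAMGUCMEvnx3FcsVwJbZpCYF9z6fDWJtS1UVRs\n"
+"cS0chWBNKPFNpvDKdrdKRe+oAkr2jU+ubgIxAODheSr2XhcA7oz9HmedGdMhlrd9\n"
+"4ToKFbZl+/OnFFzqnvOhcjHvClECEQcKmc8fmA==\n"
+"-----END CERTIFICATE-----\n"
+;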
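Review bot: The two certificates appended to `trustedRootCACertificates` do not appear to be self-signed roots, and the second one carries no comment at all. Decoding the visible DER, the first is USERTrust ECC Certification Authority as issued by AAA Certificate Services (valid until 2028-12-31), and the second is the intermediate Sectigo ECC Domain Validation Secure Server CA issued by USERTrust ECC (valid until 2030-12-31). Pinning a cross-signed certificate and an intermediate means the download is likely to break again when the server moves to a different issuing CA or these expire, which is the situation the insecure fallback in this commit works around. I would label each entry with subject, issuer and expiry, e.g. `// Sectigo ECC Domain Validation Secure Server CA (intermediate, issuer USERTrust ECC, expires 2030-12-31)`, and say in the first comment that it is the cross-signed certificate rather than the root.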
