mqtt_azure example uses the Baltimore certificate #73281
Comments
|
Hi @uriel-kluk! We appreciate you submitting your first issue for our open-source project. 🌟 Even though I'm a bot, I can assure you that the whole community is genuinely grateful for your time and effort. 🤖💙 |
|
Thanks for the report, it seems that for the time being it'd be most reasonable to support both certificates. As for the issues with As for the failures with Feel free to send a PR if it helps in your case. We could also add the second certificate if such a configuration works for you. |
|
Thanks Robert,
Here is the PR, but heads up, it is having trouble parsing the CA certificates:
Add SHA1 to project configuration and added new certificates to conne… by uriel-kluk · Pull Request #73426 · zephyrproject-rtos/zephyr (github.com)<#73426>
You should reject the PR
…________________________________
From: Robert Lubos ***@***.***>
Sent: Tuesday, May 28, 2024 9:19 AM
To: zephyrproject-rtos/zephyr ***@***.***>
Cc: Uriel Kluk ***@***.***>; Mention ***@***.***>
Subject: Re: [zephyrproject-rtos/zephyr] mqtt_azure example uses the Baltimore certificate (Issue #73281)
Thanks for the report, it seems that for the time being it'd be most reasonable to support both certificates.
As for the issues with Baltimore CyberTrust Root certificate registration, there's been a lot of happening recently in mbed TLS area, and it seems one of the PRs (#72078<#72078> specifically) might've affected the sample. Baltimore CyberTrust Root uses sha1WithRSAEncryption as a signature algorithm, and SHA1 is no longer enabled by default. Can you check if it works for you after enabling CONFIG_MBEDTLS_MAC_SHA1_ENABLED=y in the prj.conf file?
As for the failures with DigiCert Global Root G2, I guess the Azure transition is not complete, so it could be the case that we'd still need Baltimore for your case?
Feel free to send a PR if it helps in your case. We could also add the second certificate if such a configuration works for you.
—
Reply to this email directly, view it on GitHub<#73281 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJ2NCAYCAFTVFDJ5ESN3YPDZESG7FAVCNFSM6AAAAABIH7V7UCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZVGMZTOMZTHE>.
You are receiving this because you were mentioned.
|
|
I've opened #73557 with the fixes discussed. |
|
Great job! Thanks
Sent from my Verizon, Samsung Galaxy smartphone
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Robert Lubos ***@***.***>
Sent: Friday, May 31, 2024 3:19:18 AM
To: zephyrproject-rtos/zephyr ***@***.***>
Cc: Uriel Kluk ***@***.***>; Mention ***@***.***>
Subject: Re: [zephyrproject-rtos/zephyr] mqtt_azure example uses the Baltimore certificate (Issue #73281)
I've opened #73557<#73557> with the fixes discussed.
—
Reply to this email directly, view it on GitHub<#73281 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJ2NCA53IZKG76TCEPHDLBTZFAXANAVCNFSM6AAAAABIH7V7UCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBRGQ2TSOBWGI>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Summary
Azure IoT Hub and Device Provisioning Service (DPS) use TLS certificates issued by the Baltimore CyberTrust Root, which expires in 2025. Starting in February 2023, all IoT hubs in the global Azure cloud will migrate to a new TLS certificate issued by the DigiCert Global Root G2.
Details
The example provided conatins a file named
digicert.cer, but it contains theBaltimore CyberTrust Root. The solution should includeDigiCert Global Root G2instead.Reproduce
Impact
It might be my configuration that is failing, but if developers base their code on the example provided, devices will stop connecting in 2025.
The text was updated successfully, but these errors were encountered: