Description
Answers checklist.
- I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
- I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
- I have searched the issue tracker for a similar issue and not found a similar issue.
General issue report
I'm working on adding esp-tls support for wolfSSL as noted in wolfSSL/wolfssl#7936 and PlatformIO Certificate Bundle support in wolfSSL/wolfssl#8847.

Today while testing, I encountered a problem where the `esp_http_client` is failing to validate with the https://postman-echo.com/post URL using the `postman_root_cert.pem` certificate that is baked in at build time.
The problem seems to be that the `postman-echo.com` domain is now using a Let's Encrypt Root certificate:

Whereas the `postman_root_cert.pem` certificate file is currently an Amazon Root CA:

```
$ openssl crl2pkcs7 -nocrl -certfile postman_root_cert.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Amazon, CN = Amazon Root CA 1
issuer=C = US, O = Amazon, CN = Amazon Root CA 1
```
There's an ISRG Root X1 PEM Let's Encrypt Certificate here: https://letsencrypt.org/certs/isrgrootx1.pem.txt

When I download that cert and save it as `postman_root_cert.pem`, the example is successful for the https://postman-echo.com/post test.

See also:

```
$ openssl crl2pkcs7 -nocrl -certfile postman_root_cert.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
```
I'm happy to create a PR to fix this if someone else can take a look and confirm.
I should also point out that the howsmyssl site does not fully support TLS 1.3 as noted in #14496 (see also jmhodges/howsmyssl#716). The tests using howsmyssl in the same `esp_http_client_example` will have unreliable and incorrect results for TLS 1.3.