libraries/SocketWrapper: Support loading CA certs from the file system. #249
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using a curated list of certificates that covers most of the Internet. This reduces the certificates size to 20KBs which can be loaded on all boards. Created with: https://github.com/arduino/cacert-utils/ Signed-off-by: iabdalkader <[email protected]>
This patch adds support for automatically loading CA certificates from the filesystem. The file system certs are loaded on the first call to connectSSL(), once, and shared between all sockets. If filesystem support is not enabled, or CA loading fails, the connection proceeds without error. Custom CA certificates can still be passed via the 'cert' parameter, and both filesystem and custom certificates are registered with using different TLS tags. This allows users to add their own certs without recreating the whole file. Signed-off-by: iabdalkader <[email protected]>
Signed-off-by: iabdalkader <[email protected]>
iabdalkader
changed the title
iabdalkader
changed the title
pillo79
reviewed
Nov 6, 2025
Those options are going to be required by every board and at least 80KBs of heap for mbedtls, if we want to parse and load all of the certificates. I only enabled it for C33 because that's the only one I tested. Note, I've managed to reduce the certs size from 64KBs to 20KBs with https://github.com/arduino/cacert-utils/ the file we have right now needs 140KBs of heap for mbedtls, and at least 64KBs of system heap. |
pillo79
approved these changes
Nov 6, 2025
|
@pillo79 Please don't merge this yet, it's not intended for the next release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Main changes:
Update CA data:
Use a curated list of certificates that covers most of the Internet. This reduces the certificates size to 20KBs which can be loaded on all boards. The certs file is generated with: https://github.com/arduino/cacert-utils/
Support loading CA certs from the file system.
This patch adds support for automatically loading CA certificates from the filesystem. The file system certs are loaded on the first call to connectSSL(), once, and shared between all sockets.
If filesystem support is not enabled, or CA loading fails, the connection proceeds without error.
Custom CA certificates can still be passed via the 'cert' parameter, and both filesystem and custom certificates are registered with using different TLS tags. This allows users to add their own certs without recreating the whole file.
Testing
Enabled and tested on C33.