updatehub: Require peer verification with DTLS

d3zd3z · jhedberg · commit 9a3aa3c9c3bb · 2020-05-28T22:28:36.000+03:00
DTLS without peer verification offers no security whatsoever (and is
arguably worse than not using DTLS in the first place).

Change the verification option to require this peer verification.  To
use this, it may be necessary to install and use a root certificate.

Signed-off-by: David Brown &lt;david.brown@linaro.org&gt;
diff --git a/lib/updatehub/updatehub.c b/lib/updatehub/updatehub.c
@@ -162,7 +162,7 @@ static bool start_coap_client(void)
 	}
 
 #if defined(CONFIG_UPDATEHUB_DTLS)
-	int verify = TLS_PEER_VERIFY_NONE;
+	int verify = TLS_PEER_VERIFY_REQUIRED;
 	sec_tag_t sec_list[] = { CA_CERTIFICATE_TAG };
 	int protocol = IPPROTO_DTLS_1_2;
 	char port[] = "5684";

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ static bool start_coap_client(void)`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`#if defined(CONFIG_UPDATEHUB_DTLS)`
`165`		`- int verify = TLS_PEER_VERIFY_NONE;`
	`165`	`+ int verify = TLS_PEER_VERIFY_REQUIRED;`
`166`	`166`	`sec_tag_t sec_list[] = { CA_CERTIFICATE_TAG };`
`167`	`167`	`int protocol = IPPROTO_DTLS_1_2;`
`168`	`168`	`char port[] = "5684";`