Skip to content

MEN-8351: fix(build): Set default value for secondary CA cert to false + misc #207

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

MEN-8351: fix(build): Set default value for secondary CA cert to false + misc #207

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
20d4047
chore: Fix typo in Kconfig
lluiscampos May 9, 2025
f4436de
doc: Document how to skip TLS peer verification
lluiscampos May 9, 2025
092a79f
fix(build): Set default value for secondary CA cert to false
lluiscampos May 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions target/zephyr/Kconfig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,10 +43,12 @@ if MENDER_MCU_CLIENT

config MENDER_SERVER_HOST_US
bool "https://hosted.mender.io"
select MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY_ENABLED
help
hosted Mender US
config MENDER_SERVER_HOST_EU
bool "https://eu.hosted.mender.io"
select MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY_ENABLED
help
hosted Mender EU
config MENDER_SERVER_HOST_ON_PREM
Expand Down Expand Up @@ -452,15 +454,15 @@ if MENDER_MCU_CLIENT

config MENDER_NET_CA_CERTIFICATE_TAG_DORMANT
int "Dormant CA certificate tag for Server rescue"
# the tag is arbirtrarily set to 9
# the tag is arbitrarily set to 9
default 9
depends on MENDER_SERVER_DORMANT_CERTIFICATE
help
A security tag that the dormant certificate will be referenced with, typically used for backup in disaster recovery scenarios. See tls_credential_add.

config MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY_ENABLED
bool "Enable MENDER_NET_CA_CERTIFICATE_TAG_SECONDARY"
default y
default n
help
Enables the secondary CA tag. If this option is enabled, the user must add the two certificates with tls_credential_add

Expand All @@ -469,7 +471,7 @@ if MENDER_MCU_CLIENT
range 0 2
default 2
help
Peer verification level for TLS connection.
Peer verification level for TLS connection. For testing purposes, set to 0 to skip TLS peer verify
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So what does 1 mean?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It means optional. See here and here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we don't really support "optional", because to properly use it we would need to check the handshake result and print a warning or something.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. The help should say it then. And perhaps create a task to make sure 1 is handled gracefully?


endmenu

Expand Down