ESP32 Forum

Posted: **Tue Jan 26, 2021 9:37 pm**

Hello guys,

I'm testing the HTTPs module with esp_http_client but I've gotten a bit stuck.

I want to make a request using HTTPS and without validating the server's CA, using the CA's validation works fine, but when I want it not to check the CA (using .skip_cert_common_name_check = true), the program returns the following error. (It seems that it continues to validate the ca

).

esp-idf: v4.3-dev-2586-g526f68239

=================== ERROR ===========================
E (5001) esp-tls-mbedtls: No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference
E (5001) esp-tls-mbedtls: Failed to set client configurations
E (5011) esp-tls: create_ssl_handle failed
E (5021) esp-tls: Failed to open new connection
E (5021) TRANS_SSL: Failed to open a new connection
E (5031) HTTP_CLIENT: Connection failed, sock < 0
E (5031) HTTP_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
=================================================================

The configuration of the request that I am making is the following. Could you please help me?

Code: Untitled.c Select all

static void https_with_hostname_path(void)

{

    ESP_LOGI(TAG, "Test HTTPs skip CA");

    esp_http_client_config_t config = {

        .host = "www.howsmyssl.com",

        .path = "/",

        .transport_type = HTTP_TRANSPORT_OVER_SSL,

        .event_handler = _http_event_handler,

        .skip_cert_common_name_check = true

    };

    esp_http_client_handle_t client = esp_http_client_init(&config);

    esp_err_t err = esp_http_client_perform(client);



    if (err == ESP_OK) {

        ESP_LOGI(TAG, "HTTPS Status = %d, content_length = %d",

                esp_http_client_get_status_code(client),

                esp_http_client_get_content_length(client));

    } else {

        ESP_LOGE(TAG, "Error perform http request %s", esp_err_to_name(err));

    }

    esp_http_client_cleanup(client);

}

Posted: **Tue Jan 26, 2021 11:26 pm**

skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)

Posted: **Wed Jan 27, 2021 1:24 am**

skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)

Hi @boarchuz,

Thanks for the answer, you are right there I was making a mistake due to a confusion that I was having between the CN and the CA.

I'm going to change the name of this post to serve as a tutorial for some clueless like me.

Again thank you very much.

Posted: **Sun Jul 11, 2021 9:39 pm**

skip_cert_common_name_check will not allow you to bypass TLS, it will only avoid checking the certificate's CN (so a possible mismatch would not fail validation).

To completely disable the certificate check, you will need to go to ESP-TLS in menuconfig, enable "Allow potentially insecure options" and then enable "Skip server certificate verification by default" (accepting risks)

And you need to make changes in file "sdkconfig" in root directory of your project
it was really useful information for me because I spent an hour to find this file*

Posted: **Mon Mar 17, 2025 3:37 pm**

Is there any way to make the same menuconfig in IDF 4.2.1 ?

Code: Select all

CONFIG_ESP_TLS_INSECURE=y
CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY=y

ESP32 Forum

how to disable server validation (CA)

how to disable server validation (CA)

Re: skip server validation seems not to work

Re: skip server validation seems not to work

Re: skip server validation seems not to work

Re: how to disable server validation (CA)