arendst · s-hadinger · May 27, 2024 · May 27, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 - Update Telegram CA (Go Daddy Root Certificate Authority - G2)
 
 ### Fixed
+- Telegram TLS fingerprint, remove CA validation
 
 ### Removed
 

diff --git a/tasmota/my_user_config.h b/tasmota/my_user_config.h
@@ -460,7 +460,7 @@
 
 // -- Telegram Protocol ---------------------------
 //#define USE_TELEGRAM                             // Support for Telegram protocol (+49k code, +7.0k mem and +4.8k additional during connection handshake)
-  #define USE_TELEGRAM_FINGERPRINT "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // Telegram api.telegram.org TLS public key fingerpring
+  #define USE_TELEGRAM_FINGERPRINT "\x4E\x7F\xF5\x6D\x1E\x29\x40\x58\xAB\x84\xDE\x63\x69\x7B\xCD\xDF\x44\x2E\xD2\xF6" // Telegram api.telegram.org TLS public key fingerpring
 
 // -- KNX IP Protocol -----------------------------
 //#define USE_KNX                                  // Enable KNX IP Protocol Support (+9.4k code, +3k7 mem)

diff --git a/tasmota/tasmota_support/tasmota_ca.ino b/tasmota/tasmota_support/tasmota_ca.ino
@@ -220,77 +220,77 @@ const br_x509_trust_anchor PROGMEM Tasmota_TA[] = {
 const size_t Tasmota_TA_size = nitems(Tasmota_TA);
 
 
-#if defined(USE_TELEGRAM)
-
-// we add a separate CA for telegram
-
-/*********************************************************************************************\
- * Go Daddy Root Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20310503
- *
- * to convert do: "brssl ta GoDaddyCA.pem"
- * then copy and paste below, chain the generic names to the same as below
- * remove "static" and add "PROGMEM"
-\*********************************************************************************************/
-
-const unsigned char PROGMEM GoDaddyCAG2_DN[] = {
-	0x30, 0x81, 0xB4, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
-	0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
-	0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7A, 0x6F, 0x6E, 0x61, 0x31, 0x13,
-	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0A, 0x53, 0x63, 0x6F,
-	0x74, 0x74, 0x73, 0x64, 0x61, 0x6C, 0x65, 0x31, 0x1A, 0x30, 0x18, 0x06,
-	0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, 0x47, 0x6F, 0x44, 0x61, 0x64, 0x64,
-	0x79, 0x2E, 0x63, 0x6F, 0x6D, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31,
-	0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x24, 0x68, 0x74,
-	0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2E, 0x67,
-	0x6F, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x72,
-	0x65, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x6F, 0x72, 0x79, 0x2F, 0x31, 0x33,
-	0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2A, 0x47, 0x6F, 0x20,
-	0x44, 0x61, 0x64, 0x64, 0x79, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65,
-	0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
-	0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20, 0x2D,
-	0x20, 0x47, 0x32
-};
-
-const unsigned char PROGMEM GoDaddyCAG2_RSA_N[] = {
-	0xB9, 0xE0, 0xCB, 0x10, 0xD4, 0xAF, 0x76, 0xBD, 0xD4, 0x93, 0x62, 0xEB,
-	0x30, 0x64, 0xB8, 0x81, 0x08, 0x6C, 0xC3, 0x04, 0xD9, 0x62, 0x17, 0x8E,
-	0x2F, 0xFF, 0x3E, 0x65, 0xCF, 0x8F, 0xCE, 0x62, 0xE6, 0x3C, 0x52, 0x1C,
-	0xDA, 0x16, 0x45, 0x4B, 0x55, 0xAB, 0x78, 0x6B, 0x63, 0x83, 0x62, 0x90,
-	0xCE, 0x0F, 0x69, 0x6C, 0x99, 0xC8, 0x1A, 0x14, 0x8B, 0x4C, 0xCC, 0x45,
-	0x33, 0xEA, 0x88, 0xDC, 0x9E, 0xA3, 0xAF, 0x2B, 0xFE, 0x80, 0x61, 0x9D,
-	0x79, 0x57, 0xC4, 0xCF, 0x2E, 0xF4, 0x3F, 0x30, 0x3C, 0x5D, 0x47, 0xFC,
-	0x9A, 0x16, 0xBC, 0xC3, 0x37, 0x96, 0x41, 0x51, 0x8E, 0x11, 0x4B, 0x54,
-	0xF8, 0x28, 0xBE, 0xD0, 0x8C, 0xBE, 0xF0, 0x30, 0x38, 0x1E, 0xF3, 0xB0,
-	0x26, 0xF8, 0x66, 0x47, 0x63, 0x6D, 0xDE, 0x71, 0x26, 0x47, 0x8F, 0x38,
-	0x47, 0x53, 0xD1, 0x46, 0x1D, 0xB4, 0xE3, 0xDC, 0x00, 0xEA, 0x45, 0xAC,
-	0xBD, 0xBC, 0x71, 0xD9, 0xAA, 0x6F, 0x00, 0xDB, 0xDB, 0xCD, 0x30, 0x3A,
-	0x79, 0x4F, 0x5F, 0x4C, 0x47, 0xF8, 0x1D, 0xEF, 0x5B, 0xC2, 0xC4, 0x9D,
-	0x60, 0x3B, 0xB1, 0xB2, 0x43, 0x91, 0xD8, 0xA4, 0x33, 0x4E, 0xEA, 0xB3,
-	0xD6, 0x27, 0x4F, 0xAD, 0x25, 0x8A, 0xA5, 0xC6, 0xF4, 0xD5, 0xD0, 0xA6,
-	0xAE, 0x74, 0x05, 0x64, 0x57, 0x88, 0xB5, 0x44, 0x55, 0xD4, 0x2D, 0x2A,
-	0x3A, 0x3E, 0xF8, 0xB8, 0xBD, 0xE9, 0x32, 0x0A, 0x02, 0x94, 0x64, 0xC4,
-	0x16, 0x3A, 0x50, 0xF1, 0x4A, 0xAE, 0xE7, 0x79, 0x33, 0xAF, 0x0C, 0x20,
-	0x07, 0x7F, 0xE8, 0xDF, 0x04, 0x39, 0xC2, 0x69, 0x02, 0x6C, 0x63, 0x52,
-	0xFA, 0x77, 0xC1, 0x1B, 0xC8, 0x74, 0x87, 0xC8, 0xB9, 0x93, 0x18, 0x50,
-	0x54, 0x35, 0x4B, 0x69, 0x4E, 0xBC, 0x3B, 0xD3, 0x49, 0x2E, 0x1F, 0xDC,
-	0xC1, 0xD2, 0x52, 0xFB
-};
-
-const unsigned char PROGMEM GoDaddyCAG2_RSA_E[] = {
-	0x01, 0x00, 0x01
-};
-
-const br_x509_trust_anchor PROGMEM GoDaddyCAG2_TA = {
-	{ (unsigned char *)GoDaddyCAG2_DN, sizeof GoDaddyCAG2_DN },
-	0,
-	{
-		BR_KEYTYPE_RSA,
-		{ .rsa = {
-			(unsigned char *)GoDaddyCAG2_RSA_N, sizeof GoDaddyCAG2_RSA_N,
-			(unsigned char *)GoDaddyCAG2_RSA_E, sizeof GoDaddyCAG2_RSA_E,
-		} }
-	}
-};
-#endif
+// #if defined(USE_TELEGRAM)
+
+// // we add a separate CA for telegram
+
+// /*********************************************************************************************\
+//  * Go Daddy Root Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20310503
+//  *
+//  * to convert do: "brssl ta GoDaddyCA.pem"
+//  * then copy and paste below, chain the generic names to the same as below
+//  * remove "static" and add "PROGMEM"
+// \*********************************************************************************************/
+
+// const unsigned char PROGMEM GoDaddyCAG2_DN[] = {
+// 	0x30, 0x81, 0xB4, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+// 	0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+// 	0x08, 0x13, 0x07, 0x41, 0x72, 0x69, 0x7A, 0x6F, 0x6E, 0x61, 0x31, 0x13,
+// 	0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0A, 0x53, 0x63, 0x6F,
+// 	0x74, 0x74, 0x73, 0x64, 0x61, 0x6C, 0x65, 0x31, 0x1A, 0x30, 0x18, 0x06,
+// 	0x03, 0x55, 0x04, 0x0A, 0x13, 0x11, 0x47, 0x6F, 0x44, 0x61, 0x64, 0x64,
+// 	0x79, 0x2E, 0x63, 0x6F, 0x6D, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31,
+// 	0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x24, 0x68, 0x74,
+// 	0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2E, 0x67,
+// 	0x6F, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x72,
+// 	0x65, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x6F, 0x72, 0x79, 0x2F, 0x31, 0x33,
+// 	0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2A, 0x47, 0x6F, 0x20,
+// 	0x44, 0x61, 0x64, 0x64, 0x79, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65,
+// 	0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
+// 	0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x20, 0x2D,
+// 	0x20, 0x47, 0x32
+// };
+
+// const unsigned char PROGMEM GoDaddyCAG2_RSA_N[] = {
+// 	0xB9, 0xE0, 0xCB, 0x10, 0xD4, 0xAF, 0x76, 0xBD, 0xD4, 0x93, 0x62, 0xEB,
+// 	0x30, 0x64, 0xB8, 0x81, 0x08, 0x6C, 0xC3, 0x04, 0xD9, 0x62, 0x17, 0x8E,
+// 	0x2F, 0xFF, 0x3E, 0x65, 0xCF, 0x8F, 0xCE, 0x62, 0xE6, 0x3C, 0x52, 0x1C,
+// 	0xDA, 0x16, 0x45, 0x4B, 0x55, 0xAB, 0x78, 0x6B, 0x63, 0x83, 0x62, 0x90,
+// 	0xCE, 0x0F, 0x69, 0x6C, 0x99, 0xC8, 0x1A, 0x14, 0x8B, 0x4C, 0xCC, 0x45,
+// 	0x33, 0xEA, 0x88, 0xDC, 0x9E, 0xA3, 0xAF, 0x2B, 0xFE, 0x80, 0x61, 0x9D,
+// 	0x79, 0x57, 0xC4, 0xCF, 0x2E, 0xF4, 0x3F, 0x30, 0x3C, 0x5D, 0x47, 0xFC,
+// 	0x9A, 0x16, 0xBC, 0xC3, 0x37, 0x96, 0x41, 0x51, 0x8E, 0x11, 0x4B, 0x54,
+// 	0xF8, 0x28, 0xBE, 0xD0, 0x8C, 0xBE, 0xF0, 0x30, 0x38, 0x1E, 0xF3, 0xB0,
+// 	0x26, 0xF8, 0x66, 0x47, 0x63, 0x6D, 0xDE, 0x71, 0x26, 0x47, 0x8F, 0x38,
+// 	0x47, 0x53, 0xD1, 0x46, 0x1D, 0xB4, 0xE3, 0xDC, 0x00, 0xEA, 0x45, 0xAC,
+// 	0xBD, 0xBC, 0x71, 0xD9, 0xAA, 0x6F, 0x00, 0xDB, 0xDB, 0xCD, 0x30, 0x3A,
+// 	0x79, 0x4F, 0x5F, 0x4C, 0x47, 0xF8, 0x1D, 0xEF, 0x5B, 0xC2, 0xC4, 0x9D,
+// 	0x60, 0x3B, 0xB1, 0xB2, 0x43, 0x91, 0xD8, 0xA4, 0x33, 0x4E, 0xEA, 0xB3,
+// 	0xD6, 0x27, 0x4F, 0xAD, 0x25, 0x8A, 0xA5, 0xC6, 0xF4, 0xD5, 0xD0, 0xA6,
+// 	0xAE, 0x74, 0x05, 0x64, 0x57, 0x88, 0xB5, 0x44, 0x55, 0xD4, 0x2D, 0x2A,
+// 	0x3A, 0x3E, 0xF8, 0xB8, 0xBD, 0xE9, 0x32, 0x0A, 0x02, 0x94, 0x64, 0xC4,
+// 	0x16, 0x3A, 0x50, 0xF1, 0x4A, 0xAE, 0xE7, 0x79, 0x33, 0xAF, 0x0C, 0x20,
+// 	0x07, 0x7F, 0xE8, 0xDF, 0x04, 0x39, 0xC2, 0x69, 0x02, 0x6C, 0x63, 0x52,
+// 	0xFA, 0x77, 0xC1, 0x1B, 0xC8, 0x74, 0x87, 0xC8, 0xB9, 0x93, 0x18, 0x50,
+// 	0x54, 0x35, 0x4B, 0x69, 0x4E, 0xBC, 0x3B, 0xD3, 0x49, 0x2E, 0x1F, 0xDC,
+// 	0xC1, 0xD2, 0x52, 0xFB
+// };
+
+// const unsigned char PROGMEM GoDaddyCAG2_RSA_E[] = {
+// 	0x01, 0x00, 0x01
+// };
+
+// const br_x509_trust_anchor PROGMEM GoDaddyCAG2_TA = {
+// 	{ (unsigned char *)GoDaddyCAG2_DN, sizeof GoDaddyCAG2_DN },
+// 	0,
+// 	{
+// 		BR_KEYTYPE_RSA,
+// 		{ .rsa = {
+// 			(unsigned char *)GoDaddyCAG2_RSA_N, sizeof GoDaddyCAG2_RSA_N,
+// 			(unsigned char *)GoDaddyCAG2_RSA_E, sizeof GoDaddyCAG2_RSA_E,
+// 		} }
+// 	}
+// };
+// #endif
 
 #endif // defined(USE_TLS)
diff --git a/tasmota/tasmota_xdrv_driver/xdrv_40_telegram.ino b/tasmota/tasmota_xdrv_driver/xdrv_40_telegram.ino
@@ -83,11 +83,11 @@ bool TelegramInit(void) {
     if (!telegramClient) {
       telegramClient = new BearSSL::WiFiClientSecure_light(tls_rx_size, tls_tx_size);
 
-      if (Settings->flag5.tls_use_fingerprint) {  // SetOption132 - (TLS) Use fingerprint validation instead of CA based
-        telegramClient->setPubKeyFingerprint(Telegram_Fingerprint, Telegram_Fingerprint, false); // check server fingerprint
-      } else {
-        telegramClient->setTrustAnchor(&GoDaddyCAG2_TA, 1);
-      }
+      // if (Settings->flag5.tls_use_fingerprint) {  // SetOption132 - (TLS) Use fingerprint validation instead of CA based
+      telegramClient->setPubKeyFingerprint(Telegram_Fingerprint, Telegram_Fingerprint, false); // check server fingerprint
+      // } else {
+      //   telegramClient->setTrustAnchor(&GoDaddyCAG2_TA, 1);
+      // }
 
       Telegram.message_count = 0;     // Number of received messages
       Telegram.next_update_id = 0;    // Code of last read Message
@@ -113,8 +113,8 @@ String TelegramConnectToTelegram(const String &command) {
   uint32_t tls_connect_time = millis();
   if (telegramClient->connect(host.c_str(), 443)) {
 
-//    AddLog(LOG_LEVEL_DEBUG, PSTR("TGM: Connected in %d ms, max ThunkStack used %d"), millis() - tls_connect_time, telegramClient->getMaxThunkStackUse());
-
+    AddLog(LOG_LEVEL_DEBUG, PSTR("TGM: Connected in %d ms, max ThunkStack used %d"), millis() - tls_connect_time, telegramClient->getMaxThunkStackUse());
+    
 //    telegramClient->println("GET /"+command);  // Fails after 20210621
     String request = "GET /" + command + " HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
     telegramClient->print(request);
@@ -155,6 +155,14 @@ String TelegramConnectToTelegram(const String &command) {
     }
 
     telegramClient->stop();
+  } else {
+    AddLog(LOG_LEVEL_INFO, PSTR("TGM: TLS connection error: %d"), telegramClient->getLastError());
+
+    const uint8_t *recv_fingerprint = telegramClient->getRecvPubKeyFingerprint();
+    // create a printable version of the fingerprint received
+    char buf_fingerprint[64];
+    ToHex_P(recv_fingerprint, 20, buf_fingerprint, sizeof(buf_fingerprint), ' ');
+    AddLog(LOG_LEVEL_DEBUG, PSTR("TGM: Telegram fingerprint: %s"), buf_fingerprint);
   }
 
   return response;