SSL - httpUpdate - Synchronized Clock

I am using the httpUpdateSecure.ino example sketch from the Arduino IDE (code inline at bottom of post). I was going through the HTTPUpdate.h and the httpUpdate class the sketch uses to see how the time was getting passed to the server. I could find no evidence that it was.

I decided to comment out the time synchronization functionality from the example sketch and it still connects on port 443 and successfully downloads and installs the binary from the server.

Does this mean I am not securely connected? How can I go about testing whether the connection is secure?

Is this a problem on the server side for not processing the time and refusing the connection?

#include <WiFi.h>
#include <WiFiMulti.h>

#include <HTTPClient.h>
#include <HTTPUpdate.h>

#include <time.h>

WiFiMulti WiFiMulti;

// Set time via NTP, as required for x.509 validation
void setClock() {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");  // UTC

  Serial.print(F("Waiting for NTP time sync: "));
  time_t now = time(nullptr);
  while (now < 8 * 3600 * 2) {
    yield();
    delay(500);
    Serial.print(F("."));
    now = time(nullptr);
  }

  Serial.println(F(""));
  struct tm timeinfo;
  gmtime_r(&now, &timeinfo);
  Serial.print(F("Current time: "));
  Serial.print(asctime(&timeinfo));
}


const char* rootCACertificate = \
"-----BEGIN CERTIFICATE-----\n" \
"MY CERTIFICATE\n" \
"-----END CERTIFICATE-----\n";

void setup() {

  Serial.begin(115200);
  // Serial.setDebugOutput(true);

  Serial.println();
  Serial.println();
  Serial.println();

  for (uint8_t t = 4; t > 0; t--) {
    Serial.printf("[SETUP] WAIT %d...\n", t);
    Serial.flush();
    delay(1000);
  }

  WiFi.mode(WIFI_STA);
  WiFiMulti.addAP("MY_SSID", "MY_PASSWORD");
}

void loop() {
  // wait for WiFi connection
  if ((WiFiMulti.run() == WL_CONNECTED)) {

//    setClock();

    WiFiClientSecure client;
    client.setCACert(rootCACertificate);

    // Reading data over SSL may be slow, use an adequate timeout
    client.setTimeout(12000);



    t_httpUpdate_return ret = httpUpdate.update(client, MY_SERVER, 443, MY_PATH_TO_FIRMWARE);


    switch (ret) {
      case HTTP_UPDATE_FAILED:
        Serial.printf("HTTP_UPDATE_FAILED Error (%d): %s\n", httpUpdate.getLastError(), httpUpdate.getLastErrorString().c_str());
        break;

      case HTTP_UPDATE_NO_UPDATES:
        Serial.println("HTTP_UPDATE_NO_UPDATES");
        break;

      case HTTP_UPDATE_OK:
        Serial.println("HTTP_UPDATE_OK");
        break;
    }
  }
}

So I logged the headers on the server side and they are receiving the time. At first I thought these times were how long the request was taking, but it gives the correct date when converted to Unix Epoch.

s:18:"REQUEST_TIME_FLOAT";
d:1551756437.2473581;
s:12:"REQUEST_TIME";
i:1551756437;

I also went through httpClient.cpp and found no evidence of times being synchronized or sent here either.

Does anyone know what library is sending the time?

I am using the httpUpdateSecure.ino example sketch from the Arduino IDE

Wrong, this is part of the Espressif cores but won't show up in a standard Arduino IDE install. You should mention if you use another architecture that is not installed by default in the Arduino IDE.

Does this mean I am not securely connected? How can I go about testing whether the connection is secure?

You probably are securely connected, but the ESP isn't able to check whether the certificate the server offered has already expired. So the connection is encrypted, but you may be presented with an old certificate and your ESP won't notice.

If you want to test the security, sniff the traffic on the network. If you're able to see what happens, it isn't secure (for some definitions of security; you didn't define it, so I'm free to choose any definition I think is appropriate here).
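An added example, not part of the thread and not code from the ESP32 core: a portable C++ model of the validity-window check that depends on the clock, plus a bounded version of the sketch's wait loop. The function names and the sample certificate dates are hypothetical; the threshold comes from setClock() and the "now" value from the REQUEST_TIME logged above.

```cpp
#include <ctime>
#include <functional>

// Threshold used by setClock() in the sketch: a reading below it means the
// clock was never set (an unsynchronised clock starts counting near 0).
constexpr time_t kClockSetThreshold = 8 * 3600 * 2;

// Constructed sample validity window: 2018-01-01 to 2019-01-01 (UTC).
constexpr time_t kSampleNotBefore = 1514764800;
constexpr time_t kSampleNotAfter = 1546300800;
// REQUEST_TIME from the server log in the thread (March 2019).
constexpr time_t kPageRequestTime = 1551756437;

enum class CertTime { ClockUnset, NotYetValid, Expired, Valid };

// Classify a certificate's validity window against the device clock.
// With an unset clock there is no meaningful answer, so that case is
// reported separately instead of being treated as "valid".
CertTime classifyValidity(time_t now, time_t notBefore, time_t notAfter) {
  if (now < kClockSetThreshold) return CertTime::ClockUnset;
  if (now < notBefore) return CertTime::NotYetValid;
  if (now > notAfter) return CertTime::Expired;
  return CertTime::Valid;
}

// Bounded variant of the sketch's wait loop: poll the clock at most
// maxPolls times and report failure instead of blocking forever.
bool waitForClock(const std::function<time_t()>& readClock,
                  const std::function<void()>& pause, int maxPolls) {
  for (int i = 0; i < maxPolls; ++i) {
    if (readClock() >= kClockSetThreshold) return true;
    pause();
  }
  return false;
}

// Gate for the update: proceed only when the clock is set and the
// certificate is inside its validity window.
bool updateAllowed(time_t now, time_t notBefore, time_t notAfter) {
  return classifyValidity(now, notBefore, notAfter) == CertTime::Valid;
}
```

In the sketch, readClock would wrap time(nullptr) and pause would wrap delay(500), with the update skipped whenever waitForClock returns false.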

Thank you for your input. I think I will continue to develop my sketch assuming no one is attempting to hijack the connection. I will test for encryption and certificate expiration closer to deployment.