From 238ac2293b9f5973d6e539062ec7b8fb3ae670b8 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Mon, 11 Jan 2021 12:41:07 +0530
Subject: [PATCH] esp_tls: Add warning if the CA chain provided contains
 one/more invalid cert

---
 components/esp-tls/esp_tls.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c
index d4869fc3e9..c523238810 100644
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@@ -276,6 +276,12 @@ static esp_err_t set_ca_cert(esp_tls_t *tls, const unsigned char *cacert, size_t
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
         return ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED;
     }
+    if (ret > 0) {
+        /* This will happen if the CA chain contains one or more invalid certs, going ahead as the hadshake
+         * may still succeed if the other certificates in the CA chain are enough for the authentication */
+        ESP_LOGW(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
+    }
+
     mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
     mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
     return ESP_OK;