From 421b9abd0d5d147966bfa57264d7f88aec793def Mon Sep 17 00:00:00 2001
From: "nilesh.kale"
Date: Thu, 14 Aug 2025 14:03:27 +0530
Subject: [PATCH 1/2] fix(esp-tls): added missing event tracker capture during mbedtls read operation

This commit fixed missing event tracker capture and added new error code
ESP_ERR_MBEDTLS_SSL_READ_FAILED.

Closes https://github.com/espressif/esp-idf/issues/16239
---
 components/esp-tls/esp_tls_errors.h         | 1 +
 components/esp-tls/esp_tls_mbedtls.c        | 1 +
 components/esp_common/src/esp_err_to_name.c | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/components/esp-tls/esp_tls_errors.h b/components/esp-tls/esp_tls_errors.h
index 9f6ee286c7..c9d196283f 100644
--- a/components/esp-tls/esp_tls_errors.h
+++ b/components/esp-tls/esp_tls_errors.h
@@ -47,6 +47,7 @@ extern "C" {
 #define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED             (ESP_ERR_ESP_TLS_BASE + 0x1A)  /*!< mbedtls api returned failed */
 #define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x1B)  /*!< mbedtls api returned failed */
 #define ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x1C)  /*!< mbedtls api returned failed */
+#define ESP_ERR_MBEDTLS_SSL_READ_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x1D)  /*!< mbedtls api returned failed */
 
 /* wolfssl specific error codes */
 #define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x31)  /*!< wolfSSL api returned error */
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 4ece797adc..5bbe0bfb54 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
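Review bot: The doc comment on the new `ESP_ERR_MBEDTLS_SSL_READ_FAILED` line repeats the generic `mbedtls api returned failed` text of its neighbours, so the string a caller gets back from the error-name table will not say which operation failed; `/*!< mbedtls_ssl_read returned an error */` would make the code self-describing. The esp_err_to_name.c hunk in this patch carries the same text in its table comment, so the two should be updated together if that table is regenerated from this header.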
@@ -407,6 +407,7 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen)
         }
         if (ret != ESP_TLS_ERR_SSL_WANT_READ && ret != ESP_TLS_ERR_SSL_WANT_WRITE) {
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
+            ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_MBEDTLS_SSL_READ_FAILED);
             ESP_LOGE(TAG, "read error :-0x%04"NEWLIB_NANO_SSIZE_T_COMPAT_FORMAT, -ret);
             mbedtls_print_error_msg(ret);
         }
diff --git a/components/esp_common/src/esp_err_to_name.c b/components/esp_common/src/esp_err_to_name.c
index 69a8aa5337..cd505b60c6 100644
--- a/components/esp_common/src/esp_err_to_name.c
+++ b/components/esp_common/src/esp_err_to_name.c
@@ -746,6 +746,9 @@ static const esp_err_msg_t esp_err_msg_table[] = {
 #   ifdef ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED
     ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED),        /* 32796 0x801c mbedtls api returned failed */
 #   endif
+#   ifdef ESP_ERR_MBEDTLS_SSL_READ_FAILED
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_READ_FAILED),                /* 32797 0x801d mbedtls api returned failed */
+#   endif
 #   ifdef ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED
     ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED),        /* 32817 0x8031 wolfSSL api returned error */
 #   endif

From 54d97fdac1f45da8db3f55c67d9adc6cb512bdf6 Mon Sep 17 00:00:00 2001
From: "nilesh.kale"
Date: Thu, 14 Aug 2025 14:06:40 +0530
Subject: [PATCH 2/2] fix(esp-tls): removed unncessary log for certificate verification

This commit removed unnecessary and confusing log for certificate verify
if there is another issue during tls connection.
---
 components/esp-tls/esp_tls_mbedtls.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 5bbe0bfb54..134d212aa0 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
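Review bot: The new ESP_TLS_ERR_TYPE_ESP capture fires for every negative return from mbedtls_ssl_read other than WANT_READ/WANT_WRITE, so unless the code above this hunk already returns early on `MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY`, an orderly close by the peer is recorded, and logged at error level, as `ESP_ERR_MBEDTLS_SSL_READ_FAILED`; esp_mbedtls_read begins outside the hunk, so that filter is not visible here and should be confirmed. Emitting two captures for one failure is not obvious to a reader, so a one-line comment above the added line would help: `/* Record the ESP-layer code alongside the raw mbedtls code, as esp_mbedtls_handshake does */`. The pairing itself matches the handshake path touched by the second patch, which is the right consistency.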
@@ -310,8 +310,12 @@ int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED);
         if (cfg->crt_bundle_attach != NULL || cfg->cacert_buf != NULL || cfg->use_global_ca_store == true) {
-            /* This is to check whether handshake failed due to invalid certificate*/
-            esp_mbedtls_verify_certificate(tls);
+            if (mbedtls_ssl_get_peer_cert(&tls->ssl) != NULL) {
+                /* This is to check whether handshake failed due to invalid certificate*/
+                esp_mbedtls_verify_certificate(tls);
+            } else {
+                ESP_LOGD(TAG, "Skipping certificate verification - no peer certificate received");
+            }
         }
         tls->conn_state = ESP_TLS_FAIL;
         return -1;
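Review bot: `mbedtls_ssl_get_peer_cert()` is only declared when mbedtls is built with `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` (mbedtls 3.x guards the prototype with that option), so the new check makes this file fail to compile for a configuration that disables it; if the component permits such a config, wrap the new branch in the same `#if` and keep the unconditional esp_mbedtls_verify_certificate() call as the fallback. The skip message is at debug level, so at the default log level a handshake that fails before the server certificate arrives now produces no certificate-related output at all; that is the intended effect of this change, but the surviving comment should say why, e.g. `/* Verify the peer certificate only if one was received; otherwise the failure predates certificate exchange and the verify result would not describe it */`. esp_mbedtls_handshake starts outside the hunk.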