From 605206b69fd642a51a1e9e0d760b994c6481c9bd Mon Sep 17 00:00:00 2001
From: Ashish Sharma
Date: Fri, 28 Mar 2025 15:46:48 +0800
Subject: [PATCH] feat(mbedtls): new config to allow weak cert verification
---
 components/esp-tls/esp_tls_mbedtls.c | 4 ++--
 components/mbedtls/Kconfig | 7 +++++++
 .../mbedtls/port/include/mbedtls/esp_config.h | 15 +++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 74b053cd73..e8e39cb340 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -791,7 +791,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #endif
 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
     } else if (cfg->client_session != NULL) {
-        ESP_LOGD(TAG, "Resuing the saved client session");
+        ESP_LOGD(TAG, "Reusing the saved client session");
 #endif
     } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index 534f2ea6da..fab5a91960 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -1262,4 +1262,11 @@ menu "mbedTLS"
             which is added through vfs component for ESP32 based targets or by the host system when the target is Linux.
+    config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+        bool "Allow weak certificate verification"
+        default n
+        help
+            This options allows weak certificate verification by skipping the hostname verification.
+            It is not recommended to use this option.
+
 endmenu # mbedTLS
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 93e8e81eef..c5707dd6f3 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
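Review bot: The help text of MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION does not say what is lost when it is enabled: once the hostname check is skipped, any certificate that chains to a trusted CA is accepted no matter which server presents it, so the CA store still validates the chain but no longer ties it to the peer the application meant to reach. "This options allows" is also a grammar slip. I would reword the help to state the effect and its consequence, for example `Allow the TLS client to verify the server certificate chain without checking it against a hostname. Any certificate trusted by the configured CA store is then accepted for any server, so enable this only for debugging or for peers authenticated by other means.` The option name promises more than the hunk implements (only the hostname check is relaxed), so a name that mentions the hostname would steer users better, and with no `depends on` the symbol is offered in every build's menuconfig.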
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -2117,6 +2117,21 @@
 #undef MBEDTLS_ERROR_C
 #endif
+/**
+ * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *
+ * Caller: library/ssl_tls.c
+ *
+ * Allow weak certificate verification without a hostname.
+ * This option is not recommended for production use.
+ */
+
+#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#else
+#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#endif
+ /** + * \def MBEDTLS_GCM_C *
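Review bot: The doc comment added for MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME restates the macro name ("Allow weak certificate verification without a hostname") instead of saying which check is relaxed, which is what a reader of esp_config.h needs before flipping it. As far as I recall the upstream Mbed TLS description, this macro lets a client handshake with certificate verification enabled proceed even when no hostname was set with mbedtls_ssl_set_hostname(), so the server certificate is never matched against an expected name; I would say that here by replacing the two descriptive lines with ` * Allow a client handshake to proceed when certificate verification is enabled but no hostname was set with mbedtls_ssl_set_hostname(); the server certificate is then not matched against any expected name,` and ` * so any certificate trusted by the CA store is accepted for any server. Not for production use.` Also, `#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION` relies on the undefined macro reading as 0 when the Kconfig option is off; if the neighbouring Kconfig-driven entries in this file use `#ifdef CONFIG_...`, the same form here is consistent and avoids a -Wundef warning.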