diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig index 8dbaae4001..636860986e 100644 --- a/components/esp-tls/Kconfig +++ b/components/esp-tls/Kconfig @@ -41,6 +41,27 @@ menu "ESP-TLS" Enable support for creating server side SSL/TLS session, available for mbedTLS as well as wolfSSL TLS library. + config ESP_TLS_CLIENT_SESSION_TICKETS + bool "Enable client session tickets" + depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS + default n + help + Enable session ticket support as specified in RFC5077. + + config ESP_TLS_SERVER_SESSION_TICKETS + bool "Enable server session tickets" + depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS + default n + help + Enable session ticket support as specified in RFC5077 + + config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT + int "Server session ticket timeout in seconds" + depends on ESP_TLS_SERVER_SESSION_TICKETS + default 86400 + help + Sets the session ticket timeout used in the tls server. + config ESP_TLS_PSK_VERIFICATION bool "Enable PSK verification" select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c index 867e1012d9..29b14f508c 100644 --- a/components/esp-tls/esp_tls.c +++ b/components/esp-tls/esp_tls.c 
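Review bot: The help text for ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT should say that the value is handed straight to mbedtls_ssl_ticket_setup as the ticket lifetime, and mbedTLS rotates the ticket encryption keys on that same interval, so the setting bounds both how long a ticket can be resumed and how long a leaked ticket key stays useful. Suggested help: `Sets the session ticket lifetime used by the TLS server, in seconds. mbedTLS rotates the ticket encryption keys at the same interval, so this also bounds the lifetime of a ticket key.` The two RFC5077 sentences in the client and server entries also differ only by a trailing period; make them consistent.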
@@ -38,9 +38,12 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_write esp_mbedtls_write
 #define _esp_tls_conn_delete esp_mbedtls_conn_delete
 #define _esp_tls_net_init esp_mbedtls_net_init
+#define _esp_tls_get_client_session esp_mbedtls_get_client_session
 #ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create esp_mbedtls_server_session_create
 #define _esp_tls_server_session_delete esp_mbedtls_server_session_delete
+#define _esp_tls_server_session_ticket_ctx_init esp_mbedtls_server_session_ticket_ctx_init
+#define _esp_tls_server_session_ticket_ctx_free esp_mbedtls_server_session_ticket_ctx_free
 #endif /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail esp_mbedtls_get_bytes_avail
 #define _esp_tls_init_global_ca_store esp_mbedtls_init_global_ca_store
@@ -568,7 +571,45 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void)
 }
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
+
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls)
+{
+ return _esp_tls_get_client_session(tls);
+}
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
+
 #ifdef CONFIG_ESP_TLS_SERVER
+esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
+{
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+    if (!cfg || cfg->ticket_ctx) {
+ return ESP_ERR_INVALID_ARG;
+ }
+    cfg->ticket_ctx = calloc(1, sizeof(esp_tls_server_session_ticket_ctx_t));
+    if (!cfg->ticket_ctx) {
+ return ESP_ERR_NO_MEM;
+ }
+    esp_err_t ret = _esp_tls_server_session_ticket_ctx_init(cfg->ticket_ctx);
+    if (ret != ESP_OK) {
+ free(cfg->ticket_ctx);
+ }
+    return ret;
+#else
+    return ESP_ERR_NOT_SUPPORTED;
+#endif
+}
+
+void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg)
+{
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+    if (cfg && cfg->ticket_ctx) {
+ _esp_tls_server_session_ticket_ctx_free(cfg->ticket_ctx);
+ }
+#endif
+}
+
 /**
 * @brief Create a server side TLS/SSL connection
 */
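Review bot: esp_tls_cfg_server_session_tickets_free never releases the context it allocated, and the failure path of esp_tls_cfg_server_session_tickets_init leaves cfg->ticket_ctx dangling after free(); the free routine at the end of the hunk calls _esp_tls_server_session_ticket_ctx_free(cfg->ticket_ctx) but never free(), so every server context leaks the calloc'd struct, and a later free call on the same cfg after a failed init would hand freed memory to the backend. Add `cfg->ticket_ctx = NULL;` right after the `free(cfg->ticket_ctx);` in the error branch, and in the free routine follow the backend call with `free(cfg->ticket_ctx); cfg->ticket_ctx = NULL;`. free_secure_context in https_server.c relies on this routine for cleanup, so the leak surfaces once per server teardown there.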
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index d6a22fc007..588f70d83f 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -20,6 +20,9 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" #include "mbedtls/certs.h" +#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS +#include "mbedtls/ssl_ticket.h" +#endif #elif CONFIG_ESP_TLS_USING_WOLFSSL #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/ssl.h" @@ -54,6 +57,15 @@ typedef struct psk_key_hint { const char* hint; /*!< hint in PSK authentication mode in string format */ } psk_hint_key_t; +/** + * @brief esp-tls client session ticket ctx + */ +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS +typedef struct esp_tls_client_session { + mbedtls_ssl_session saved_session; +} esp_tls_client_session_t; +#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ + /** * @brief Keep alive parameters structure */ 
@@ -168,9 +180,27 @@ typedef struct esp_tls_cfg { directly with esp_tls_plain_tcp_connect() API */ struct ifreq *if_name; /*!< The name of interface for data to go through. Use the default interface without setting */ + +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS + esp_tls_client_session_t *client_session; /*! Pointer for the client session ticket context. */ +#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ } esp_tls_cfg_t; #ifdef CONFIG_ESP_TLS_SERVER +#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) +/** + * @brief Data structures necessary to support TLS session tickets according to RFC5077 + */ +typedef struct esp_tls_server_session_ticket_ctx { + mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */ + + mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure. + CTR_DRBG is deterministic random + bit generation based on AES-256 */ + mbedtls_ssl_ticket_context ticket_ctx; /*!< Session ticket generation context */ +} esp_tls_server_session_ticket_ctx_t; +#endif + typedef struct esp_tls_cfg_server { const char **alpn_protos; /*!< Application protocols required for HTTP2. If HTTP2/ALPN support is required, a list 
@@ -222,7 +252,39 @@ typedef struct esp_tls_cfg_server { unsigned int serverkey_password_len; /*!< String length of the password pointed to by serverkey_password */ +#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) + esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context. + You have to call esp_tls_cfg_server_session_tickets_init + to use it. + Call esp_tls_cfg_server_session_tickets_free + to free the data associated with this context. */ +#endif } esp_tls_cfg_server_t; + +/** + * @brief Initialize the server side TLS session ticket context + * + * This function initializes the server side tls session ticket context + * which holds all necessary data structures to enable tls session tickets + * according to RFC5077. + * Use esp_tls_cfg_server_session_tickets_free to free the data. + * + * @param[in] cfg server configuration as esp_tls_cfg_server_t + * @return + * ESP_OK if setup succeeded + * ESP_ERR_INVALID_ARG if context is already initialized + * ESP_ERR_NO_MEM if memory allocation failed + * ESP_ERR_NOT_SUPPORTED if session tickets are not available due to build configuration + * ESP_FAIL if setup failed + */ +esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg); + +/** + * @brief Free the server side TLS session ticket context + * + * @param cfg server configuration as esp_tls_cfg_server_t + */ +void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg); #endif /* ! CONFIG_ESP_TLS_SERVER */ /** 
@@ -613,6 +675,20 @@ void esp_tls_server_session_delete(esp_tls_t *tls); */ esp_err_t esp_tls_plain_tcp_connect(const char *host, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_error_handle_t error_handle, int *sockfd); +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS +/** + * @brief Obtain the client session ticket + * + * This function should be called when the TLS connection is already established. + * This can be passed again in the esp_tls_cfg_t structure, to appropriate tls session create (e.g. esp_tls_conn_http_new) API for session resumption. + * + * @param[in] esp_tls context as esp_tls_t + * @return + * Pointer to the saved client session. + * NULL on Failure + */ +esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls); +#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ #ifdef __cplusplus } #endif diff --git a/components/esp-tls/esp_tls_errors.h b/components/esp-tls/esp_tls_errors.h index 5dfe74791c..ad104895aa 100644 --- a/components/esp-tls/esp_tls_errors.h +++ b/components/esp-tls/esp_tls_errors.h 
@@ -14,35 +14,42 @@ extern "C" { #endif #define ESP_ERR_ESP_TLS_BASE 0x8000 /*!< Starting number of ESP-TLS error codes */ + +/* generic esp-tls error codes */ #define ESP_ERR_ESP_TLS_CANNOT_RESOLVE_HOSTNAME (ESP_ERR_ESP_TLS_BASE + 0x01) /*!< Error if hostname couldn't be resolved upon tls connection */ #define ESP_ERR_ESP_TLS_CANNOT_CREATE_SOCKET (ESP_ERR_ESP_TLS_BASE + 0x02) /*!< Failed to create socket */ #define ESP_ERR_ESP_TLS_UNSUPPORTED_PROTOCOL_FAMILY (ESP_ERR_ESP_TLS_BASE + 0x03) /*!< Unsupported protocol family */ #define ESP_ERR_ESP_TLS_FAILED_CONNECT_TO_HOST (ESP_ERR_ESP_TLS_BASE + 0x04) /*!< Failed to connect to host */ #define ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x05) /*!< failed to set/get socket option */ -#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK (ESP_ERR_ESP_TLS_BASE + 0x06) /*!< mbedtls parse certificates was partly successful */ -#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED (ESP_ERR_ESP_TLS_BASE + 0x07) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x08) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x09) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0A) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0B) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0C) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0D) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0E) /*!< mbedtls api returned error */ -#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0F) /*!< mbedtls api returned failed */ -#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls api returned 
failed */ -#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned failed */ -#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT (ESP_ERR_ESP_TLS_BASE + 0x12) /*!< new connection in esp_tls_low_level_conn connection timeouted */ -#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x13) /*!< wolfSSL api returned error */ -#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x14) /*!< wolfSSL api returned error */ -#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x15) /*!< wolfSSL api returned error */ -#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x16) /*!< wolfSSL api returned error */ -#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x17) /*!< wolfSSL api returned failed */ -#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x18) /*!< wolfSSL api returned failed */ -#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x19) /*!< wolfSSL api returned failed */ -#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1A) /*!< wolfSSL api returned failed */ +#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT (ESP_ERR_ESP_TLS_BASE + 0x06) /*!< new connection in esp_tls_low_level_conn connection timeouted */ +#define ESP_ERR_ESP_TLS_SE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x07) /*< esp-tls use Secure Element returned failed */ +#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN (ESP_ERR_ESP_TLS_BASE + 0x08) /*< esp-tls's TPC transport connection has benn closed (in a clean way) */ + +/* mbedtls specific error codes */ +#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls parse certificates was partly successful */ +#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x12) /*!< mbedtls api returned error */ +#define 
ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x13) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x14) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x15) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x16) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x17) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x18) /*!< mbedtls api returned error */ +#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x19) /*!< mbedtls api returned failed */ +#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1A) /*!< mbedtls api returned failed */ +#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1B) /*!< mbedtls api returned failed */ +#define ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1C) /*!< mbedtls api returned failed */ + +/* wolfssl specific error codes */ +#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x31) /*!< wolfSSL api returned error */ +#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x32) /*!< wolfSSL api returned error */ +#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x33) /*!< wolfSSL api returned error */ +#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x34) /*!< wolfSSL api returned error */ +#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x35) /*!< wolfSSL api returned failed */ +#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x36) /*!< wolfSSL api returned failed */ +#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x37) /*!< wolfSSL api returned failed */ +#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED 
(ESP_ERR_ESP_TLS_BASE + 0x38) /*!< wolfSSL api returned failed */ -#define ESP_ERR_ESP_TLS_SE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1B) /*< esp-tls use Secure Element returned failed */ -#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN (ESP_ERR_ESP_TLS_BASE + 0x1C) /*< esp-tls's TPC transport connection has benn closed (in a clean way) */ /** * Definition of errors reported from IO API (potentially non-blocking) in case of error: diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index b976b85889..fb6e10366a 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -44,7 +44,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki); static const char *TAG = "esp-tls-mbedtls"; static mbedtls_x509_crt *global_cacert = NULL; - /* This function shall return the error message when appropriate log level has been set, otherwise this function shall do nothing */ static void mbedtls_print_error_msg(int error) { 
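Review bot: The regrouping changes the numeric value of every existing ESP_ERR_MBEDTLS_* and ESP_ERR_WOLFSSL_* code (ESP_ERR_MBEDTLS_CERT_PARTLY_OK moves from 0x8006 to 0x8010, for instance), which breaks anything that stores, logs or compares these codes by value rather than by name; if that is intended it should be stated in the commit message and release notes. The two moved definitions ESP_ERR_ESP_TLS_SE_FAILED and ESP_ERR_ESP_TLS_TCP_CLOSED_FIN still use `/*<` rather than `/*!<`, so the error-table generator records them without a description (the esp_err_to_name.c hunk shows `/* 32775 0x8007 */` with no text). Since the lines are rewritten anyway, change them to `/*!< esp-tls use Secure Element returned failed */` and `/*!< esp-tls's TCP transport connection has been closed (in a clean way) */`.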
@@ -132,12 +131,48 @@ exit:
 }
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls)
+{
+    if (tls == NULL) {
+ ESP_LOGE(TAG, "esp_tls session context cannot be NULL");
+ return NULL;
+ }
+
+    esp_tls_client_session_t *client_session = (esp_tls_client_session_t*)calloc(1, sizeof(esp_tls_client_session_t));
+    if (client_session == NULL) {
+ ESP_LOGE(TAG, "Failed to allocate memory for client session ctx");
+ return NULL;
+ }
+
+    int ret = mbedtls_ssl_get_session(&tls->ssl, &(client_session->saved_session));
+    if (ret != 0) {
+ ESP_LOGE(TAG, "Error in obtaining the client ssl session");
+ mbedtls_print_error_msg(ret);
+ free(client_session);
+ return NULL;
+ }
+
+    return client_session;
+}
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
 int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
 {
 int ret;
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    if (cfg->client_session != NULL) {
+ ESP_LOGD(TAG, "Reusing the already saved client session context");
+ if ((ret = mbedtls_ssl_set_session(&tls->ssl, &(cfg->client_session->saved_session))) != 0 ) {
+ ESP_LOGE(TAG, " mbedtls_ssl_conf_session returned -0x%04X", -ret);
+ return -1;
+ }
+    }
+#endif
 ret = mbedtls_ssl_handshake(&tls->ssl);
 if (ret == 0) {
 tls->conn_state = ESP_TLS_DONE;
+
 #ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
 esp_ds_release_ds_lock();
 #endif
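Review bot: esp_mbedtls_get_client_session returns a struct whose saved_session was filled by mbedtls_ssl_get_session, which copies heap-owned members (the ticket, and the peer certificate where one is kept) into the caller's copy, yet the commit adds no matching release function; a bare free() of the returned pointer, which is what the example does, leaks those members. Add a release routine, e.g. `void esp_tls_free_client_session(esp_tls_client_session_t *s)` that calls mbedtls_ssl_session_free(&s->saved_session) before free(s), and document on the getter that ownership passes to the caller. In esp_mbedtls_handshake the failure log names `mbedtls_ssl_conf_session` while the call is mbedtls_ssl_set_session; make it `ESP_LOGE(TAG, "mbedtls_ssl_set_session returned -0x%04X", -ret);`. The new block also runs on every call to esp_mbedtls_handshake, so if the function is re-entered while a non-blocking handshake is in progress, mbedtls_ssl_set_session is presumably called again after the ClientHello has gone out, which mbedTLS rejects; installing the session only while the handshake is still in its initial state would avoid that. esp_mbedtls_handshake continues past the end of the hunk.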
@@ -368,8 +403,75 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls)
 return ESP_OK;
 }
-
 #ifdef CONFIG_ESP_TLS_SERVER
+#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
+int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
+{
+    int ret = mbedtls_ssl_ticket_write(p_ticket, session, start, end, tlen, lifetime);
+#ifndef NDEBUG
+    if (ret != 0) {
+ ESP_LOGE(TAG, "Writing session ticket resulted in error code -0x%04X", -ret);
+ mbedtls_print_error_msg(ret);
+ }
+#endif
+    return ret;
+}
+
+int esp_mbedtls_server_session_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
+{
+    int ret = mbedtls_ssl_ticket_parse(p_ticket, session, buf, len);
+#ifndef NDEBUG
+    if (ret != 0) {
+ ESP_LOGD(TAG, "Parsing session ticket resulted in error code -0x%04X", -ret);
+ mbedtls_print_error_msg(ret);
+ }
+#endif
+    return ret;
+}
+
+esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *ctx)
+{
+    if (!ctx) {
+ return ESP_ERR_INVALID_ARG;
+ }
+    mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
+    mbedtls_entropy_init(&ctx->entropy);
+    mbedtls_ssl_ticket_init(&ctx->ticket_ctx);
+    int ret;
+    esp_err_t esp_ret;
+    if ((ret = mbedtls_ctr_drbg_seed(&ctx->ctr_drbg,
+ mbedtls_entropy_func, &ctx->entropy, NULL, 0)) != 0) {
+ ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned -0x%04X", -ret);
+ mbedtls_print_error_msg(ret);
+ esp_ret = ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED;
+ goto exit;
+ }
+
+    if((ret = mbedtls_ssl_ticket_setup(&ctx->ticket_ctx,
+ mbedtls_ctr_drbg_random, &ctx->ctr_drbg,
+ MBEDTLS_CIPHER_AES_256_GCM,
+ CONFIG_ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT)) != 0) {
+ ESP_LOGE(TAG, "mbedtls_ssl_ticket_setup returned -0x%04X", -ret);
+ mbedtls_print_error_msg(ret);
+ esp_ret = ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED;
+ goto exit;
+ }
+    return ESP_OK;
+exit:
+    esp_mbedtls_server_session_ticket_ctx_free(ctx);
+    return esp_ret;
+}
+
+void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *ctx)
+{
+    if (ctx) {
+ mbedtls_ssl_ticket_free(&ctx->ticket_ctx);
+ mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
+ mbedtls_entropy_free(&ctx->entropy);
+ }
+}
+#endif
+
 esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 {
 assert(cfg != NULL);
@@ -421,6 +523,18 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 ESP_LOGE(TAG, "Missing server certificate and/or key");
 return ESP_ERR_INVALID_STATE;
 }
+
+#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
+    if (cfg->ticket_ctx) {
+ ESP_LOGD(TAG, "Enabling server-side tls session ticket support");
+
+ mbedtls_ssl_conf_session_tickets_cb( &tls->conf,
+ esp_mbedtls_server_session_ticket_write,
+ esp_mbedtls_server_session_ticket_parse,
+ &cfg->ticket_ctx->ticket_ctx );
+    }
+#endif
+
 return ESP_OK;
 }
 #endif /* ! CONFIG_ESP_TLS_SERVER */
@@ -480,6 +594,13 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #endif
 }
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    ESP_LOGD(TAG, "Enabling client-side tls session ticket support");
+    mbedtls_ssl_conf_session_tickets(&tls->conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
+    mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);
+
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
 if (cfg->crt_bundle_attach != NULL) {
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 ESP_LOGD(TAG, "Use certificate bundle");
@@ -516,6 +637,10 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #else
 ESP_LOGE(TAG, "psk_hint_key configured but not enabled in menuconfig: Please enable ESP_TLS_PSK_VERIFICATION option");
 return ESP_ERR_INVALID_STATE;
+#endif
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    } else if (cfg->client_session != NULL) {
+ ESP_LOGD(TAG, "Resuing the saved client session");
 #endif
 } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
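Review bot: esp_mbedtls_server_session_ticket_ctx_free calls mbedtls_ctr_drbg_init on ctx->ctr_drbg where it should call mbedtls_ctr_drbg_free, so the DRBG state seeded from the entropy source (including its AES key material) is never cleared or released; the line should read `mbedtls_ctr_drbg_free(&ctx->ctr_drbg);`. The same routine is the goto exit cleanup of esp_mbedtls_server_session_ticket_ctx_init, so the omission also applies on the seeding and ticket_setup failure paths. A one-line comment on the write/parse wrappers saying that the NDEBUG guard only strips the logging, never the mbedTLS call, would save the next reader from checking.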
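Review bot: In the set_client_config hunk at line 594, `mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);` is not needed for RFC 5077 session tickets, which are resumed in the ClientHello of a new connection rather than through renegotiation, and it switches on for every client built with this option a feature mbedTLS keeps disabled by default because of its history of protocol problems. Drop that line, or if a specific deployment needs renegotiation, gate it behind its own Kconfig option whose help text explains the trade-off. set_client_config starts and ends outside this hunk.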
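Review bot: The new `} else if (cfg->client_session != NULL) {` branch in the hunk at line 637 ends the trust-configuration chain without selecting any verification source, so a configuration that supplies only client_session (as the https_request example does) has no CA, bundle or PSK installed; if the server declines the ticket the handshake presumably continues as a full one with whatever authmode the rest of the setup leaves, and nothing here makes that fallback explicit. Either document on esp_tls_cfg_t.client_session that the usual server-verification fields must still be provided for the fallback, or fail the connection here when none of them is set. The log string also misspells its verb; make it `ESP_LOGD(TAG, "Reusing the saved client session");`. set_client_config continues beyond the hunk.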
diff --git a/components/esp-tls/private_include/esp_tls_mbedtls.h b/components/esp-tls/private_include/esp_tls_mbedtls.h
index 78694fc858..c1c5d4f328 100644
--- a/components/esp-tls/private_include/esp_tls_mbedtls.h
+++ b/components/esp-tls/private_include/esp_tls_mbedtls.h
@@ -76,6 +76,22 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
 * /note :- The function can only be used with mbedtls ssl library
 */
 void esp_mbedtls_server_session_delete(esp_tls_t *tls);
+
+#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
+/**
+ * Internal function to setup server side session ticket context
+ *
+ * /note :- The function can only be used with mbedtls ssl library
+ */
+esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *cfg);
+
+/**
+ * Internal function to free server side session ticket context
+ *
+ * /note :- The function can only be used with mbedtls ssl library
+ */
+void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg);
+#endif
 #endif
 /**
@@ -83,6 +99,13 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls);
 */
 esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls);
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+/**
+ * Internal Callback for mbedtls_get_client_session
+ */
+esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls);
+#endif
+
 /**
 * Internal Callback for mbedtls_init_global_ca_store
 */
diff --git a/components/esp_common/src/esp_err_to_name.c b/components/esp_common/src/esp_err_to_name.c
index c683e2004c..ac06862a0c 100644
--- a/components/esp_common/src/esp_err_to_name.c
+++ b/components/esp_common/src/esp_err_to_name.c
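Review bot: Both new prototypes name their parameter `cfg` although it is the ticket context (the definitions in esp_tls_mbedtls.c call it `ctx`), which reads as if an esp_tls_cfg_server_t were expected; rename it to `esp_tls_server_session_ticket_ctx_t *ctx` in both declarations. The comment on esp_mbedtls_server_session_ticket_ctx_init should also state that on failure the function has already released the mbedTLS members through its goto exit path, so the caller only needs to release the containing allocation, and that it returns ESP_ERR_INVALID_ARG for a NULL context and the ESP_ERR_MBEDTLS_* codes for seeding and ticket setup failures.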
@@ -620,75 +620,78 @@ static const esp_err_msg_t esp_err_msg_table[] = { # ifdef ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED ERR_TBL_IT(ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED), /* 32773 0x8005 failed to set/get socket option */ # endif -# ifdef ESP_ERR_MBEDTLS_CERT_PARTLY_OK - ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK), /* 32774 0x8006 mbedtls parse certificates was partly successful */ -# endif -# ifdef ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED), /* 32775 0x8007 mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED), /* 32776 0x8008 mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED), /* 32777 0x8009 mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32778 0x800a mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED), /* 32779 0x800b mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED), /* 32780 0x800c mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_SETUP_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED), /* 32781 0x800d mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_WRITE_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED), /* 32782 0x800e mbedtls api returned error */ -# endif -# ifdef ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED), /* 32783 0x800f mbedtls api returned failed */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED - ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED), /* 32784 0x8010 mbedtls api returned failed */ -# endif -# ifdef ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED - 
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED), /* 32785 0x8011 mbedtls api returned failed */ -# endif # ifdef ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT - ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT), /* 32786 0x8012 new connection in esp_tls_low_level_conn + ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT), /* 32774 0x8006 new connection in esp_tls_low_level_conn connection timeouted */ # endif -# ifdef ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED), /* 32787 0x8013 wolfSSL api returned error */ -# endif -# ifdef ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 wolfSSL api returned error */ -# endif -# ifdef ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED), /* 32789 0x8015 wolfSSL api returned error */ -# endif -# ifdef ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED), /* 32790 0x8016 wolfSSL api returned error */ -# endif -# ifdef ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED), /* 32791 0x8017 wolfSSL api returned failed */ -# endif -# ifdef ESP_ERR_WOLFSSL_CTX_SETUP_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED), /* 32792 0x8018 wolfSSL api returned failed */ -# endif -# ifdef ESP_ERR_WOLFSSL_SSL_SETUP_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED), /* 32793 0x8019 wolfSSL api returned failed */ -# endif -# ifdef ESP_ERR_WOLFSSL_SSL_WRITE_FAILED - ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED), /* 32794 0x801a wolfSSL api returned failed */ -# endif # ifdef ESP_ERR_ESP_TLS_SE_FAILED - ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED), /* 32795 0x801b */ + ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED), /* 32775 0x8007 */ # endif # ifdef ESP_ERR_ESP_TLS_TCP_CLOSED_FIN - ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN), /* 32796 0x801c */ + ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN), /* 32776 0x8008 */ +# endif +# ifdef 
ESP_ERR_MBEDTLS_CERT_PARTLY_OK + ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK), /* 32784 0x8010 mbedtls parse certificates was partly successful */ +# endif +# ifdef ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED), /* 32785 0x8011 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED), /* 32786 0x8012 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED), /* 32787 0x8013 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED), /* 32789 0x8015 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED), /* 32790 0x8016 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED), /* 32791 0x8017 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_WRITE_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED), /* 32792 0x8018 mbedtls api returned error */ +# endif +# ifdef ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED), /* 32793 0x8019 mbedtls api returned failed */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED), /* 32794 0x801a mbedtls api returned failed */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED), /* 32795 0x801b mbedtls api returned failed */ +# endif +# ifdef ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED), /* 32796 0x801c mbedtls api 
returned failed */ +# endif +# ifdef ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED), /* 32817 0x8031 wolfSSL api returned error */ +# endif +# ifdef ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32818 0x8032 wolfSSL api returned error */ +# endif +# ifdef ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED), /* 32819 0x8033 wolfSSL api returned error */ +# endif +# ifdef ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED), /* 32820 0x8034 wolfSSL api returned error */ +# endif +# ifdef ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED), /* 32821 0x8035 wolfSSL api returned failed */ +# endif +# ifdef ESP_ERR_WOLFSSL_CTX_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED), /* 32822 0x8036 wolfSSL api returned failed */ +# endif +# ifdef ESP_ERR_WOLFSSL_SSL_SETUP_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED), /* 32823 0x8037 wolfSSL api returned failed */ +# endif +# ifdef ESP_ERR_WOLFSSL_SSL_WRITE_FAILED + ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED), /* 32824 0x8038 wolfSSL api returned failed */ # endif // components/esp_https_ota/include/esp_https_ota.h # ifdef ESP_ERR_HTTPS_OTA_BASE diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h index 52f9dc2132..00565a963a 100644 --- a/components/esp_https_server/include/esp_https_server.h +++ b/components/esp_https_server/include/esp_https_server.h @@ -63,6 +63,9 @@ struct httpd_ssl_config { /** Port used when transport mode is insecure (default 80) */ uint16_t port_insecure; + + /** Enable tls session tickets */ + bool session_tickets; }; typedef struct httpd_ssl_config httpd_ssl_config_t; 
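Review bot: The comment on the new `session_tickets` field of httpd_ssl_config should say what the flag requires: create_secure_context calls esp_tls_cfg_server_session_tickets_init when it is set, and that function returns ESP_ERR_NOT_SUPPORTED unless CONFIG_ESP_TLS_SERVER_SESSION_TICKETS is enabled, so a true value on a build without that option makes the whole server start fail. Suggested comment: `/** Enable TLS session tickets (RFC 5077); requires CONFIG_ESP_TLS_SERVER_SESSION_TICKETS, otherwise httpd_ssl_start fails */`.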
@@ -109,6 +112,7 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
 .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \
 .port_secure = 443, \
 .port_insecure = 80, \
+    .session_tickets = false, \
 }
 /**
diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c
index 6949bf52af..9864ead3b2 100644
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@@ -145,6 +145,7 @@ static void free_secure_context(void *ctx)
 if (cfg->serverkey_buf) {
 free((void *)cfg->serverkey_buf);
 }
+    esp_tls_cfg_server_session_tickets_free(cfg);
 free(cfg);
 free(ssl_ctx);
 }
@@ -160,6 +161,16 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
 free(ssl_ctx);
 return NULL;
 }
+
+    if (config->session_tickets) {
+ if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) {
+ ESP_LOGE(TAG, "Failed to init session ticket support");
+ free(ssl_ctx);
+ free(cfg);
+ return NULL;
+ }
+    }
+
 ssl_ctx->tls_cfg = cfg;
 /* cacert = CA which signs client cert, or client cert itself , which is mapped to client_verify_cert_pem */
 if(config->client_verify_cert_pem != NULL) {
diff --git a/examples/protocols/https_request/README.md b/examples/protocols/https_request/README.md
index 1b311892e1..05fed4de5a 100644
--- a/examples/protocols/https_request/README.md
+++ b/examples/protocols/https_request/README.md
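Review bot: create_secure_context discards the esp_err_t from esp_tls_cfg_server_session_tickets_init, so the log cannot tell a build-configuration problem (ESP_ERR_NOT_SUPPORTED) from an allocation or DRBG failure; capture it and print it: `esp_err_t ret = esp_tls_cfg_server_session_tickets_init(cfg);` and `ESP_LOGE(TAG, "Failed to init session ticket support (%s)", esp_err_to_name(ret));`. The error path frees cfg and ssl_ctx in the same way as the existing failure branch just above it, which looks consistent; create_secure_context continues outside the hunk.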
@@ -4,6 +4,13 @@ Uses APIs from `esp-tls` component to make a very simple HTTPS request over a se (See the README.md file in the upper level 'examples' directory for more information about examples.) +### Session Tickets + +Session Tickets, specified in [RFC 5077](https://datatracker.ietf.org/doc/html/rfc5077) are a mechanism to distribute encrypted +session-state information to the client in the form of a ticket and a mechanism to present the ticket back to the server. The ticket is created by a TLS server and sent to a TLS client. The TLS client presents the ticket to the TLS server to resume a session. In TLS 1.2, this speeds up handshakes from two to one round-trip. + +In ESP-IDF, this feature is supported (for both server and client) when mbedTLS is used as the SSL library. + ## How to use example Before project configuration and build, be sure to set the correct chip target using `idf.py set-target `. @@ -19,6 +26,15 @@ idf.py menuconfig ``` Open the project configuration menu (`idf.py menuconfig`) to configure Wi-Fi or Ethernet. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../../README.md) for more details. +#### Configuring Client Session Tickets + +Note: This example has client session tickets enabled by default. + +* Open the project configuration menu (`idf.py menuconfig`) +* In the `Component Config` -> `ESP-TLS` submenu, select the `Enable client session tickets` option. + +Ensure that the server has the session tickets feature enabled. + ### Build and Flash Build the project and flash it to the board, then run monitor tool to view serial output: diff --git a/examples/protocols/https_request/example_test.py b/examples/protocols/https_request/example_test.py index 970cf5533c..9fc9771b6f 100644 --- a/examples/protocols/https_request/example_test.py +++ b/examples/protocols/https_request/example_test.py 
@@ -63,6 +63,19 @@ def test_examples_protocol_https_request(env, extra_data): raise Utility.console_log("Passed the test for \"https_request using global ca_store\"") + # Check for connection using already saved client session + Utility.console_log("Testing for \"https_request using saved client session\"") + try: + dut1.expect(re.compile('https_request using saved client session'), timeout=20) + dut1.expect_all('Connection established...', + 'Reading HTTP response...', + 'HTTP/1.1 200 OK', + re.compile('connection closed')) + except Exception: + Utility.console_log("Failed the test for \"https_request using saved client session\"") + raise + Utility.console_log("Passed the test for \"https_request using saved client session\"") + # Check for connection using crt bundle with mbedtls dynamic resource enabled dut1 = env.get_dut('https_request', 'examples/protocols/https_request', dut_class=ttfw_idf.ESP32DUT, app_config_name='ssldyn') # check and log bin size diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c index d333145953..6fa5fbaec9 100644 --- a/examples/protocols/https_request/main/https_request_example_main.c +++ b/examples/protocols/https_request/main/https_request_example_main.c @@ -67,7 +67,9 @@ static const char REQUEST[] = "GET " WEB_URL " HTTP/1.1\r\n" */ extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start"); extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end"); - +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS +esp_tls_client_session_t *tls_client_session = NULL; +#endif static void https_get_request(esp_tls_cfg_t cfg) { char buf[512]; 
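Review bot: The expectations added for the saved-session case are exactly the strings already checked for the full-handshake cases, so this test passes even when the ticket is rejected and esp-tls silently performs a fresh handshake, or when no session was saved and the example runs with a NULL `client_session`. If the example or esp-tls logs a resumption indicator, add it to the `expect_all` list; otherwise add `# NOTE: only checks the call path, does not verify the session was actually resumed` above the new block so readers do not over-trust it. The enclosing `test_examples_protocol_https_request` starts before this hunk.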
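Review bot: `tls_client_session` is defined at file scope with external linkage although only this example file uses it; declare it `static esp_tls_client_session_t *tls_client_session = NULL;` so it does not pollute the global namespace. A one-line comment on it, e.g. `/* Session saved from the first successful handshake; presumably contains the negotiated session secrets, so free and clear it after reuse */`, would also help readers of the example, since the later hunks rely on it being freed and reset to NULL.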
@@ -82,6 +84,12 @@ static void https_get_request(esp_tls_cfg_t cfg) goto exit; } +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS + /* The TLS session is successfully established, now saving the session ctx for reuse */ + if (tls_client_session == NULL) { + tls_client_session = esp_tls_get_client_session(tls); + } +#endif size_t written_bytes = 0; do { ret = esp_tls_conn_write(tls, @@ -143,6 +151,8 @@ static void https_get_request_using_crt_bundle(void) https_get_request(cfg); } + + static void https_get_request_using_cacert_buf(void) { ESP_LOGI(TAG, "https_request using cacert_buf"); @@ -169,6 +179,19 @@ static void https_get_request_using_global_ca_store(void) esp_tls_free_global_ca_store(); } +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS +static void https_get_request_using_already_saved_session(void) +{ + ESP_LOGI(TAG, "https_request using saved client session"); + esp_tls_cfg_t cfg = { + .client_session = tls_client_session, + }; + https_get_request(cfg); + free(tls_client_session); + tls_client_session = NULL; +} +#endif + static void https_request_task(void *pvparameters) { ESP_LOGI(TAG, "Start https_request example"); @@ -176,7 +199,9 @@ static void https_request_task(void *pvparameters) https_get_request_using_crt_bundle(); https_get_request_using_cacert_buf(); https_get_request_using_global_ca_store(); - +#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS + https_get_request_using_already_saved_session(); +#endif ESP_LOGI(TAG, "Finish https_request example"); vTaskDelete(NULL); } diff --git a/examples/protocols/https_request/sdkconfig.ci b/examples/protocols/https_request/sdkconfig.ci index 42f4b389e1..19398a6bb6 100644 --- a/examples/protocols/https_request/sdkconfig.ci +++ b/examples/protocols/https_request/sdkconfig.ci @@ -9,3 +9,4 @@ CONFIG_EXAMPLE_ETH_MDIO_GPIO=18 CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5 CONFIG_EXAMPLE_ETH_PHY_ADDR=1 CONFIG_EXAMPLE_CONNECT_IPV6=y +CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y 
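Review bot: The value returned by `esp_tls_get_client_session(tls)` is stored without a NULL check; if it fails (for instance because the server issued no ticket), `tls_client_session` stays NULL, the later saved-session request silently runs a full handshake and nothing reports that resumption never happened. Inside the branch add `if (tls_client_session == NULL) { ESP_LOGW(TAG, "Failed to save client session"); }` so the log makes the situation visible. Note that the session is captured from whichever `https_get_request` call succeeds first, which by the task order is the certificate-bundle request; `https_get_request` continues outside this hunk.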
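Review bot: The cfg built in https_get_request_using_already_saved_session carries only `.client_session`; if the server declines the ticket (expired, key rotated, tickets disabled) the library falls back to a full handshake with this same cfg, and with no `cacert_buf`, certificate bundle or global CA store configured that handshake may run without server certificate verification — please confirm how esp-tls treats a cfg with no CA material, and otherwise pair the saved session with the same trust anchor the first request used (the certificate bundle) so the fallback is still authenticated. Separately, `free(tls_client_session)` releases only the outer allocation; if `esp_tls_client_session_t` wraps an `mbedtls_ssl_session`, its inner allocations (peer certificate) leak and the session secrets are never wiped, so an esp-tls counterpart to `esp_tls_get_client_session()` that calls `mbedtls_ssl_session_free()` before `free()` would be the right API for the example to use.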
diff --git a/examples/protocols/https_request/sdkconfig.defaults b/examples/protocols/https_request/sdkconfig.defaults new file mode 100644 index 0000000000..9215c9b61b --- /dev/null +++ b/examples/protocols/https_request/sdkconfig.defaults @@ -0,0 +1 @@ +CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y