feat(mbedtls): new config to allow weak cert verification

2025-07-30 02:37:19 +02:00 · 2025-03-28 15:46:48 +08:00
parent e6ad551c10
commit e1cec0d941
2 changed files with 22 additions and 0 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -1215,4 +1215,11 @@ menu "mbedTLS"
            which is added through vfs component for ESP32 based targets or by
            the host system when the target is Linux.

+    config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+        bool "Allow weak certificate verification"
+        default n
+        help
+            This options allows weak certificate verification by skipping the hostname verification.
+            It is not recommended to use this option.
+
 endmenu  # mbedTLS
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -2084,6 +2084,21 @@
 #undef MBEDTLS_ERROR_C
 #endif

+/**
+ * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *
+ * Caller: library/ssl_tls.c
+ *
+ * Allow weak certificate verification without a hostname.
+ * This option is not recommended for production use.
+ */
+
+#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#else
+#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#endif
+
 /**
 * \def MBEDTLS_GCM_C
 *