feat(mqtt): enable custom TLS cipher suites for MQTTs

- Add `ciphersuites_list` to `esp_mqtt_client_config_t` for specifying TLS cipher suites. - Update SSL transport configuration to use the provided cipher suites. - Users are responsible for managing the cipher suites list memory.
2025-06-25 01:11:39 +02:00 · 2025-05-21 10:05:00 +02:00
parent 6af4446a48
commit 00cc9dbd9a
3 changed files with 10 additions and 0 deletions
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@ -274,6 +274,8 @@ typedef struct esp_mqtt_client_config_t {
                                                               If NULL, server certificate CN must match hostname.
                                                               This is ignored if skip_cert_common_name_check=true.
                                                  It's not copied nor freed by the client, user needs to clean up.*/
+            const int *ciphersuites_list;    /*!< Pointer to a zero-terminated array of IANA identifiers of TLS cipher suites. 
+                                              Please ensure the validity of the list, and note that it is not copied or freed by the client. */
        } verification; /*!< Security verification of the broker */
    } broker; /*!< Broker address and security verification */
    /**
--- a/lib/include/mqtt_client_priv.h
+++ b/lib/include/mqtt_client_priv.h
@ -85,6 +85,7 @@ typedef struct {
    int clientkey_password_len;
    bool use_global_ca_store;
    esp_err_t ((*crt_bundle_attach)(void *conf));
+    const int *ciphersuites_list;
    const char *cacert_buf;
    size_t cacert_bytes;
    const char *clientcert_buf;
--- a/mqtt_client.c
+++ b/mqtt_client.c
@ -158,6 +158,12 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
                     goto esp_mqtt_set_transport_failed);

    }
+
+    if(cfg->ciphersuites_list)
+    {
+        esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list);
+    }
+
    if (cfg->psk_hint_key) {
 #if defined(MQTT_SUPPORTED_FEATURE_PSK_AUTHENTICATION) && MQTT_ENABLE_SSL
 #ifdef CONFIG_ESP_TLS_PSK_VERIFICATION
@ -578,6 +584,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
    client->config->cacert_bytes = config->broker.verification.certificate_len;
    client->config->psk_hint_key = config->broker.verification.psk_hint_key;
    client->config->crt_bundle_attach = config->broker.verification.crt_bundle_attach;
+    client->config->ciphersuites_list = config->broker.verification.ciphersuites_list;
    client->config->clientcert_buf = config->credentials.authentication.certificate;
    client->config->clientcert_bytes = config->credentials.authentication.certificate_len;
    client->config->clientkey_buf = config->credentials.authentication.key;