SSL: add config option for skipping common name check

Closes IDFGH-3408 Closes https://github.com/espressif/esp-mqtt/issues/158
2025-07-29 18:28:24 +02:00 · 2020-06-09 11:59:07 +08:00
parent 6bc94add89
commit 5e8950e681
3 changed files with 15 additions and 1 deletions
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@ -182,6 +182,7 @@ typedef struct {
    int clientkey_password_len;             /*!< String length of the password pointed to by clientkey_password */
    esp_mqtt_protocol_ver_t protocol_ver;   /*!< MQTT protocol version used for connection, defaults to value from menuconfig*/
    int out_buffer_size;                    /*!< size of MQTT output buffer. If not defined, both output and input buffers have the same size defined as ``buffer_size`` */
+    bool skip_cert_common_name_check;       /*!< Skip any validation of server certificate CN field, this reduces the security of TLS and makes the mqtt client susceptible to MITM attacks  */
 } esp_mqtt_client_config_t;

 /**
--- a/include/mqtt_supported_features.h
+++ b/include/mqtt_supported_features.h
@ -31,6 +31,7 @@
 #if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(3, 3, 0)
 // Features supported from 3.3
 #define MQTT_SUPPORTED_FEATURE_EVENT_LOOP
+#define MQTT_SUPPORTED_FEATURE_SKIP_CRT_CMN_NAME_CHECK
 #endif

 #if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(4, 0, 0)
@ -48,4 +49,4 @@
 #endif
 #endif

-#endif // _MQTT_SUPPORTED_FEATURES_H_
+#endif // _MQTT_SUPPORTED_FEATURES_H_
--- a/mqtt_client.c
+++ b/mqtt_client.c
@ -80,6 +80,7 @@ typedef struct {
    const char *clientkey_buf;
    size_t clientkey_bytes;
    const struct psk_key_hint *psk_hint_key;
+    bool skip_cert_common_name_check;
 } mqtt_config_storage_t;

 typedef enum {
@ -239,6 +240,16 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
 #endif
    }

+
+    if (cfg->skip_cert_common_name_check) {
+#if defined(MQTT_SUPPORTED_FEATURE_SKIP_CRT_CMN_NAME_CHECK) && MQTT_ENABLE_SSL
+        esp_transport_ssl_skip_common_name_check(ssl);
+#else
+        ESP_LOGE(TAG, "Skip certificate common name check is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif
+    }
+
    return ESP_OK;

    esp_mqtt_set_transport_failed:
@ -416,6 +427,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
    cfg->clientkey_buf = config->client_key_pem;
    cfg->clientkey_bytes = config->client_key_len;
    cfg->psk_hint_key = config->psk_hint_key;
+    cfg->skip_cert_common_name_check = config->skip_cert_common_name_check;

    if (config->clientkey_password && config->clientkey_password_len) {
        cfg->clientkey_password_len = config->clientkey_password_len;