From 00cc9dbd9af0dc8c8bc163ca899833f0e352d7b4 Mon Sep 17 00:00:00 2001
From: dhb <627971428@qq.com>
Date: Wed, 21 May 2025 10:05:00 +0200
Subject: [PATCH 1/2] feat(mqtt): enable custom TLS cipher suites for MQTTs

- Add `ciphersuites_list` to `esp_mqtt_client_config_t` for specifying TLS cipher suites.
- Update SSL transport configuration to use the provided cipher suites.
- Users are responsible for managing the cipher suites list memory.
---
 include/mqtt_client.h | 2 ++
 lib/include/mqtt_client_priv.h | 1 +
 mqtt_client.c | 7 +++++++
 3 files changed, 10 insertions(+)

diff --git a/include/mqtt_client.h b/include/mqtt_client.h
index 0b4df87..4627585 100644
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@@ -274,6 +274,8 @@ typedef struct esp_mqtt_client_config_t {
 If NULL, server certificate CN must match hostname.
 This is ignored if skip_cert_common_name_check=true.
 It's not copied nor freed by the client, user needs to clean up.*/
+ const int *ciphersuites_list; /*!< Pointer to a zero-terminated array of IANA identifiers of TLS cipher suites.
+ Please ensure the validity of the list, and note that it is not copied or freed by the client. */
 } verification; /*!< Security verification of the broker */
 } broker; /*!< Broker address and security verification */
 /**
diff --git a/lib/include/mqtt_client_priv.h b/lib/include/mqtt_client_priv.h
index 4aa0a9f..7ab5266 100644
--- a/lib/include/mqtt_client_priv.h
+++ b/lib/include/mqtt_client_priv.h
@@ -85,6 +85,7 @@ typedef struct {
 int clientkey_password_len;
 bool use_global_ca_store;
 esp_err_t ((*crt_bundle_attach)(void *conf));
+ const int *ciphersuites_list;
 const char *cacert_buf;
 size_t cacert_bytes;
 const char *clientcert_buf;
diff --git a/mqtt_client.c b/mqtt_client.c
index b70f518..c87ee74 100644
--- a/mqtt_client.c
+++ b/mqtt_client.c
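Review bot: The new `ciphersuites_list` comment in the `mqtt_client.h` hunk says the array is "not copied or freed by the client" but never says how long it must stay valid; the pointer is stored in the private config (the `esp_mqtt_set_config` hunk of this patch) and passed to `esp_transport_ssl_set_ciphersuites_list` when the SSL transport is set up, and whether the transport or TLS layer copies it is not visible in this series, so the safe contract to document is that the array must outlive the client. The comment should also state what the field does to the connection — as far as the series title and the transport call show, a non-NULL list restricts the suites offered to the broker, so a caller who lists only legacy suites weakens every session without any further signal — and that, per the second patch, the field is honoured only on ESP-IDF 5.5 or newer while setting it on older versions makes SSL transport setup fail. Suggested text: `Pointer to a zero-terminated array of IANA identifiers of TLS cipher suites. When non-NULL, the TLS connection to the broker is restricted to these suites, so list only suites you consider acceptable. The array is neither copied nor freed by the client and must remain valid for the lifetime of the client. Requires ESP-IDF 5.5 or newer; on older versions a non-NULL list makes the SSL transport setup fail.`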
@@ -158,6 +158,12 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle goto esp_mqtt_set_transport_failed); } + + if(cfg->ciphersuites_list) + { + esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list); + } + if (cfg->psk_hint_key) { #if defined(MQTT_SUPPORTED_FEATURE_PSK_AUTHENTICATION) && MQTT_ENABLE_SSL #ifdef CONFIG_ESP_TLS_PSK_VERIFICATION @@ -578,6 +584,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl client->config->cacert_bytes = config->broker.verification.certificate_len; client->config->psk_hint_key = config->broker.verification.psk_hint_key; client->config->crt_bundle_attach = config->broker.verification.crt_bundle_attach; + client->config->ciphersuites_list = config->broker.verification.ciphersuites_list; client->config->clientcert_buf = config->credentials.authentication.certificate; client->config->clientcert_bytes = config->credentials.authentication.certificate_len; client->config->clientkey_buf = config->credentials.authentication.key; From 56799069af7306d8ce6ba35098ee81e53ec74e80 Mon Sep 17 00:00:00 2001 From: glmfe Date: Wed, 21 May 2025 10:05:24 +0200 Subject: [PATCH 2/2] Enables cypher suite configurations on IDF => 5.5 Merges https://github.com/espressif/esp-mqtt/pull/298 --- include/mqtt_supported_features.h | 4 ++++ mqtt_client.c | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/include/mqtt_supported_features.h b/include/mqtt_supported_features.h index b9e7c2d..6036e5f 100644 --- a/include/mqtt_supported_features.h +++ b/include/mqtt_supported_features.h @@ -74,6 +74,10 @@ #define MQTT_SUPPORTED_FEATURE_ECDSA_PERIPHERAL #endif +#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 5, 0) +// Features supported in 5.5.0 +#define MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST +#endif #endif /* ESP_IDF_VERSION */ #endif // _MQTT_SUPPORTED_FEATURES_H_ diff --git a/mqtt_client.c b/mqtt_client.c index c87ee74..5c4ba76 100644 --- a/mqtt_client.c 
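Review bot: The added block in `esp_mqtt_set_ssl_transport_properties` is formatted unlike the rest of the function: `if(cfg->ciphersuites_list)` has no space after `if` and puts its brace on its own line, and `esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list)` has no space after the comma, while the neighbouring `if (cfg->psk_hint_key) {` follows the file's K&R layout. The second patch in this series reworks the block but, as far as the collapsed hunk shows, leaves these lines as they are, so the same fix applies there: `if (cfg->ciphersuites_list) {` and `esp_transport_ssl_set_ciphersuites_list(ssl, cfg->ciphersuites_list);`. The enclosing function starts before this hunk and continues past it.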
+++ b/mqtt_client.c @@ -158,10 +158,14 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle goto esp_mqtt_set_transport_failed); } - if(cfg->ciphersuites_list) { +#if defined(MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST) esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list); +#else + ESP_LOGE(TAG, "Cipher suites list feature is not available in IDF version %s", IDF_VER); + goto esp_mqtt_set_transport_failed; +#endif /* MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST */ } if (cfg->psk_hint_key) {
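Review bot: An empty list — one whose first element is the 0 terminator the header documents — passes the `if(cfg->ciphersuites_list)` check and is handed to the transport as-is; what the TLS layer does when no suite is permitted is not visible here, but it is presumably a handshake failure that is far harder to diagnose than the explicit error path this hunk adds for older IDF. A guard at the top of the new `#if defined(MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST)` branch, `if (cfg->ciphersuites_list[0] == 0) { ESP_LOGE(TAG, "Cipher suites list is empty"); goto esp_mqtt_set_transport_failed; }`, would fail fast at configuration time the way the `#else` path already does. The enclosing `esp_mqtt_set_ssl_transport_properties` starts before this hunk and continues after it.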