Merge branch 'contrib/github_pr_298' into 'master'

feat(mqtt): enable custom TLS cipher suites for MQTTs

Closes IDFGH-15198

See merge request espressif/esp-mqtt!241

include/mqtt_client.h

@@ -274,6 +274,8 @@ typedef struct esp_mqtt_client_config_t {
                                                                If NULL, server certificate CN must match hostname.
                                                                This is ignored if skip_cert_common_name_check=true.
                                                   It's not copied nor freed by the client, user needs to clean up.*/
+            const int *ciphersuites_list;    /*!< Pointer to a zero-terminated array of IANA identifiers of TLS cipher suites. 
+                                              Please ensure the validity of the list, and note that it is not copied or freed by the client. */
         } verification; /*!< Security verification of the broker */
     } broker; /*!< Broker address and security verification */
     /**

include/mqtt_supported_features.h

@@ -74,6 +74,10 @@
 #define MQTT_SUPPORTED_FEATURE_ECDSA_PERIPHERAL
 #endif
 
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 5, 0)
+// Features supported in 5.5.0
+#define MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST
+#endif
 
 #endif /* ESP_IDF_VERSION */
 #endif // _MQTT_SUPPORTED_FEATURES_H_

lib/include/mqtt_client_priv.h

@@ -85,6 +85,7 @@ typedef struct {
     int clientkey_password_len;
     bool use_global_ca_store;
     esp_err_t ((*crt_bundle_attach)(void *conf));
+    const int *ciphersuites_list;
     const char *cacert_buf;
     size_t cacert_bytes;
     const char *clientcert_buf;

mqtt_client.c

@@ -158,6 +158,16 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
                      goto esp_mqtt_set_transport_failed);
 
     }
+    if(cfg->ciphersuites_list)
+    {
+#if defined(MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST)
+        esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list);
+#else
+        ESP_LOGE(TAG, "Cipher suites list feature is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif /* MQTT_SUPPORTED_FEATURE_CIPHERSUITES_LIST */
+    }
+
     if (cfg->psk_hint_key) {
 #if defined(MQTT_SUPPORTED_FEATURE_PSK_AUTHENTICATION) && MQTT_ENABLE_SSL
 #ifdef CONFIG_ESP_TLS_PSK_VERIFICATION
@@ -578,6 +588,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     client->config->cacert_bytes = config->broker.verification.certificate_len;
     client->config->psk_hint_key = config->broker.verification.psk_hint_key;
     client->config->crt_bundle_attach = config->broker.verification.crt_bundle_attach;
+    client->config->ciphersuites_list = config->broker.verification.ciphersuites_list;
     client->config->clientcert_buf = config->credentials.authentication.certificate;
     client->config->clientcert_bytes = config->credentials.authentication.certificate_len;
     client->config->clientkey_buf = config->credentials.authentication.key;