Merge branch 'cfg-common-name' into 'master'

PR: Added support to set server common name. See merge request espressif/esp-mqtt!173
2025-07-29 18:28:24 +02:00 · 2023-06-08 15:08:22 +08:00
parent ffd7d4df6c 6195762d28
commit a89af4bf8d
4 changed files with 21 additions and 0 deletions
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@ -260,6 +260,10 @@ typedef struct esp_mqtt_client_config_t {
            bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field, this reduces the
                                      security of TLS and makes the *MQTT* client susceptible to MITM attacks  */
            const char **alpn_protos;        /*!< NULL-terminated list of supported application protocols to be used for ALPN */
+			const char *common_name;         /*!< Pointer to the string containing server certificate common name.
+                                                               If non-NULL, server certificate CN must match this name,
+                                                               If NULL, server certificate CN must match hostname.
+                                                               This is ignored if skip_cert_common_name_check=true. */
        } verification; /*!< Security verification of the broker */
    } broker; /*!< Broker address and security verification */
    /**
--- a/include/mqtt_supported_features.h
+++ b/include/mqtt_supported_features.h
@ -64,5 +64,11 @@
 #define MQTT_SUPPORTED_FEATURE_CERTIFICATE_BUNDLE
 #endif

+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 1, 0)
+// Features supported in 5.1.0
+#define MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME
+#endif
+
+
 #endif /* ESP_IDF_VERSION */
 #endif // _MQTT_SUPPORTED_FEATURES_H_
--- a/lib/include/mqtt_client_priv.h
+++ b/lib/include/mqtt_client_priv.h
@ -88,6 +88,7 @@ typedef struct {
    size_t clientkey_bytes;
    const struct psk_key_hint *psk_hint_key;
    bool skip_cert_common_name_check;
+    const char *common_name;
    bool use_secure_element;
    void *ds_data;
    int message_retransmit_timeout;
--- a/mqtt_client.c
+++ b/mqtt_client.c
@ -181,6 +181,15 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
 #endif
    }

+    if (cfg->common_name) {
+#if defined(MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME) && MQTT_ENABLE_SSL
+        esp_transport_ssl_set_common_name(ssl, cfg->common_name);
+#else
+        ESP_LOGE(TAG, "Setting expected certificate common name is not available in IDF version %s", IDF_VER);
+        goto esp_mqtt_set_transport_failed;
+#endif
+    }
+
    if (cfg->use_secure_element) {
 #ifdef MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
@ -509,6 +518,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
    client->config->clientkey_buf = config->credentials.authentication.key;
    client->config->clientkey_bytes = config->credentials.authentication.key_len;
    client->config->skip_cert_common_name_check = config->broker.verification.skip_cert_common_name_check;
+    client->config->common_name = config->broker.verification.common_name;
    client->config->use_secure_element = config->credentials.authentication.use_secure_element;
    client->config->ds_data = config->credentials.authentication.ds_data;