From 0291bee0ffa292711698a16cd5b38a6e0a71266d Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Wed, 26 Mar 2025 18:07:14 +0800 Subject: [PATCH 1/2] feat(mbedtls): update to version 3.6.3 --- components/esp-tls/esp_tls_mbedtls.c | 2 ++ components/mbedtls/mbedtls | 2 +- docs/en/api-reference/protocols/mbedtls.rst | 2 +- docs/zh_CN/api-reference/protocols/mbedtls.rst | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index bf6c530d16..b5af9312f4 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -726,6 +726,8 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED; } free(use_host); + } else { + mbedtls_ssl_set_hostname(&tls->ssl, NULL); } if ((ret = mbedtls_ssl_config_defaults(&tls->conf, diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls index 98fcfd6d2c..601990b1d8 160000 --- a/components/mbedtls/mbedtls +++ b/components/mbedtls/mbedtls @@ -1 +1 @@ -Subproject commit 98fcfd6d2cea90d306e8fde8e5bffd6087c9cda8 +Subproject commit 601990b1d81510a135da9bb0476d6ed3cb8c011b diff --git a/docs/en/api-reference/protocols/mbedtls.rst b/docs/en/api-reference/protocols/mbedtls.rst index b02fd595d7..eded7b3053 100644 --- a/docs/en/api-reference/protocols/mbedtls.rst +++ b/docs/en/api-reference/protocols/mbedtls.rst @@ -118,5 +118,5 @@ Reducing Binary Size Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size ` docs. -.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.2/ +.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/ .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/ diff --git a/docs/zh_CN/api-reference/protocols/mbedtls.rst b/docs/zh_CN/api-reference/protocols/mbedtls.rst index f109476f86..88a7a87fb5 100644 --- a/docs/zh_CN/api-reference/protocols/mbedtls.rst +++ b/docs/zh_CN/api-reference/protocols/mbedtls.rst @@ -118,5 +118,5 @@ ESP-IDF 中的示例使用 :doc:`/api-reference/protocols/esp_tls`,为访问 在 ``Component Config -> mbedTLS`` 中,有多个 Mbed TLS 功能默认为启用状态。如果不需要这些功能,可将其禁用以减小固件大小。要了解更多信息,请参考 :ref:`Minimizing Binary Size ` 文档。 -.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.2/ +.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/ .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/ From b126ebb596448d01c9e44d527a9442931b7c0640 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Fri, 28 Mar 2025 15:46:48 +0800 Subject: [PATCH 2/2] feat(mbedtls): new config to allow weak cert verification --- components/mbedtls/Kconfig | 7 +++++++ .../mbedtls/port/include/mbedtls/esp_config.h | 15 +++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index f693c67eee..ab633bff38 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -1273,4 +1273,11 @@ menu "mbedTLS" which is added through vfs component for ESP32 based targets or by the host system when the target is Linux. + config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION + bool "Allow weak certificate verification" + default n + help + This options allows weak certificate verification by skipping the hostname verification. + It is not recommended to use this option. + endmenu # mbedTLS diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 93e8e81eef..c5707dd6f3 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -2117,6 +2117,21 @@ #undef MBEDTLS_ERROR_C #endif +/** + * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME + * + * Caller: library/ssl_tls.c + * + * Allow weak certificate verification without a hostname. + * This option is not recommended for production use. + */ + +#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION +#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME +#else +#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME +#endif + /** * \def MBEDTLS_GCM_C *