Merge branch 'feat/update_mbedtls_3.6.3_v5.0' into 'release/v5.0'

feat(component/mbedtls): update to upstream v3.6.3 (v5.0) See merge request espressif/esp-idf!38183
2025-04-10 10:34:35 +08:00
parent a8e0e0b1f7 905f73a4ab
commit 34240b11c6
5 changed files with 26 additions and 1 deletions
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -666,6 +666,8 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
            return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED;
        }
        free(use_host);
+    } else {
+        mbedtls_ssl_set_hostname(&tls->ssl, NULL);
    }

    if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -1084,4 +1084,11 @@ menu "mbedTLS"
            the flash footprint and hence care must be taken to keep some reserved space
            for the application binary in flash layout.

+    config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+        bool "Allow weak certificate verification"
+        default n
+        help
+            This options allows weak certificate verification by skipping the hostname verification.
+            It is not recommended to use this option.
+
 endmenu  # mbedTLS
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -2073,6 +2073,21 @@
 */
 #define MBEDTLS_ERROR_C

+/**
+ * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *
+ * Caller: library/ssl_tls.c
+ *
+ * Allow weak certificate verification without a hostname.
+ * This option is not recommended for production use.
+ */
+
+#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#else
+#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#endif
+
 /**
 * \def MBEDTLS_GCM_C
 *
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -94,3 +94,4 @@ Reducing Binary Size
 ^^^^^^^^^^^^^^^^^^^^

 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` docs.
+