From a0959fd1bc2251f4c23642f3b1733294d96ad152 Mon Sep 17 00:00:00 2001 From: 0xFEEDC0DE64 Date: Tue, 23 Sep 2025 17:07:05 +0200 Subject: [PATCH] Allow the https server to request client certs only with OPTIONAL --- components/esp-tls/esp_tls.h | 3 +++ components/esp-tls/esp_tls_mbedtls.c | 3 ++- components/esp_https_server/include/esp_https_server.h | 3 +++ components/esp_https_server/src/https_server.c | 1 + 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index 7fb76370bb..4c1f2a31e3 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@@ -271,6 +271,9 @@ typedef struct esp_tls_cfg_server {
 unsigned int cacert_pem_bytes; /*!< Size of client CA certificate legacy name */
 };
+ bool cacert_authmode_optional; /*!< Enable this option to set the authmode to OPTIONAL (only useful when cacert is set) */
+
 union {
 const unsigned char *servercert_buf; /*!< Server certificate in a buffer This buffer should be NULL terminated */
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 7bdc45b9f9..5584ea5501 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -681,7 +681,8 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 if (esp_ret != ESP_OK) {
 return esp_ret;
 }
- mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+ if (cfg->cacert_authmode_optional)
+ mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 } else {
 #ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
 mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h
index 6f4e59f1b2..36e7f34f5e 100644
--- a/components/esp_https_server/include/esp_https_server.h
+++ b/components/esp_https_server/include/esp_https_server.h
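Review bot: The new field's comment says which mbedTLS authmode the flag selects but not what that mode gives up: with MBEDTLS_SSL_VERIFY_OPTIONAL the handshake completes even when the client presents no certificate or one that does not chain to cacert, so an application enabling this flag must inspect the peer's verification result itself (e.g. `mbedtls_ssl_get_verify_result()` on the session) before treating the connection as client-authenticated, otherwise "optional" silently becomes no client authentication at all. I would extend the comment to `/*!< Request a client certificate but let the handshake succeed if none is presented or it fails verification (MBEDTLS_SSL_VERIFY_OPTIONAL); only meaningful when cacert is set, and the caller must then check the peer certificate / verify result itself */`. The enclosing esp_tls_cfg_server struct starts and ends outside this hunk.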
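Review bot: A caller that configures a CA certificate but leaves the new flag false now gets whatever authmode the CA-cert setup above this hunk left in place rather than the unconditional OPTIONAL the removed line applied (not visible here, but if that is REQUIRED, clients that used to connect without a certificate will now fail the handshake). That is a behaviour change for every existing cacert user and should be stated in the commit message, or the default chosen so existing configurations keep working; it is also the reason the flag's default value deserves a test. Separately, the added `if` has no braces while the surrounding code braces single-statement bodies (`if (esp_ret != ESP_OK) {`); write `if (cfg->cacert_authmode_optional) {` / `    mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);` / `}`. set_server_config() begins and ends outside this hunk.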
@@ -91,6 +91,9 @@ struct httpd_ssl_config {
 /** CA certificate byte length */
 size_t cacert_len;
+ /** CA certificate verification optional */
+ bool cacert_authmode_optional;
+
 /** Private key */
 const uint8_t *prvtkey_pem;
diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c
index b3d22e5346..4ba6e9fcba 100644
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@@ -278,6 +278,7 @@ static esp_err_t create_secure_context(const struct httpd_ssl_config *config, ht
 cfg->userdata = config->ssl_userdata;
 cfg->alpn_protos = config->alpn_protos;
 cfg->tls_handshake_timeout_ms = config->tls_handshake_timeout_ms;
+ cfg->cacert_authmode_optional = config->cacert_authmode_optional;
 #if defined(CONFIG_ESP_HTTPS_SERVER_CERT_SELECT_HOOK)
 cfg->cert_select_cb = config->cert_select_cb;
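Review bot: `/** CA certificate verification optional */` does not tell a handler author that the TLS handshake will succeed for a client that presents no certificate or an unverifiable one, which is exactly what they need to know before relying on client authentication in a request handler. I would write `/** Request a client certificate but allow the handshake to succeed without a valid one (mbedTLS VERIFY_OPTIONAL); only meaningful when a CA certificate is configured, and handlers must then verify the peer certificate themselves */`. Inserting a field in the middle of httpd_ssl_config is also only safe if HTTPD_SSL_CONFIG_DEFAULT() initialises by designator rather than position — that macro is not touched by this patch, so worth confirming. struct httpd_ssl_config begins and ends outside this hunk.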