Allow the https server to request client certs only with OPTIONAL

components/esp-tls/esp_tls.h

@@ -271,6 +271,9 @@ typedef struct esp_tls_cfg_server {
     unsigned int cacert_pem_bytes;          /*!< Size of client CA certificate legacy name */
     };
 
+    bool cacert_authmode_optional;          /*!< Enable this option to set the authmode
+                                                 to OPTIONAL (only useful when cacert is set) */
+
     union {
     const unsigned char *servercert_buf;        /*!< Server certificate in a buffer
                                                      This buffer should be NULL terminated */

components/esp-tls/esp_tls_mbedtls.c

@@ -681,7 +681,8 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
         if (esp_ret != ESP_OK) {
             return esp_ret;
         }
-        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+        if (cfg->cacert_authmode_optional)
+            mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
     } else {
 #ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);

components/esp_https_server/include/esp_https_server.h

@@ -91,6 +91,9 @@ struct httpd_ssl_config {
     /** CA certificate byte length */
     size_t cacert_len;
 
+    /** CA certificate verification optional */
+    bool cacert_authmode_optional;
+
     /** Private key */
     const uint8_t *prvtkey_pem;
 

components/esp_https_server/src/https_server.c

@@ -278,6 +278,7 @@ static esp_err_t create_secure_context(const struct httpd_ssl_config *config, ht
     cfg->userdata = config->ssl_userdata;
     cfg->alpn_protos = config->alpn_protos;
     cfg->tls_handshake_timeout_ms = config->tls_handshake_timeout_ms;
+    cfg->cacert_authmode_optional = config->cacert_authmode_optional;
 
 #if defined(CONFIG_ESP_HTTPS_SERVER_CERT_SELECT_HOOK)
     cfg->cert_select_cb = config->cert_select_cb;