From ea3bb21cf7ff1c9764b55fce4cbb9d0febbcd1a2 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Fri, 11 Aug 2023 17:24:30 +0530
Subject: [PATCH] fix(esp-tls): fix the certificate check failure logging for cert bundle case

For ESP certificate bundle case, the certificate failure error from underlying TLS stack was not being tracked. Added the fix and also updated example code showcasing how to retrieve it.

Closes https://github.com/espressif/esp-idf/issues/12034
---
 components/esp-tls/esp_tls_mbedtls.c | 2 +-
 components/esp-tls/esp_tls_wolfssl.c | 2 +-
 .../https_request/main/https_request_example_main.c | 10 +++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 9168012f45..360f452ac6 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -212,7 +212,7 @@ int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
         mbedtls_print_error_msg(ret);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED);
-        if (cfg->cacert_buf != NULL || cfg->use_global_ca_store == true) {
+        if (cfg->crt_bundle_attach != NULL || cfg->cacert_buf != NULL || cfg->use_global_ca_store == true) {
             /* This is to check whether handshake failed due to invalid certificate*/
             esp_mbedtls_verify_certificate(tls);
         }
diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c
index 05c017003c..9c4f1771a9 100644
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
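Review bot: The guard now repeats the same three-term CA-source test here and, in the next hunk, in esp_tls_wolfssl.c, and still spells the last term as `cfg->use_global_ca_store == true`; a small helper in a shared private header, e.g. `static inline bool esp_tls_cfg_has_ca_source(const esp_tls_cfg_t *cfg)` returning `cfg->crt_bundle_attach != NULL || cfg->cacert_buf != NULL || cfg->use_global_ca_store`, would keep the two backends from drifting apart again the way they did before this fix. The comment above the verify call could also say what the caller gains: `/* Record the verify-result flags in tls->error_handle so callers can tell a certificate failure from other handshake errors */`. esp_mbedtls_handshake begins before the hunk and continues after it.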
@@ -394,7 +394,7 @@ int esp_wolfssl_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
         wolfssl_print_error_msg(err);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_WOLFSSL, err);
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED);
-        if (cfg->cacert_buf != NULL || cfg->use_global_ca_store == true) {
+        if (cfg->crt_bundle_attach != NULL || cfg->cacert_buf != NULL || cfg->use_global_ca_store == true) {
             /* This is to check whether handshake failed due to invalid certificate*/
             esp_wolfssl_verify_certificate(tls);
         }
diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c
index 81e96bdf7f..9b2981c3d2 100644
--- a/examples/protocols/https_request/main/https_request_example_main.c
+++ b/examples/protocols/https_request/main/https_request_example_main.c
@@ -10,7 +10,7 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  *
- * SPDX-FileContributor: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileContributor: 2015-2023 Espressif Systems (Shanghai) CO LTD
  */
 #include
@@ -106,6 +106,14 @@ static void https_get_request(esp_tls_cfg_t cfg, const char *WEB_SERVER_URL, con
         ESP_LOGI(TAG, "Connection established...");
     } else {
         ESP_LOGE(TAG, "Connection failed...");
+        int esp_tls_code = 0, esp_tls_flags = 0;
+        esp_tls_error_handle_t tls_e = NULL;
+        esp_tls_get_error_handle(tls, &tls_e);
+        /* Try to get TLS stack level error and certificate failure flags, if any */
+        ret = esp_tls_get_and_clear_last_error(tls_e, &esp_tls_code, &esp_tls_flags);
+        if (ret == ESP_OK) {
+            ESP_LOGE(TAG, "TLS error = -0x%x, TLS flags = -0x%x", esp_tls_code, esp_tls_flags);
+        }
         goto cleanup;
     }
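Review bot: The new `cfg->crt_bundle_attach != NULL` term is mirrored from the mbedtls backend, but nothing in this hunk shows that the wolfSSL backend honours a certificate bundle at all; if its client-config setup rejects `crt_bundle_attach` (as I believe it does), the term can never be true by the time the handshake runs and the change is purely cosmetic here. A one-line comment stating whether bundle support applies to wolfSSL, or leaving the term out of this backend, would avoid suggesting behaviour that does not exist. esp_wolfssl_handshake begins before the hunk and continues after it.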
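Review bot: The return value of `esp_tls_get_error_handle(tls, &tls_e)` is dropped, so on failure `tls_e` stays NULL and is handed straight to `esp_tls_get_and_clear_last_error`; wrap the retrieval and the log in `if (esp_tls_get_error_handle(tls, &tls_e) == ESP_OK) {` so the example demonstrates the checked form. The format string prints both values as `-0x%x`, which suits the TLS code (the mbedtls hunk stores `-ret`, the negated mbedtls error) but the certificate flags are presumably the positive verify-result bitmask, so the leading minus on the second specifier prints a misleading value; `TLS flags = 0x%x` reads correctly. `ret` is also overwritten on the failure path right before `goto cleanup`, so if cleanup inspects it the original connection failure is no longer distinguishable from the error-retrieval result. https_get_request continues outside the hunk.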