
https_server: Add config option to min. cert. auth mode
- Added a config option to set the minimum Certificate Verification
mode to Optional
- When this option is enabled, the peer (the client) certificate
is checked by the server; however, the handshake continues even if
verification fails.
- By default, the peer certificate is not checked and ignored by the server.

Closes https://github.com/espressif/esp-idf/issues/8664

Laukik Hase 3 жил өмнө
parent
commit
d7090b4d52

+ 17 - 12
components/esp-tls/Kconfig

@@ -19,7 +19,6 @@ menu "ESP-TLS"
         select ATCA_MBEDTLS_ECDSA
         select ATCA_MBEDTLS_ECDSA_SIGN
         select ATCA_MBEDTLS_ECDSA_VERIFY
-        default n
         help
             Enable use of Secure Element for ESP-TLS, this enables internal support for
             ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
@@ -33,24 +32,21 @@ menu "ESP-TLS"
             can only be used when it is appropriately configured for TLS.
             Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
 
-    config ESP_TLS_SERVER
-        bool "Enable ESP-TLS Server"
-        default n
-        help
-            Enable support for creating server side SSL/TLS session, available for mbedTLS
-            as well as wolfSSL TLS library.
-
     config ESP_TLS_CLIENT_SESSION_TICKETS
         bool "Enable client session tickets"
         depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
-        default n
         help
             Enable session ticket support as specified in RFC5077.
 
+    config ESP_TLS_SERVER
+        bool "Enable ESP-TLS Server"
+        help
+            Enable support for creating server side SSL/TLS session, available for mbedTLS
+            as well as wolfSSL TLS library.
+
     config ESP_TLS_SERVER_SESSION_TICKETS
         bool "Enable server session tickets"
         depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
-        default n
         help
             Enable session ticket support as specified in RFC5077
 
@@ -61,6 +57,17 @@ menu "ESP-TLS"
         help
             Sets the session ticket timeout used in the tls server.
 
+    config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
+        bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
+        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
+        help
+            When this option is enabled, the peer (here, the client) certificate is checked by the server,
+            however the handshake continues even if verification failed. By default, the
+            peer certificate is not checked and ignored by the server.
+
+            mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
+            retrieve status of verification.
+
     config ESP_TLS_PSK_VERIFICATION
         bool "Enable PSK verification"
         select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
@@ -68,7 +75,6 @@ menu "ESP-TLS"
         select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
         select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
         select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
-        default n
         help
             Enable support for pre shared key ciphers, supported for both mbedTLS as well as
             wolfSSL TLS library.
@@ -104,7 +110,6 @@ menu "ESP-TLS"
     config ESP_DEBUG_WOLFSSL
         bool "Enable debug logs for wolfSSL"
         depends on ESP_TLS_USING_WOLFSSL
-        default n
         help
             Enable detailed debug prints for wolfSSL SSL library.
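Review bot: The help text of ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL (hunk @@ -61,6 +57,17 @@) says mbedtls_ssl_get_verify_result() "can be called", which undersells the point: in Optional mode a client whose certificate is missing or fails verification still completes the handshake, so any code that acts on the peer certificate has to check that result first. I would reword the last paragraph to `mbedtls_ssl_get_verify_result() must be called after the handshake to learn whether the client certificate verified; this option by itself does not authenticate the client.` The option is described as the "minimum" mode, but nothing on the page says which configuration selects a stricter one (presumably a CA certificate in esp_tls_cfg_server_t); one sentence pointing there would save the reader a trip into esp_tls_mbedtls.c. The symbol has no default line, which under the convention this commit applies means it defaults to n.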
 

+ 4 - 0
components/esp-tls/esp_tls_mbedtls.c

@@ -509,7 +509,11 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
             return esp_ret;
         }
     } else {
+#ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+#else
+        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
+#endif
     }
 
     if (cfg->use_secure_element) {
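Review bot: The `#else` branch changes the server's behaviour when the option is off from VERIFY_OPTIONAL to VERIFY_NONE, and nothing at the call site records why; a reader finding VERIFY_NONE here will not know that users of the user callback lose the peer certificate, which the example's NOTE in main.c is the only place to document. I would add above the `#ifdef` a comment such as `/* VERIFY_OPTIONAL asks the client for a certificate and records the outcome for mbedtls_ssl_get_verify_result(); VERIFY_NONE does not. Neither mode aborts the handshake on a missing or failed client certificate. */`. The `if` condition this `else` belongs to is outside the hunk, so whether the other branch configures VERIFY_REQUIRED cannot be confirmed from here; set_server_config continues past the hunk.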

+ 1 - 0
examples/protocols/https_server/simple/main/Kconfig.projbuild

@@ -2,6 +2,7 @@ menu "Example Configuration"
 
     config EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
         bool "Enable user callback with HTTPS Server"
+        select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         help
             Enable user callback for esp_https_server which can be used to get SSL context (connection information)
             E.g. Certificate of the connected client
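Review bot: `select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL` forces the symbol on regardless of its `depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS` guard, because Kconfig select does not honour the selected symbol's dependencies; building this example with wolfSSL would set the option with an unmet dependency and a configuration warning. Conditioning the select on the same guard, `select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL if ESP_TLS_USING_MBEDTLS`, avoids that, and a `depends on` would instead make visible to the user why the callback cannot read the client certificate on other TLS stacks.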

+ 16 - 4
examples/protocols/https_server/simple/main/main.c

@@ -41,12 +41,20 @@ static esp_err_t root_get_handler(httpd_req_t *req)
  * whenever a new SSL connection is created
  *
  * Can also be used to other information like Socket FD, Connection state, etc.
+ *
+ * NOTE: This callback will not be able to obtain the client certificate if the
+ * following config `Set minimum Certificate Verification mode to Optional` is
+ * not enabled (enabled by default in this example).
+ *
+ * The config option is found here - Component config → ESP-TLS
+ *
  */
 void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
 {
     ESP_LOGI(TAG, "Session Created!");
-    const mbedtls_x509_crt *cert;
+    ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
 
+    const mbedtls_x509_crt *cert;
     const size_t buf_size = 1024;
     char *buf = calloc(buf_size, sizeof(char));
     if (buf == NULL) {
@@ -54,9 +62,13 @@ void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
         return;
     }
 
+    mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", &user_cb->tls->servercert);
+    ESP_LOGI(TAG, "Server certificate info:\n%s", buf);
+    memset(buf, 0x00, buf_size);
+
     cert = mbedtls_ssl_get_peer_cert(&user_cb->tls->ssl);
     if (cert != NULL) {
-        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "      ", cert);
+        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", cert);
         ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);
     } else {
         ESP_LOGW(TAG, "Could not obtain the peer certificate!");
@@ -91,9 +103,9 @@ static httpd_handle_t start_webserver(void)
     conf.prvtkey_pem = prvtkey_pem_start;
     conf.prvtkey_len = prvtkey_pem_end - prvtkey_pem_start;
 
-    #if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
+#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
     conf.user_cb = https_server_user_callback;
-    #endif
+#endif
     esp_err_t ret = httpd_ssl_start(&server, &conf);
     if (ESP_OK != ret) {
         ESP_LOGI(TAG, "Error starting server!");
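Review bot: The callback logs whatever `mbedtls_ssl_get_peer_cert()` returns (hunk @@ -54,9 +62,13 @@) without consulting `mbedtls_ssl_get_verify_result()`, although the Kconfig help added in this commit names that call as the way to learn the verification status; with the Optional mode this example selects, a certificate that failed verification is printed under the same "Peer certificate info" heading as a valid one. Since users copy this example, add the check next to the peer-cert lookup, e.g. `uint32_t flags = mbedtls_ssl_get_verify_result(&user_cb->tls->ssl);` followed by `if (flags != 0) { ESP_LOGW(TAG, "Client certificate did not verify (flags 0x%08x)", (unsigned) flags); }`. The new `mbedtls_x509_crt_info()` call for the server certificate also ignores its return value, which is negative on error, so a failure would log a truncated or empty buffer as if it were the certificate. https_server_user_callback starts and ends outside this hunk.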