Merge branch 'feature/mbedtls_cipher_config' into 'master'

mbedtls: Add compile-time configuration, better default configuration



See merge request !1118

components/mbedtls/Kconfig

@@ -15,7 +15,7 @@ config MBEDTLS_SSL_MAX_CONTENT_LEN
         Fragment Length Negotiation Extension (max_fragment_length,
         see RFC6066) or you know for certain that it will never send a
         message longer than a certain number of bytes.
-        
+
         If the value is set too low, symptoms are a failed TLS
         handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD
         (-0x7200).
@@ -102,4 +102,426 @@ config MBEDTLS_HAVE_TIME_DATE
 
        It is suggested that you should get the real time by "SNTP".
 
-endmenu
+choice MBEDTLS_TLS_MODE
+    bool "TLS Protocol Role"
+    default MBEDTLS_TLS_SERVER_AND_CLIENT
+    help
+        mbedTLS can be compiled with protocol support for the TLS
+        server, TLS client, or both server and client.
+
+        Reducing the number of TLS roles supported saves code size.
+
+config MBEDTLS_TLS_SERVER_AND_CLIENT
+    bool "Server & Client"
+    select MBEDTLS_TLS_SERVER
+    select MBEDTLS_TLS_CLIENT
+config MBEDTLS_TLS_SERVER_ONLY
+    bool "Server"
+    select MBEDTLS_TLS_SERVER
+config MBEDTLS_TLS_CLIENT_ONLY
+    bool "Client"
+    select MBEDTLS_TLS_CLIENT
+config MBEDTLS_TLS_DISABLED
+    bool "None"
+
+endchoice
+
+config MBEDTLS_TLS_SERVER
+    bool
+    select MBEDTLS_TLS_ENABLED
+config MBEDTLS_TLS_CLIENT
+    bool
+    select MBEDTLS_TLS_ENABLED
+config MBEDTLS_TLS_ENABLED
+    bool
+
+menu "TLS Key Exchange Methods"
+   depends on MBEDTLS_TLS_ENABLED
+
+config MBEDTLS_PSK_MODES
+   bool "Enable pre-shared-key ciphersuites"
+   default n
+   help
+       Enable to show configuration for different types of pre-shared-key TLS authentatication methods.
+
+       Leaving this options disabled will save code size if they are not used.
+
+config MBEDTLS_KEY_EXCHANGE_PSK
+   bool "Enable PSK based ciphersuite modes"
+   depends on MBEDTLS_PSK_MODES
+   default n
+   help
+       Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes.
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK
+   bool "Enable DHE-PSK based ciphersuite modes"
+   depends on MBEDTLS_PSK_MODES
+   default y
+   help
+       Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK
+   bool "Enable DHE-PSK based ciphersuite modes"
+   depends on MBEDTLS_PSK_MODES
+   default y
+   help
+       Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+   bool "Enable ECDHE-PSK based ciphersuite modes"
+   depends on MBEDTLS_PSK_MODES
+   default y
+   help
+       Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_RSA_PSK
+   bool "Enable RSA-PSK based ciphersuite modes"
+   depends on MBEDTLS_PSK_MODES
+   default y
+   help
+       Enable to support RSA PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_RSA
+   bool "Enable RSA-only based ciphersuite modes"
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_DHE_RSA
+   bool "Enable DHE-RSA based ciphersuite modes"
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   bool "Support Elliptic Curve based ciphersuites"
+   depends on MBEDTLS_ECP_C
+   default y
+   help
+       Enable to show Elliptic Curve based ciphersuite mode options.
+
+       Disabling all Elliptic Curve ciphersuites saves code size and
+       can give slightly faster TLS handshakes, provided the server supports
+       RSA-only ciphersuite modes.
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+   bool "Enable ECDHE-RSA based ciphersuite modes"
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+   bool "Enable ECDHE-ECDSA based ciphersuite modes"
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+   bool "Enable ECDHE-ECDSA based ciphersuite modes"
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+   bool "Enable ECDH-ECDSA based ciphersuite modes"
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+   bool "Enable ECDH-RSA based ciphersuite modes"
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
+   default y
+   help
+       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+endmenu # TLS key exchange modes
+
+config MBEDTLS_SSL_RENEGOTIATION
+   bool "Support TLS renegotiation"
+   depends on MBEDTLS_TLS_ENABLED
+   default y
+   help
+       The two main uses of renegotiation are (1) refresh keys on long-lived
+       connections and (2) client authentication after the initial handshake.
+       If you don't need renegotiation, disabling it will save code size and
+       reduce the possibility of abuse/vulnerability.
+
+config MBEDTLS_SSL_PROTO_SSL3
+   bool "Legacy SSL 3.0 support"
+   depends on MBEDTLS_TLS_ENABLED
+   default n
+   help
+       Support the legacy SSL 3.0 protocol. Most servers will speak a newer
+       TLS protocol these days.
+
+config MBEDTLS_SSL_PROTO_TLS1
+   bool "Support TLS 1.0 protocol"
+   depends on MBEDTLS_TLS_ENABLED
+   default y
+
+config MBEDTLS_SSL_PROTO_TLS1_1
+   bool "Support TLS 1.1 protocol"
+   depends on MBEDTLS_TLS_ENABLED
+   default y
+
+config MBEDTLS_SSL_PROTO_TLS1_2
+   bool "Support TLS 1.2 protocol"
+   depends on MBEDTLS_TLS_ENABLED
+   default y
+
+config MBEDTLS_SSL_PROTO_DTLS
+   bool "Support DTLS protocol (all versions)"
+   default n
+   depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2
+   help
+       Requires TLS 1.1 to be enabled for DTLS 1.0
+       Requires TLS 1.2 to be enabled for DTLS 1.2
+
+config MBEDTLS_SSL_ALPN
+   bool "Support ALPN (Application Layer Protocol Negotiation)"
+   depends on MBEDTLS_TLS_ENABLED
+   default y
+   help
+       Disabling this option will save some code size if it is not needed.
+
+config MBEDTLS_SSL_SESSION_TICKETS
+   bool "TLS: Support RFC 5077 SSL session tickets"
+   default y
+   depends on MBEDTLS_TLS_ENABLED
+   help
+       Support RFC 5077 session tickets. See mbedTLS documentation for more details.
+
+       Disabling this option will save some code size.
+
+menu "Symmetric Ciphers"
+
+config MBEDTLS_AES_C
+   bool "AES block cipher"
+   default y
+
+config MBEDTLS_CAMELLIA_C
+   bool "Camellia block cipher"
+   default n
+
+config MBEDTLS_DES_C
+   bool "DES block cipher (legacy, insecure)"
+   default n
+   help
+       Enables the DES block cipher to support 3DES-based TLS ciphersuites.
+
+       3DES is vulnerable to the Sweet32 attack and should only be enabled
+       if absolutely necessary.
+
+choice MBEDTLS_RC4_MODE
+    prompt "RC4 Stream Cipher (legacy, insecure)"
+    default MBEDTLS_RC4_DISABLED
+    help
+        ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not
+        added to default ciphersuites, or enabled completely.
+
+        Please consider the security implications before enabling RC4.
+
+config MBEDTLS_RC4_DISABLED
+    bool "Disabled"
+config MBEDTLS_RC4_ENABLED_NO_DEFAULT
+    bool "Enabled, not in default ciphersuites"
+config MBEDTLS_RC4_ENABLED
+    bool "Enabled"
+endchoice
+
+config MBEDTLS_BLOWFISH_C
+    bool "Blowfish block cipher (read help)"
+    default n
+    help
+        Enables the Blowfish block cipher (not used for TLS sessions.)
+
+        The Blowfish cipher is not used for mbedTLS TLS sessions but can be
+        used for other purposes. Read up on the limitations of Blowfish (including
+        Sweet32) before enabling.
+
+config MBEDTLS_XTEA_C
+    bool "XTEA block cipher"
+    default n
+    help
+        Enables the XTEA block cipher.
+
+
+config MBEDTLS_CCM_C
+    bool "CCM (Counter with CBC-MAC) block cipher modes"
+    default y
+    depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
+    help
+        Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers.
+
+        Disabling this option saves some code size.
+
+config MBEDTLS_GCM_C
+    bool "GCM (Galois/Counter) block cipher modes"
+    default y
+    depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
+    help
+        Enable Galois/Counter Mode for AES and/or Camellia ciphers.
+
+        This option is generally faster than CCM.
+
+endmenu # Symmetric Ciphers
+
+config MBEDTLS_RIPEMD160_C
+    bool "Enable RIPEMD-160 hash algorithm"
+    default n
+    help
+        Enable the RIPEMD-160 hash algorithm.
+
+menu "Certificates"
+
+config MBEDTLS_PEM_PARSE_C
+    bool "Read & Parse PEM formatted certificates"
+    default y
+    help
+        Enable decoding/parsing of PEM formatted certificates.
+
+        If your certificates are all in the simpler DER format, disabling
+        this option will save some code size.
+
+config MBEDTLS_PEM_WRITE_C
+    bool "Write PEM formatted certificates"
+    default y
+    help
+        Enable writing of PEM formatted certificates.
+
+        If writing certificate data only in DER format, disabling this
+        option will save some code size.
+
+config MBEDTLS_X509_CRL_PARSE_C
+    bool "X.509 CRL parsing"
+    default y
+    help
+        Support for parsing X.509 Certifificate Revocation Lists.
+
+config MBEDTLS_X509_CSR_PARSE_C
+    bool "X.509 CSR parsing"
+    default y
+    help
+        Support for parsing X.509 Certifificate Signing Requests
+
+endmenu # Certificates
+
+menuconfig MBEDTLS_ECP_C
+    bool  "Elliptic Curve Ciphers"
+    default y
+
+config MBEDTLS_ECDH_C
+    bool "Elliptic Curve Diffie-Hellman (ECDH)"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites.
+
+config MBEDTLS_ECDSA_C
+    bool "Elliptic Curve DSA"
+    depends on MBEDTLS_ECDH_C
+    default y
+    help
+        Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+    bool "Enable SECP192R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+    bool "Enable SECP224R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    bool "Enable SECP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+    bool "Enable SECP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP384R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+    bool "Enable SECP521R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP521R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+    bool "Enable SECP192K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+    bool "Enable SECP224K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+    bool "Enable SECP256K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+    bool "Enable BP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+    bool "Enable BP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+    bool "Enable BP512R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+    bool "Enable CURVE25519 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for CURVE25519 Elliptic Curve.
+
+config MBEDTLS_ECP_NIST_OPTIM
+    bool "NIST 'modulo p' optimisations"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        NIST 'modulo p' optimisations increase Elliptic Curve operation performance.
+
+        Disabling this option saves some code size.
+
+# end of Elliptic Curve options
+
+endmenu  # mbedTLS

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -430,7 +430,9 @@
  *
  * Uncomment this macro to remove RC4 ciphersuites by default.
  */
+#ifdef CONFIG_MBEDTLS_RC4_ENABLED
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
 
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -440,18 +442,42 @@
  *
  * Comment macros to disable the curve and functions for it
  */
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -462,7 +488,9 @@
  *
  * Comment this macro to disable NIST curves optimisation.
  */
+#ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM
 #define MBEDTLS_ECP_NIST_OPTIM
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
@@ -498,7 +526,9 @@
  *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -522,7 +552,9 @@
  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -542,7 +574,9 @@
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -567,7 +601,9 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK
 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@@ -595,7 +631,9 @@
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -621,7 +659,9 @@
  *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -646,7 +686,9 @@
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -670,7 +712,9 @@
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -694,7 +738,9 @@
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -718,7 +764,9 @@
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -971,7 +1019,9 @@
  *
  * Comment this macro to disable support for Encrypt-then-MAC
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
 
 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  *
@@ -989,7 +1039,9 @@
  *
  * Comment this macro to disable support for Extended Master Secret.
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
 
 /**
  * \def MBEDTLS_SSL_FALLBACK_SCSV
@@ -1028,7 +1080,9 @@
  *
  * Comment this macro to disable 1/n-1 record splitting.
  */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
 
 /**
  * \def MBEDTLS_SSL_RENEGOTIATION
@@ -1043,7 +1097,9 @@
  *
  * Comment this to disable support for renegotiation.
  */
+#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION
 #define MBEDTLS_SSL_RENEGOTIATION
+#endif
 
 /**
  * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1084,7 +1140,9 @@
  *
  * Comment this macro to disable support for SSL 3.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
 #define MBEDTLS_SSL_PROTO_SSL3
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1
@@ -1096,7 +1154,9 @@
  *
  * Comment this macro to disable support for TLS 1.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1
 #define MBEDTLS_SSL_PROTO_TLS1
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1_1
@@ -1108,7 +1168,9 @@
  *
  * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1
 #define MBEDTLS_SSL_PROTO_TLS1_1
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1120,7 +1182,9 @@
  *
  * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_DTLS
@@ -1135,7 +1199,9 @@
  *
  * Comment this macro to disable support for DTLS
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_PROTO_DTLS
+#endif
 
 /**
  * \def MBEDTLS_SSL_ALPN
@@ -1144,7 +1210,9 @@
  *
  * Comment this macro to disable support for ALPN.
  */
+#ifdef CONFIG_MBEDTLS_SSL_ALPN
 #define MBEDTLS_SSL_ALPN
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
@@ -1159,7 +1227,9 @@
  *
  * Comment this to disable anti-replay in DTLS.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
@@ -1177,7 +1247,9 @@
  *
  * Comment this to disable support for HelloVerifyRequest.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
@@ -1193,7 +1265,9 @@
  *
  * Comment this to disable support for clients reusing the source port.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
@@ -1204,7 +1278,9 @@
  *
  * Requires: MBEDTLS_SSL_PROTO_DTLS
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
 
 /**
  * \def MBEDTLS_SSL_SESSION_TICKETS
@@ -1218,7 +1294,9 @@
  *
  * Comment this macro to disable support for SSL session tickets
  */
+#ifdef CONFIG_MBEDTLS_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_SESSION_TICKETS
+#endif
 
 /**
  * \def MBEDTLS_SSL_EXPORT_KEYS
@@ -1461,7 +1539,9 @@
  *
  * PEM_PARSE uses AES for decrypting encrypted keys.
  */
+#ifdef CONFIG_MBEDTLS_AES_C
 #define MBEDTLS_AES_C
+#endif
 
 /**
  * \def MBEDTLS_ARC4_C
@@ -1484,7 +1564,9 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  */
+#if defined(CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT) || defined(CONFIG_MBEDTLS_RC4_ENABLED)
 #define MBEDTLS_ARC4_C
+#endif
 
 /**
  * \def MBEDTLS_ASN1_PARSE_C
@@ -1549,7 +1631,9 @@
  *
  * Module:  library/blowfish.c
  */
+#ifdef CONFIG_MBEDTLS_BLOWFISH_C
 #define MBEDTLS_BLOWFISH_C
+#endif
 
 /**
  * \def MBEDTLS_CAMELLIA_C
@@ -1604,7 +1688,9 @@
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  */
+#ifdef CONFIG_MBEDTLS_CAMELLIA_C
 #define MBEDTLS_CAMELLIA_C
+#endif
 
 /**
  * \def MBEDTLS_CCM_C
@@ -1618,7 +1704,9 @@
  * This module enables the AES-CCM ciphersuites, if other requisites are
  * enabled as well.
  */
+#ifdef CONFIG_MBEDTLS_CCM_C
 #define MBEDTLS_CCM_C
+#endif
 
 /**
  * \def MBEDTLS_CERTS_C
@@ -1698,7 +1786,9 @@
  *
  * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
  */
+#ifdef CONFIG_MBEDTLS_DES_C
 #define MBEDTLS_DES_C
+#endif
 
 /**
  * \def MBEDTLS_DHM_C
@@ -1728,7 +1818,9 @@
  *
  * Requires: MBEDTLS_ECP_C
  */
+#ifdef CONFIG_MBEDTLS_ECDH_C
 #define MBEDTLS_ECDH_C
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_C
@@ -1743,7 +1835,9 @@
  *
  * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
  */
+#ifdef CONFIG_MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_C
+#endif
 
 /**
  * \def MBEDTLS_ECJPAKE_C
@@ -1776,7 +1870,9 @@
  *
  * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
  */
+#ifdef CONFIG_MBEDTLS_ECP_C
 #define MBEDTLS_ECP_C
+#endif
 
 /**
  * \def MBEDTLS_ENTROPY_C
@@ -1816,7 +1912,9 @@
  * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
  * requisites are enabled as well.
  */
+#ifdef CONFIG_MBEDTLS_GCM_C
 #define MBEDTLS_GCM_C
+#endif
 
 /**
  * \def MBEDTLS_HAVEGE_C
@@ -1986,7 +2084,9 @@
  *
  * This modules adds support for decoding / parsing PEM files.
  */
+#ifdef CONFIG_MBEDTLS_PEM_PARSE_C
 #define MBEDTLS_PEM_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_PEM_WRITE_C
@@ -2002,7 +2102,9 @@
  *
  * This modules adds support for encoding / writing PEM files.
  */
+#ifdef CONFIG_MBEDTLS_PEM_WRITE_C
 #define MBEDTLS_PEM_WRITE_C
+#endif
 
 /**
  * \def MBEDTLS_PK_C
@@ -2122,7 +2224,9 @@
  * Caller:  library/mbedtls_md.c
  *
  */
+#ifdef CONFIG_MBEDTLS_RIPEMD160_C
 #define MBEDTLS_RIPEMD160_C
+#endif
 
 /**
  * \def MBEDTLS_RSA_C
@@ -2236,7 +2340,9 @@
  *
  * This module is required for SSL/TLS client support.
  */
+#ifdef CONFIG_MBEDTLS_TLS_CLIENT
 #define MBEDTLS_SSL_CLI_C
+#endif
 
 /**
  * \def MBEDTLS_SSL_SRV_C
@@ -2250,7 +2356,9 @@
  *
  * This module is required for SSL/TLS server support.
  */
+#ifdef CONFIG_MBEDTLS_TLS_SERVER
 #define MBEDTLS_SSL_SRV_C
+#endif
 
 /**
  * \def MBEDTLS_SSL_TLS_C
@@ -2266,7 +2374,9 @@
  *
  * This module is required for SSL/TLS.
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_TLS_C
+#endif
 
 /**
  * \def MBEDTLS_THREADING_C
@@ -2357,7 +2467,9 @@
  *
  * This module is required for X.509 CRL parsing.
  */
+#ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C
 #define MBEDTLS_X509_CRL_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_X509_CSR_PARSE_C
@@ -2371,7 +2483,9 @@
  *
  * This module is used for reading X.509 certificate request.
  */
+#ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C
 #define MBEDTLS_X509_CSR_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_X509_CREATE_C
@@ -2420,7 +2534,9 @@
  * Module:  library/xtea.c
  * Caller:
  */
+#ifdef CONFIG_MBEDTLS_XTEA_C
 #define MBEDTLS_XTEA_C
+#endif
 
 /* \} name SECTION: mbed TLS modules */
 

examples/protocols/https_request/main/https_request_example_main.c

@@ -254,19 +254,24 @@ static void https_get_task(void *pvParameters)
             ESP_LOGI(TAG, "Certificate verified.");
         }
 
+        ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl));
+
         ESP_LOGI(TAG, "Writing HTTP request...");
 
-        while((ret = mbedtls_ssl_write(&ssl, (const unsigned char *)REQUEST, strlen(REQUEST))) <= 0)
-        {
-            if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
-            {
+        size_t written_bytes = 0;
+        do {
+            ret = mbedtls_ssl_write(&ssl,
+                                    (const unsigned char *)REQUEST + written_bytes,
+                                    strlen(REQUEST) - written_bytes);
+            if (ret >= 0) {
+                ESP_LOGI(TAG, "%d bytes written", ret);
+                written_bytes += ret;
+            } else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) {
                 ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret);
                 goto exit;
             }
-        }
+        } while(written_bytes < strlen(REQUEST));
 
-        len = ret;
-        ESP_LOGI(TAG, "%d bytes written", len);
         ESP_LOGI(TAG, "Reading HTTP response...");
 
         do
@@ -296,7 +301,7 @@ static void https_get_task(void *pvParameters)
             }
 
             len = ret;
-            ESP_LOGI(TAG, "%d bytes read", len);
+            ESP_LOGD(TAG, "%d bytes read", len);
             /* Print response directly to stdout as it is read */
             for(int i = 0; i < len; i++) {
                 putchar(buf[i]);
@@ -315,6 +320,11 @@ static void https_get_task(void *pvParameters)
             ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
         }
 
+        putchar('\n'); // JSON output doesn't have a newline at end
+
+        static int request_count;
+        ESP_LOGI(TAG, "Completed %d requests", ++request_count);
+
         for(int countdown = 10; countdown >= 0; countdown--) {
             ESP_LOGI(TAG, "%d...", countdown);
             vTaskDelay(1000 / portTICK_PERIOD_MS);