esp-tls: Changed default behaviour for esp-tls client ( for security purpose)

Commit ID: ca964dfb
2025-07-03 15:38:15 +08:00 · 2021-04-22 15:32:24 +08:00
parent 870aa0a1e4
commit 7b92080927
3 changed files with 29 additions and 0 deletions
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@ -31,6 +31,25 @@ menu "ESP-TLS"
            Enable support for pre shared key ciphers, supported for both mbedTLS as well as
            wolfSSL TLS library.

+    config ESP_TLS_INSECURE
+        bool "Allow potentially insecure options"
+        help
+            You can enable some potentially insecure options. These options should only be used for testing pusposes.
+            Only enable these options if you are very sure.
+
+    config ESP_TLS_SKIP_SERVER_CERT_VERIFY
+        bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
+        depends on ESP_TLS_INSECURE
+        help
+            After enabling this option the esp-tls client will skip the server certificate verification
+            by default. Note that this option will only modify the default behaviour of esp-tls client
+            regarding server cert verification. The default behaviour should only be applicable when
+            no other option regarding the server cert verification is opted in the esp-tls config
+            (e.g. crt_bundle_attach, use_global_ca_store etc.).
+            WARNING : Enabling this option comes with a potential risk of establishing a TLS connection
+            with a server which has a fake identity, provided that the server certificate
+            is not provided either through API or other mechanism like ca_store etc.
+
    config ESP_WOLFSSL_SMALL_CERT_VERIFY
        bool "Enable SMALL_CERT_VERIFY"
        depends on ESP_TLS_USING_WOLFSSL
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -445,7 +445,12 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
        return ESP_ERR_INVALID_STATE;
 #endif
    } else {
+#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
+#else
+        ESP_LOGE(TAG, "No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference");
+        return ESP_ERR_MBEDTLS_SSL_SETUP_FAILED;
+#endif
    }

    if (cfg->clientcert_buf != NULL && cfg->clientkey_buf != NULL) {
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
@ -201,7 +201,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
        return ESP_ERR_INVALID_STATE;
 #endif
    } else {
+#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
        wolfSSL_CTX_set_verify( (WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_VERIFY_NONE, NULL);
+#else
+        ESP_LOGE(TAG, "No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference");
+        return ESP_ERR_WOLFSSL_SSL_SETUP_FAILED;
+#endif
    }

    if (cfg->clientcert_buf != NULL && cfg->clientkey_buf != NULL) {