From 05d3c06c7c25ca08a56779b918da2da3ac99609f Mon Sep 17 00:00:00 2001 From: Frank Mertens Date: Tue, 16 Apr 2024 00:59:27 +0200 Subject: [PATCH 1/2] fix(esp-tls): make the wolfSSL backend send entire client certificate chains This change makes the wolfSSL backend sent the complete TLS client certificate chain. This align the wolfSSL backend with the behavior of the mbedTLS backend. Some servers need the intermediate certificates to verify a client certificate. If the provided PEM file contains only a single certificate this change has no effect and the behavior will be as before. This impacts higher level APIs to function as someone would expect. E.g.: esp_websocket_client_config_t.client_cert: when passing here a pem file containing 2 certificates (the CA's and the client's) it would be expected that both are transmitted during TLS handshake. --- components/esp-tls/esp_tls_wolfssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c index 733b097429..7bad5e14d5 100644 --- a/components/esp-tls/esp_tls_wolfssl.c +++ b/components/esp-tls/esp_tls_wolfssl.c @@ -97,7 +97,7 @@ static esp_err_t esp_load_wolfssl_verify_buffer(esp_tls_t *tls, const unsigned c wolf_fileformat = WOLFSSL_FILETYPE_ASN1; } if (type == FILE_TYPE_SELF_CERT) { - if ((*err_ret = wolfSSL_CTX_use_certificate_buffer( (WOLFSSL_CTX *)tls->priv_ctx, cert_buf, cert_len, wolf_fileformat)) == WOLFSSL_SUCCESS) { + if ((*err_ret = wolfSSL_CTX_use_certificate_chain_buffer_format( (WOLFSSL_CTX *)tls->priv_ctx, cert_buf, cert_len, wolf_fileformat)) == WOLFSSL_SUCCESS) { return ESP_OK; } return ESP_FAIL; From edd260e543da7ed51ad8aded0ee1dbbde46e029c Mon Sep 17 00:00:00 2001 From: Frank Mertens Date: Tue, 16 Apr 2024 01:44:05 +0200 Subject: [PATCH 2/2] change(esp-tls): make wolfSSL backend send SNI and enable OCSP Almost all sites these days are virtually hosted and hence SNI (server name indicator TLS extension) should be enabled by default. In addition this change enables OCSP (online server status protocol) support for esp-tls clients using the wolfSSL backend. The 3 code lines enable OCSP stabling v1. By default this feature is disabled. (I will send another PR on esp-wolfssl repository to allow to enable it easily.) --- components/esp-tls/esp_tls_wolfssl.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c index 7bad5e14d5..8cbe20c778 100644 --- a/components/esp-tls/esp_tls_wolfssl.c +++ b/components/esp-tls/esp_tls_wolfssl.c @@ -310,6 +310,14 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls #endif /* CONFIG_WOLFSSL_HAVE_ALPN */ } +#ifdef CONFIG_WOLFSSL_HAVE_OCSP + wolfSSL_CTX_EnableOCSPStapling((WOLFSSL_CTX *)tls->priv_ctx ); + wolfSSL_UseOCSPStapling((WOLFSSL *)tls->priv_ssl, WOLFSSL_CSR_OCSP, 0); + wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, 0); +#endif + + wolfSSL_CTX_UseSNI(tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, hostname, hostlen); + wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd); return ESP_OK; }