From 832128faf02b8062bedae4762f8b312851abc49d Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Mon, 11 Jan 2021 12:23:30 +0530
Subject: [PATCH] esp_tls: Add warning if the CA chain provided contains one/more invalid cert

---
 components/esp-tls/esp_tls.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c
index 1bd14f2dc9..b6d971d6ff 100644
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@@ -292,6 +292,11 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
             ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
             goto exit;
         }
+        if (ret > 0) {
+            /* This will happen if the CA chain contains one or more invalid certs, going ahead as the hadshake
+             * may still succeed if the other certificates in the CA chain are enough for the authentication */
+            ESP_LOGW(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
+        }
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
         mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
     } else {
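Review bot: The comment on the new `if (ret > 0)` branch misspells "handshake" as "hadshake" and does not say what `ret` means, which matters here because a positive return from `mbedtls_x509_crt_parse` is the count of certificates that could not be parsed, and those entries are simply absent from the chain that the next lines hand to `mbedtls_ssl_conf_ca_chain`, so the trust store is narrowed to whatever parsed. I would reword it as `/* A positive return is the number of certificates that could not be parsed; they are dropped from the CA chain, so the handshake may still succeed if the remaining CAs are enough for verification. Investigate the bundle when this fires. */`. The warning only reports a count, so an operator cannot tell which entry of the bundle is bad; naming the hostname being connected to in the message would at least make the event attributable. create_ssl_handle begins and ends outside this hunk.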