Merge branch 'https_server/min_cert_auth_mode_v4.4' into 'release/v4.4'

https_server: Add config option to set minimum certificate auth mode (v4.4)

See merge request espressif/esp-idf!17796

components/esp-tls/Kconfig

@@ -19,7 +19,6 @@ menu "ESP-TLS"
         select ATCA_MBEDTLS_ECDSA
         select ATCA_MBEDTLS_ECDSA_SIGN
         select ATCA_MBEDTLS_ECDSA_VERIFY
-        default n
         help
             Enable use of Secure Element for ESP-TLS, this enables internal support for
             ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
@@ -34,24 +33,21 @@ menu "ESP-TLS"
             can only be used when it is appropriately configured for TLS.
             Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
 
+    config ESP_TLS_CLIENT_SESSION_TICKETS
+        bool "Enable client session tickets"
+        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
+        help
+            Enable session ticket support as specified in RFC5077.
+
     config ESP_TLS_SERVER
         bool "Enable ESP-TLS Server"
-        default n
         help
             Enable support for creating server side SSL/TLS session, available for mbedTLS
             as well as wolfSSL TLS library.
 
-    config ESP_TLS_CLIENT_SESSION_TICKETS
-        bool "Enable client session tickets"
-        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
-        default n
-        help
-            Enable session ticket support as specified in RFC5077.
-
     config ESP_TLS_SERVER_SESSION_TICKETS
         bool "Enable server session tickets"
         depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
-        default n
         help
             Enable session ticket support as specified in RFC5077
 
@@ -62,6 +58,17 @@ menu "ESP-TLS"
         help
             Sets the session ticket timeout used in the tls server.
 
+    config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
+        bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
+        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
+        help
+            When this option is enabled, the peer (here, the client) certificate is checked by the server,
+            however the handshake continues even if verification failed. By default, the
+            peer certificate is not checked and ignored by the server.
+
+            mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
+            retrieve status of verification.
+
     config ESP_TLS_PSK_VERIFICATION
         bool "Enable PSK verification"
         select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
@@ -69,7 +76,6 @@ menu "ESP-TLS"
         select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
         select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
         select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
-        default n
         help
             Enable support for pre shared key ciphers, supported for both mbedTLS as well as
             wolfSSL TLS library.
@@ -105,7 +111,6 @@ menu "ESP-TLS"
     config ESP_DEBUG_WOLFSSL
         bool "Enable debug logs for wolfSSL"
         depends on ESP_TLS_USING_WOLFSSL
-        default n
         help
             Enable detailed debug prints for wolfSSL SSL library.
 

components/esp-tls/esp_tls_mbedtls.c

@@ -500,7 +500,11 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
             return esp_ret;
         }
     } else {
+#ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+#else
+        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
+#endif
     }
 
     if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {

examples/protocols/https_server/simple/main/Kconfig.projbuild

@@ -2,7 +2,7 @@ menu "Example Configuration"
 
     config EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
         bool "Enable user callback with HTTPS Server"
-        default false
+        select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         help
             Enable user callback for esp_https_server which can be used to get SSL context (connection information)
             E.g. Certificate of the connected client

examples/protocols/https_server/simple/main/main.c

@@ -41,12 +41,20 @@ static esp_err_t root_get_handler(httpd_req_t *req)
  * whenever a new SSL connection is created
  *
  * Can also be used to other information like Socket FD, Connection state, etc.
+ *
+ * NOTE: This callback will not be able to obtain the client certificate if the
+ * following config `Set minimum Certificate Verification mode to Optional` is
+ * not enabled (enabled by default in this example).
+ *
+ * The config option is found here - Component config → ESP-TLS
+ *
  */
 void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
 {
     ESP_LOGI(TAG, "Session Created!");
-    const mbedtls_x509_crt *cert;
+    ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
 
+    const mbedtls_x509_crt *cert;
     const size_t buf_size = 1024;
     char *buf = calloc(buf_size, sizeof(char));
     if (buf == NULL) {
@@ -54,9 +62,13 @@ void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
         return;
     }
 
+    mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", &user_cb->tls->servercert);
+    ESP_LOGI(TAG, "Server certificate info:\n%s", buf);
+    memset(buf, 0x00, buf_size);
+
     cert = mbedtls_ssl_get_peer_cert(&user_cb->tls->ssl);
     if (cert != NULL) {
-        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "      ", cert);
+        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", cert);
         ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);
     } else {
         ESP_LOGW(TAG, "Could not obtain the peer certificate!");
@@ -91,9 +103,9 @@ static httpd_handle_t start_webserver(void)
     conf.prvtkey_pem = prvtkey_pem_start;
     conf.prvtkey_len = prvtkey_pem_end - prvtkey_pem_start;
 
-    #if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
+#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
     conf.user_cb = https_server_user_callback;
-    #endif
+#endif
     esp_err_t ret = httpd_ssl_start(&server, &conf);
     if (ESP_OK != ret) {
         ESP_LOGI(TAG, "Error starting server!");