From ba27281c3ed7c3ee174db5bd75f4dc7cd698c241 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Wed, 4 Sep 2024 12:21:36 +0200
Subject: [PATCH] change(esp-tls): add option to enable/disable the full set of OCSP checks for wolfSSL

---
 components/esp-tls/Kconfig           | 8 ++++++++
 components/esp-tls/esp_tls_wolfssl.c | 6 +++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig
index 297a357b6d..2b6499eb46 100644
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@@ -115,4 +115,12 @@ menu "ESP-TLS"
             help
                 Enable detailed debug prints for wolfSSL SSL library.
 
+    config ESP_TLS_OCSP_CHECKALL
+        bool "Enabled full OCSP checks for ESP-TLS"
+        depends on ESP_TLS_USING_WOLFSSL
+        default y
+        help
+            Enable a fuller set of OCSP checks: checking revocation status of intermediate certificates,
+            optional fallbacks to CRLs, etc.
+
 endmenu
diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c
index b0f6316442..6096d717e4 100644
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
@@ -316,8 +316,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
     }
 
 #ifdef CONFIG_WOLFSSL_HAVE_OCSP
+    int ocsp_options = 0;
+#ifdef ESP_TLS_OCSP_CHECKALL
+    ocsp_options |= WOLFSSL_OCSP_CHECKALL;
+#endif
     /* enable OCSP certificate status check for this TLS context */
-    if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL)) != WOLFSSL_SUCCESS) {
+    if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, ocsp_options)) != WOLFSSL_SUCCESS) {
         ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret);
         return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
     }
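Review bot: The prompt string `bool "Enabled full OCSP checks for ESP-TLS"` is in the past tense while the neighbouring help line ("Enable detailed debug prints ...") and this option's own help use the imperative; `bool "Enable full OCSP checks for ESP-TLS"` keeps them consistent. The help text describes what the option adds but not what a user gives up by turning it off, which matters for a default-y security setting; a closing sentence such as `When disabled, revocation status is only checked for the leaf certificate.` (if that is indeed wolfSSL's behaviour without WOLFSSL_OCSP_CHECKALL — worth confirming against the wolfSSL documentation) would make the trade-off explicit in menuconfig.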
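Review bot: The new `#ifdef ESP_TLS_OCSP_CHECKALL` tests the bare Kconfig symbol, but Kconfig options reach C code with a `CONFIG_` prefix — the enclosing `#ifdef CONFIG_WOLFSSL_HAVE_OCSP` two lines above shows the file's own convention — so the branch is never compiled and `ocsp_options` stays 0 on every build. The practical effect is that `wolfSSL_CTX_EnableOCSP` is now always called without `WOLFSSL_OCSP_CHECKALL`, silently dropping the intermediate-certificate revocation checks the removed line always enabled, even though the option defaults to y. The guard should read `#ifdef CONFIG_ESP_TLS_OCSP_CHECKALL`. A comment on the declaration would also help the next reader, e.g. `/* 0 = basic status check; CONFIG_ESP_TLS_OCSP_CHECKALL adds intermediate-cert checks (see Kconfig) */`. set_client_config starts and ends outside the hunk.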