change(esp-tls): add option to enable/disable the full set of OCSP checks for wolfSSL

This commit is contained in:
Frank Mertens 2024-09-04 12:21:36 +02:00
parent 6673376297
commit ba27281c3e
2 changed files with 13 additions and 1 deletions

View File

@ -115,4 +115,12 @@ menu "ESP-TLS"
help help
Enable detailed debug prints for wolfSSL SSL library. Enable detailed debug prints for wolfSSL SSL library.
config ESP_TLS_OCSP_CHECKALL
bool "Enabled full OCSP checks for ESP-TLS"
depends on ESP_TLS_USING_WOLFSSL
default y
help
Enable a fuller set of OCSP checks: checking revocation status of intermediate certificates,
optional fallbacks to CRLs, etc.
endmenu endmenu

View File

@ -316,8 +316,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
} }
#ifdef CONFIG_WOLFSSL_HAVE_OCSP #ifdef CONFIG_WOLFSSL_HAVE_OCSP
int ocsp_options = 0;
#ifdef ESP_TLS_OCSP_CHECKALL
ocsp_options |= WOLFSSL_OCSP_CHECKALL;
#endif
/* enable OCSP certificate status check for this TLS context */ /* enable OCSP certificate status check for this TLS context */
if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL)) != WOLFSSL_SUCCESS) { if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, ocsp_options)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret); ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret);
return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED; return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
} }