Merge branch 'fix/refactor_esp_tls_server' into 'master'

fix(esp_tls): Refactor esp-tls to remove ESP_TLS_SERVER config option Closes IDFGH-10812 See merge request espressif/esp-idf!25773
2023-10-27 06:34:44 +08:00 · 2023-10-27 06:34:44 +08:00 · 47678fc17b
commit 47678fc17b
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@ -38,16 +38,9 @@ menu "ESP-TLS"
        help
            Enable session ticket support as specified in RFC5077.

-    config ESP_TLS_SERVER
-        bool "Enable ESP-TLS Server"
-        depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL
-        help
-            Enable support for creating server side SSL/TLS session, available for mbedTLS
-            as well as wolfSSL TLS library.
-
    config ESP_TLS_SERVER_SESSION_TICKETS
        bool "Enable server session tickets"
-        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
+        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
        help
            Enable session ticket support as specified in RFC5077

@ -60,7 +53,7 @@ menu "ESP-TLS"

    config ESP_TLS_SERVER_CERT_SELECT_HOOK
        bool "Certificate selection hook"
-        depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER
+        depends on ESP_TLS_USING_MBEDTLS
        help
            Ability to configure and use a certificate selection callback during server handshake,
            to select a certificate to present to the client based on the TLS extensions supplied in
@ -68,7 +61,7 @@ menu "ESP-TLS"

    config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
        bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
-        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
+        depends on ESP_TLS_USING_MBEDTLS
        help
            When this option is enabled, the peer (here, the client) certificate is checked by the server,
            however the handshake continues even if verification failed. By default, the
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -64,12 +64,10 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_get_client_session         esp_mbedtls_get_client_session
 #define _esp_tls_free_client_session        esp_mbedtls_free_client_session
 #define _esp_tls_get_ssl_context            esp_mbedtls_get_ssl_context
-#ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_mbedtls_server_session_create
 #define _esp_tls_server_session_delete      esp_mbedtls_server_session_delete
 #define _esp_tls_server_session_ticket_ctx_init    esp_mbedtls_server_session_ticket_ctx_init
 #define _esp_tls_server_session_ticket_ctx_free    esp_mbedtls_server_session_ticket_ctx_free
-#endif  /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail            esp_mbedtls_get_bytes_avail
 #define _esp_tls_init_global_ca_store       esp_mbedtls_init_global_ca_store
 #define _esp_tls_set_global_ca_store        esp_mbedtls_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
@ -83,10 +81,8 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_write                      esp_wolfssl_write
 #define _esp_tls_conn_delete                esp_wolfssl_conn_delete
 #define _esp_tls_net_init                   esp_wolfssl_net_init
-#ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_wolfssl_server_session_create
 #define _esp_tls_server_session_delete      esp_wolfssl_server_session_delete
-#endif  /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail            esp_wolfssl_get_bytes_avail
 #define _esp_tls_init_global_ca_store       esp_wolfssl_init_global_ca_store
 #define _esp_tls_set_global_ca_store        esp_wolfssl_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
@ -108,7 +104,7 @@ static const char *TAG = "esp-tls";

 static esp_err_t create_ssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
 {
-    return _esp_create_ssl_handle(hostname, hostlen, cfg, tls);
+    return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL);
 }

 static esp_err_t esp_tls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
@ -638,7 +634,6 @@ void esp_tls_free_client_session(esp_tls_client_session_t *client_session)
 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */


-#ifdef CONFIG_ESP_TLS_SERVER
 esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
 {
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
@ -682,7 +677,6 @@ void esp_tls_server_session_delete(esp_tls_t *tls)
 {
    return _esp_tls_server_session_delete(tls);
 }
-#endif /* CONFIG_ESP_TLS_SERVER */

 ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls)
 {
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@ -213,7 +213,6 @@ typedef struct esp_tls_cfg {
    esp_tls_proto_ver_t tls_version;        /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
 } esp_tls_cfg_t;

-#ifdef CONFIG_ESP_TLS_SERVER
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
 /**
 * @brief Data structures necessary to support TLS session tickets according to RFC5077
@ -228,7 +227,7 @@ typedef struct esp_tls_server_session_ticket_ctx {
 } esp_tls_server_session_ticket_ctx_t;
 #endif

-
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
 /**
 * @brief tls handshake callback
 * Can be used to configure per-handshake attributes for the TLS connection.
@ -239,7 +238,11 @@ typedef struct esp_tls_server_session_ticket_ctx {
 *         or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort
 */
 typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;
+#endif

+/**
+ * @brief ESP-TLS Server configuration parameters
+ */
 typedef struct esp_tls_cfg_server {
    const char **alpn_protos;                   /*!< Application protocols required for HTTP2.
                                                     If HTTP2/ALPN support is required, a list
@ -341,7 +344,6 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
 * @param cfg server configuration as esp_tls_cfg_server_t
 */
 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
-#endif /* ! CONFIG_ESP_TLS_SERVER */

 typedef struct esp_tls esp_tls_t;

@ -681,7 +683,6 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void);
 */
 const int *esp_tls_get_ciphersuites_list(void);
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
-#ifdef CONFIG_ESP_TLS_SERVER
 /**
 * @brief      Create TLS/SSL server session
 *
@ -707,7 +708,6 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls
 * @param[in]  tls  pointer to esp_tls_t
 */
 void esp_tls_server_session_delete(esp_tls_t *tls);
-#endif /* ! CONFIG_ESP_TLS_SERVER */

 /**
 * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -70,7 +70,9 @@ typedef struct esp_tls_pki_t {
 #endif
 } esp_tls_pki_t;

-esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
+static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
+
+esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params)
 {
    assert(cfg != NULL);
    assert(tls != NULL);
@ -116,16 +118,16 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
            goto exit;
        }
    } else if (tls->role == ESP_TLS_SERVER) {
-#ifdef CONFIG_ESP_TLS_SERVER
-        esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls);
+        if (server_params == NULL) {
+            /* Server params cannot be NULL when TLS role is server */
+            return ESP_ERR_INVALID_ARG;
+        }
+        esp_tls_server_params_t *input_server_params = server_params;
+        esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls);
        if (esp_ret != 0) {
            ESP_LOGE(TAG, "Failed to set server configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
            goto exit;
        }
-#else
-            ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in Kconfig");
-            goto exit;
-#endif
    }

    if ((ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg,
@ -353,10 +355,6 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
        mbedtls_x509_crt_free(tls->cacert_ptr);
    }
    tls->cacert_ptr = NULL;
-#ifdef CONFIG_ESP_TLS_SERVER
-    mbedtls_x509_crt_free(&tls->servercert);
-    mbedtls_pk_free(&tls->serverkey);
-#endif
    mbedtls_x509_crt_free(&tls->cacert);
    mbedtls_x509_crt_free(&tls->clientcert);
    mbedtls_pk_free(&tls->clientkey);
@ -478,7 +476,6 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls)
    return ESP_OK;
 }

-#ifdef CONFIG_ESP_TLS_SERVER
 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
 int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
 {
@ -547,7 +544,7 @@ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ct
 }
 #endif

-esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
+static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 {
    assert(cfg != NULL);
    assert(tls != NULL);
@ -679,7 +676,6 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)

    return ESP_OK;
 }
-#endif /* ! CONFIG_ESP_TLS_SERVER */

 esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls)
 {
@ -903,7 +899,6 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
    return ESP_OK;
 }

-#ifdef CONFIG_ESP_TLS_SERVER
 /**
 * @brief      Create TLS/SSL server session
 */
@ -914,7 +909,9 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
    }
    tls->role = ESP_TLS_SERVER;
    tls->sockfd = sockfd;
-    esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls);
+    esp_tls_server_params_t server_params = {};
+    server_params.set_server_cfg = &set_server_config;
+    esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls, &server_params);
    if (esp_ret != ESP_OK) {
        ESP_LOGE(TAG, "create_ssl_handle failed, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
        ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret);
@ -946,7 +943,6 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls)
        free(tls);
    }
 };
-#endif /* ! CONFIG_ESP_TLS_SERVER */

 esp_err_t esp_mbedtls_init_global_ca_store(void)
 {
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -44,9 +44,7 @@ static uint8_t psk_key_array[PSK_MAX_KEY_LEN];
 static uint8_t psk_key_max_len = 0;
 #endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */

-#ifdef CONFIG_ESP_TLS_SERVER
 static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
-#endif /* CONFIG_ESP_TLS_SERVER */


 /* This function shall return the error message when appropriate log level has been set otherwise this function shall do nothing */
@ -124,7 +122,7 @@ void *esp_wolfssl_get_ssl_context(esp_tls_t *tls)
    return (void*)tls->priv_ssl;
 }

-esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
+esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params)
 {
 #ifdef CONFIG_ESP_DEBUG_WOLFSSL
    wolfSSL_Debugging_ON();
@ -152,16 +150,11 @@ esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const
            goto exit;
        }
    } else if (tls->role == ESP_TLS_SERVER) {
-#ifdef CONFIG_ESP_TLS_SERVER
        esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls);
        if (esp_ret != ESP_OK) {
            ESP_LOGE(TAG, "Failed to set server configurations, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
            goto exit;
        }
-#else
-        ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in menuconfig");
-        goto exit;
-#endif
    }
    else {
        ESP_LOGE(TAG, "tls->role is not valid");
@ -321,7 +314,6 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
    return ESP_OK;
 }

-#ifdef CONFIG_ESP_TLS_SERVER
 static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 {
    int ret = WOLFSSL_FAILURE;
@ -378,7 +370,6 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
    wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
    return ESP_OK;
 }
-#endif

 int esp_wolfssl_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
 {
@ -486,7 +477,6 @@ void esp_wolfssl_cleanup(esp_tls_t *tls)
    wolfSSL_Cleanup();
 }

-#ifdef CONFIG_ESP_TLS_SERVER
 /**
 * @brief       Create TLS/SSL server session
 */
@ -497,7 +487,9 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
    }
    tls->role = ESP_TLS_SERVER;
    tls->sockfd = sockfd;
-    esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls);
+    esp_tls_server_params_t server_params = {};
+    server_params.set_server_cfg = &set_server_config;
+    esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls, &server_params);
    if (esp_ret != ESP_OK) {
        ESP_LOGE(TAG, "create_ssl_handle failed, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
        ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret);
@ -531,7 +523,6 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls)
        free(tls);
    }
 }
-#endif /* CONFIG_ESP_TLS_SERVER */

 esp_err_t esp_wolfssl_init_global_ca_store(void)
 {
--- a/components/esp-tls/private_include/esp_tls_mbedtls.h
+++ b/components/esp-tls/private_include/esp_tls_mbedtls.h
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -46,7 +46,7 @@ ssize_t esp_mbedtls_get_bytes_avail(esp_tls_t *tls);
 /**
 * Internal Callback for creating ssl handle for mbedtls
 */
-esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls);
+esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void* server_params);

 /**
 * mbedTLS function for Initializing socket wrappers
@ -61,13 +61,6 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls)
 */
 void *esp_mbedtls_get_ssl_context(esp_tls_t *tls);

-#ifdef CONFIG_ESP_TLS_SERVER
-/**
- * Internal Callback for set_server_config
- *
- * /note :- can only be used with mbedtls ssl library
- */
-esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);

 /**
 * Internal Callback for mbedtls_server_session_create
@ -98,7 +91,6 @@ esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_tick
 */
 void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg);
 #endif
-#endif

 /**
 * Internal Callback for set_client_config_function
--- a/components/esp-tls/private_include/esp_tls_private.h
+++ b/components/esp-tls/private_include/esp_tls_private.h
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -53,21 +53,21 @@ struct esp_tls {
    mbedtls_x509_crt cacert;                                                    /*!< Container for the X.509 CA certificate */

    mbedtls_x509_crt *cacert_ptr;                                               /*!< Pointer to the cacert being used. */
-
+    union {
    mbedtls_x509_crt clientcert;                                                /*!< Container for the X.509 client certificate */
+    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
+    };

+    union {
    mbedtls_pk_context clientkey;                                               /*!< Container for the private key of the client
                                                                                     certificate */
+    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
+                                                                                     certificate */
+    };
 #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
    bool use_ecdsa_peripheral;                                                  /*!< Use the ECDSA peripheral for the private key operations. */
    uint8_t ecdsa_efuse_blk;                                                    /*!< The efuse block number where the ECDSA key is stored. */
 #endif
-#ifdef CONFIG_ESP_TLS_SERVER
-    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
-
-    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
-                                                                                   certificate */
-#endif
 #elif CONFIG_ESP_TLS_USING_WOLFSSL
    void *priv_ctx;
    void *priv_ssl;
@ -95,3 +95,11 @@ struct esp_tls {
    esp_tls_error_handle_t error_handle;                                        /*!< handle to error descriptor */

 };
+
+// Function pointer for the server configuration API
+typedef esp_err_t (*set_server_config_func_ptr) (esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
+
+// This struct contains any data that is only specific to the server session and not required by the client.
+typedef struct esp_tls_server_params {
+    set_server_config_func_ptr set_server_cfg;
+} esp_tls_server_params_t;
--- a/components/esp-tls/private_include/esp_tls_wolfssl.h
+++ b/components/esp-tls/private_include/esp_tls_wolfssl.h
@ -11,7 +11,7 @@
 /**
 * Internal Callback for creating ssl handle for wolfssl
 */
-int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls);
+int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params);

 /**
 * Internal Callback for wolfssl_handshake
@ -76,7 +76,6 @@ static inline void esp_wolfssl_net_init(esp_tls_t *tls)
 {
 }

-#ifdef CONFIG_ESP_TLS_SERVER

 /**
 * Function to Create ESP-TLS Server session with wolfssl Stack
@ -87,5 +86,3 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
 * Delete Server Session
 */
 void esp_wolfssl_server_session_delete(esp_tls_t *tls);
-
-#endif
--- a/components/esp-tls/test_apps/main/test_esp_tls.c
+++ b/components/esp-tls/test_apps/main/test_esp_tls.c
@ -76,7 +76,6 @@ TEST_CASE("esp-tls global_ca_store set free", "[esp-tls]")
    esp_tls_free_global_ca_store();
 }

-#ifdef CONFIG_ESP_TLS_SERVER
 TEST_CASE("esp_tls_server session create delete", "[esp-tls]")
 {
    struct esp_tls *tls = esp_tls_init();
@ -95,4 +94,3 @@ TEST_CASE("esp_tls_server session create delete", "[esp-tls]")
    esp_tls_server_session_delete(tls);

 }
-#endif
--- a/components/esp-tls/test_apps/sdkconfig.defaults
+++ b/components/esp-tls/test_apps/sdkconfig.defaults
@ -5,6 +5,4 @@ CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y
 CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=y
 CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y
 CONFIG_COMPILER_STACK_CHECK=y
-
 CONFIG_ESP_TASK_WDT_EN=n
-CONFIG_ESP_TLS_SERVER=y
--- a/components/esp_https_server/CMakeLists.txt
+++ b/components/esp_https_server/CMakeLists.txt
@ -1,7 +1,5 @@
-if(CONFIG_ESP_HTTPS_SERVER_ENABLE OR CONFIG_IDF_DOC_BUILD)
-    set(src "src/https_server.c")
-    set(inc "include")
-endif()
+set(src "src/https_server.c")
+set(inc "include")

 idf_component_register(SRCS ${src}
                    INCLUDE_DIRS ${inc}
--- a/components/esp_https_server/Kconfig
+++ b/components/esp_https_server/Kconfig
@ -3,7 +3,6 @@ menu "ESP HTTPS server"
    config ESP_HTTPS_SERVER_ENABLE
        bool "Enable ESP_HTTPS_SERVER component"
        depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER)
-        select ESP_TLS_SERVER
        help
            Enable ESP HTTPS server component

--- a/components/esp_https_server/include/esp_https_server.h
+++ b/components/esp_https_server/include/esp_https_server.h
@ -104,70 +104,30 @@ struct httpd_ssl_config {
    esp_https_server_user_cb *user_cb;

    void *ssl_userdata; /*!< user data to add to the ssl context  */
+#if CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK
    esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */
+#endif

    const char** alpn_protos; /*!< Application protocols the server supports in order of prefernece. Used for negotiating during the TLS handshake, first one the client supports is selected. The data structure must live as long as the https server itself! */
 };

 typedef struct httpd_ssl_config httpd_ssl_config_t;

+/* Macro kept for compatibility reasons */
+#define HTTPD_SSL_CONFIG_DEFAULT    httpd_ssl_config_default
 /**
- * Default config struct init
- *
- * (http_server default config had to be copied for customization)
+ * Returns the httpd config struct with default initialisation
 *
+ * @return
+ * httpd_ssl_config_t   HTTPD ssl config struct
+ *                      with default initialisation
 * Notes:
 * - port is set when starting the server, according to 'transport_mode'
 * - one socket uses ~ 40kB RAM with SSL, we reduce the default socket count to 4
 * - SSL sockets are usually long-lived, closing LRU prevents pool exhaustion DOS
 * - Stack size may need adjustments depending on the user application
 */
-#define HTTPD_SSL_CONFIG_DEFAULT() {              \
-    .httpd = {                                    \
-        .task_priority      = tskIDLE_PRIORITY+5, \
-        .stack_size         = 10240,              \
-        .core_id            = tskNO_AFFINITY,     \
-        .server_port        = 0,                  \
-        .ctrl_port   = ESP_HTTPD_DEF_CTRL_PORT+1, \
-        .max_open_sockets   = 4,                  \
-        .max_uri_handlers   = 8,                  \
-        .max_resp_headers   = 8,                  \
-        .backlog_conn       = 5,                  \
-        .lru_purge_enable   = true,               \
-        .recv_wait_timeout  = 5,                  \
-        .send_wait_timeout  = 5,                  \
-        .global_user_ctx = NULL,                  \
-        .global_user_ctx_free_fn = NULL,          \
-        .global_transport_ctx = NULL,             \
-        .global_transport_ctx_free_fn = NULL,     \
-        .enable_so_linger = false,                \
-        .linger_timeout = 0,                      \
-        .keep_alive_enable = false,               \
-        .keep_alive_idle = 0,                     \
-        .keep_alive_interval = 0,                 \
-        .keep_alive_count = 0,                    \
-        .open_fn = NULL,                          \
-        .close_fn = NULL,                         \
-        .uri_match_fn = NULL                      \
-    },                                            \
-    .servercert = NULL,                           \
-    .servercert_len = 0,                          \
-    .cacert_pem = NULL,                           \
-    .cacert_len = 0,                              \
-    .prvtkey_pem = NULL,                          \
-    .prvtkey_len = 0,                             \
-    .use_ecdsa_peripheral = false,                \
-    .ecdsa_key_efuse_blk = 0,                     \
-    .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \
-    .port_secure = 443,                           \
-    .port_insecure = 80,                          \
-    .session_tickets = false,                     \
-    .use_secure_element = false,                  \
-    .user_cb = NULL,                              \
-    .ssl_userdata = NULL,                         \
-    .cert_select_cb = NULL,                       \
-    .alpn_protos = NULL,                          \
-}
+httpd_ssl_config_t httpd_ssl_config_default(void);

 /**
 * Create a SSL capable HTTP server (secure mode may be disabled in config)
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@ -48,6 +48,60 @@ static void httpd_ssl_close(void *ctx)
    ESP_LOGD(TAG, "Secure socket closed");
 }

+httpd_ssl_config_t httpd_ssl_config_default(void)
+{
+    httpd_ssl_config_t config = {
+        .httpd = {
+            .task_priority = tskIDLE_PRIORITY + 5,
+            .stack_size = 10240,
+            .core_id = tskNO_AFFINITY,
+            .server_port = 0,
+            .ctrl_port = ESP_HTTPD_DEF_CTRL_PORT + 1,
+            .max_open_sockets = 4,
+            .max_uri_handlers = 8,
+            .max_resp_headers = 8,
+            .backlog_conn = 5,
+            .lru_purge_enable = true,
+            .recv_wait_timeout = 5,
+            .send_wait_timeout = 5,
+            .global_user_ctx = NULL,
+            .global_user_ctx_free_fn = NULL,
+            .global_transport_ctx = NULL,
+            .global_transport_ctx_free_fn = NULL,
+            .enable_so_linger = false,
+            .linger_timeout = 0,
+            .keep_alive_enable = false,
+            .keep_alive_idle = 0,
+            .keep_alive_interval = 0,
+            .keep_alive_count = 0,
+            .open_fn = NULL,
+            .close_fn = NULL,
+            .uri_match_fn = NULL,
+        },
+        .servercert = NULL,
+        .servercert_len = 0,
+        .cacert_pem = NULL,
+        .cacert_len = 0,
+        .prvtkey_pem = NULL,
+        .prvtkey_len = 0,
+        .use_ecdsa_peripheral = false,
+        .ecdsa_key_efuse_blk = 0,
+        .transport_mode = HTTPD_SSL_TRANSPORT_SECURE,
+        .port_secure = 443,
+        .port_insecure = 80,
+        .session_tickets = false,
+        .use_secure_element = false,
+        .user_cb = NULL,
+        .ssl_userdata = NULL,
+#if CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK
+        .cert_select_cb = NULL,
+#endif
+        .alpn_protos = NULL,
+    };
+
+    return config;
+}
+
 /**
 * SSL socket pending-check function
 *
--- a/examples/protocols/https_server/simple/sdkconfig.ci
+++ b/examples/protocols/https_server/simple/sdkconfig.ci
@ -1,3 +1,4 @@
 CONFIG_ESP_HTTPS_SERVER_ENABLE=y
+CONFIG_ESP_TLS_CERT_SELECT_HOOK=y
 CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK=y
 CONFIG_EXAMPLE_WIFI_SSID_PWD_FROM_STDIN=y