diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index cbc608a497..54cfab71cf 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -561,6 +561,22 @@ menu "mbedTLS"
             Client support for RFC 5077 session tickets.
             See mbedTLS documentation for more details.
             Disabling this option will save some code size.
+    config MBEDTLS_X509_CHECK_KEY_USAGE
+        bool "Enable verification of the keyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
+    config MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+        bool "Enable verification of the extendedKeyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
     config MBEDTLS_SERVER_SSL_SESSION_TICKETS
         bool "TLS: Server Support for RFC 5077 SSL session tickets"
         default y
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 1ff7ea4ad5..f36ebf9bc7 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1193,7 +1193,11 @@
  *
  * Comment to skip keyUsage checking for both CA and leaf certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
@@ -1206,7 +1210,11 @@
  *
  * Comment to skip extendedKeyUsage checking for certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
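Review bot: The help text of the two new options only describes what disabling the check avoids, never what the check enforces, so a user in menuconfig cannot judge what they give up by turning it off. I would open the MBEDTLS_X509_CHECK_KEY_USAGE help with `When enabled, certificate verification rejects CA certificates whose keyUsage lacks keyCertSign and peer certificates whose keyUsage does not cover the key exchange in use.` and the extendedKeyUsage help with a sentence stating that the serverAuth/clientAuth purpose of the peer certificate is checked, keeping the existing "security risk" sentence in both. The `depends on MBEDTLS_TLS_ENABLED` line also makes the symbol disappear when TLS is disabled, and the esp_config.h hunks then take the `#undef` path, so a build that uses the mbedTLS X.509 verify API without TLS would seemingly lose the check silently; whether that configuration exists cannot be seen from this hunk and is worth confirming.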
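Review bot: The Doxygen comment directly above the new `#ifdef` still says `Comment to skip keyUsage checking for both CA and leaf certificates.`, which no longer describes how the setting is controlled now that the `#define` is derived from sdkconfig; the same stale sentence sits above the extendedKeyUsage block in the second esp_config.h hunk. I would replace that line with ` * Controlled by CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE (menuconfig); do not edit here.` and the matching sentence naming CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE in the other hunk, so a reader who wants to relax the check is sent to Kconfig where the warning lives. The `#ifdef CONFIG_...` tests also presume sdkconfig.h is included earlier in this header; that include is outside the hunk, so I could not confirm it.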