Almost all sites these days are virtually hosted and hence
SNI (server name indicator TLS extension) should be enabled by
default.
In addition this change enables OCSP (online server status protocol)
support for esp-tls clients using the wolfSSL backend.
The 3 code lines enable OCSP stabling v1.
By default this feature is disabled.
(I will send another PR on esp-wolfssl repository to allow to
enable it easily.)
This change makes the wolfSSL backend sent the complete TLS client certificate
chain. This align the wolfSSL backend with the behavior of the mbedTLS backend.
Some servers need the intermediate certificates to verify a client certificate.
If the provided PEM file contains only a single certificate this change has no effect
and the behavior will be as before.
This impacts higher level APIs to function as someone would expect.
E.g.: esp_websocket_client_config_t.client_cert: when passing here a pem
file containing 2 certificates (the CA's and the client's) it would be
expected that both are transmitted during TLS handshake.
For ESP certificate bundle case, the certificate failure error from
underlying TLS stack was not being tracked. Added the fix and also
updated example code showcasing how to retrieve it.
Closes https://github.com/espressif/esp-idf/issues/12034
wolfSSL error codes are mostly positive numbers, but esp-tls potentially
non-block API (read/write) returns ssize_t, i.e. bytes read/written if
>0, errorcode otherwise. To comply with this API we have to conditionate
the wolfssl return codes to negative numbers, preferably the same codes
as mbedTLS codes.
purpose)
By default esp-tls client will now return error if no server verify option
is provided, earlier it used to skip the verification by
default.
Added config option to skip server verification by default (for testing
purpose)
Updated required docs
Adds the ESP certificate bundle feature that enables users to bundle a
root certificate bundle together with their application.
Default bundle includes all Mozilla root certificates
Closes IDF-296
1)Segregating mbedtls API into seperate file and cleaned esp_tls.c
2)Added support for wolfssl for CMake and make
3)Added support for debug_wolfssl (with menuconfig option)
4)Added info on wolfssl in ESP-TLS docs
Frank Mertens