change(esp-tls): make wolfSSL backend send SNI and enable OCSP

Almost all sites these days are virtually hosted and hence SNI (server name indicator TLS extension) should be enabled by default. In addition this change enables OCSP (online server status protocol) support for esp-tls clients using the wolfSSL backend. The 3 code lines enable OCSP stabling v1. By default this feature is disabled. (I will send another PR on esp-wolfssl repository to allow to enable it easily.)
espressif · May 21, 2024 · 5711493 · 5711493
1 parent 05d3c06
commit 5711493
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c
@@ -288,6 +288,13 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
  free(use_host);
  return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
  }
+ /* Mimic the semantics of mbedtls_ssl_set_hostname(), which does not only set the SNI,
+ but if not set will make the mbedTLS stack skip certificate verification. */
+ if ((ret = wolfSSL_CTX_UseSNI(tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, use_host, strlen(use_host))) != WOLFSSL_SUCCESS)
+ {
+ ESP_LOGE(TAG, "wolfSSL_CTX_UseSNI failed, returned %d", ret);
+ return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
+ }
  free(use_host);
  }
 
@@ -310,6 +317,23 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
 #endif /* CONFIG_WOLFSSL_HAVE_ALPN */
  }
 
+#ifdef CONFIG_WOLFSSL_HAVE_OCSP
+ /* increase error verbosity */
+ wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL);
+ /* enable OCSP certificate status check */
+ if ((ret = wolfSSL_CTX_EnableOCSPStapling((WOLFSSL_CTX *)tls->priv_ctx )) != WOLFSSL_SUCCESS) {
+ ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSPStapling failed, returned %d", ret);
+ return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
+ }
+ /* enable OCSPv1 TLS extension (RFC 6960) with nounce extension (RFC 8954) */
+ if ((ret = wolfSSL_UseOCSPStapling((WOLFSSL *)tls->priv_ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE)) != WOLFSSL_SUCCESS) {
+ ESP_LOGE(TAG, "wolfSSL_UseOCSPStapling failed, returned %d", ret);
+ return ESP_ERR_WOLFSSL_SSL_SETUP_FAILED;
+ }
+ /* decrease error verbosity */
+ wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, 0);
+#endif /* CONFIG_WOLFSSL_HAVE_OCSP */
+
  wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
  return ESP_OK;
 }