From 63c84a0a87d4f112cce456a71842967ddb5a8c69 Mon Sep 17 00:00:00 2001
From: Frank Mertens
Date: Tue, 16 Apr 2024 01:44:05 +0200
Subject: [PATCH] change(esp-tls): make wolfSSL backend send SNI and enable OCSP

Almost all sites these days are virtually hosted and hence SNI (server name indicator TLS extension) should be enabled by default. In addition this change enables OCSP (online server status protocol) support for esp-tls clients using the wolfSSL backend. The 3 code lines enable OCSP stabling v1. By default this feature is disabled. (I will send another PR on esp-wolfssl repository to allow to enable it easily.)
---
 components/esp-tls/esp_tls_wolfssl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c
index 7bad5e14d5fb..fd2b001e7f6a 100644
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
@@ -288,6 +288,9 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
             free(use_host);
             return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
         }
+        /* Mimick the semantics of mbedtls_ssl_set_hostname(), which does not only set the SNI,
+           but if not set will make the mbedTLS stack skip certificate verification. */
+        wolfSSL_CTX_UseSNI(tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, use_host, strlen(use_host));
         free(use_host);
     }
 
@@ -310,6 +313,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
 #endif /* CONFIG_WOLFSSL_HAVE_ALPN */
     }
 
+#ifdef CONFIG_WOLFSSL_HAVE_OCSP
+    wolfSSL_CTX_EnableOCSPStapling((WOLFSSL_CTX *)tls->priv_ctx );
+    wolfSSL_UseOCSPStapling((WOLFSSL *)tls->priv_ssl, WOLFSSL_CSR_OCSP, 0);
+    wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, 0);
+#endif
+
     wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
     return ESP_OK;
 }
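Review bot: The return value of the added `wolfSSL_CTX_UseSNI()` call is discarded, so if wolfSSL rejects the name (it returns WOLFSSL_SUCCESS only on success) the ClientHello silently goes out without SNI, whereas the preceding hostname call in the same block frees use_host and returns ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED on failure. Treat it the same way: `if (wolfSSL_CTX_UseSNI((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, use_host, strlen(use_host)) != WOLFSSL_SUCCESS) { free(use_host); return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED; }`, which also restores the explicit `(WOLFSSL_CTX *)` cast the rest of the file uses on priv_ctx. The extension is registered on the context, while the second hunk shows tls->priv_ssl already exists at this point; confirm that a context-level SNI set after wolfSSL_new() is still sent for that session, or use the per-session `wolfSSL_UseSNI()` on priv_ssl instead. The comment should read "Mimic" and make clear it describes the verification-skipping behaviour of the mbedTLS call being imitated, not of the SNI call itself, since in wolfSSL the SNI extension does not drive hostname verification. set_client_config begins and ends outside the hunk.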
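Review bot: All three OCSP calls under `#ifdef CONFIG_WOLFSSL_HAVE_OCSP` ignore their return values, so a failing `wolfSSL_UseOCSPStapling()` or `wolfSSL_CTX_EnableOCSP()` leaves the handshake proceeding with the caller believing revocation checking is active when it is not; compare each against WOLFSSL_SUCCESS and return an error, as the hostname path earlier in this function does. The block also deserves a comment, because `wolfSSL_CTX_EnableOCSP(ctx, 0)` means that when a server does not staple, wolfSSL falls back to a live OCSP responder lookup inside the handshake, adding latency and a reachability-dependent failure mode on a constrained device, and the 0 options argument requests no nonce, so freshness of a stapled response rests on its validity window. Suggested: `/* Request a stapled OCSP response (v1, no nonce); if the server sends none, wolfSSL queries the responder directly, which can fail or stall the handshake when it is unreachable. */`. The stray space in `tls->priv_ctx )` on the first call should go. set_client_config begins outside the hunk.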