change(esp-tls): make wolfSSL backend send SNI and enable OCSP
Almost all sites these days are virtually hosted and hence
SNI (server name indicator TLS extension) should be enabled by
default.

In addition this change enables OCSP (Online Certificate Status Protocol)
support for esp-tls clients using the wolfSSL backend.
The 3 code lines enable OCSP stapling v1.
By default this feature is disabled.
(I will send another PR on esp-wolfssl repository to allow to
enable it easily.)
frankencode committed May 30, 2024
1 parent 05d3c06 commit d2d43bb
Showing 1 changed file with 24 additions and 1 deletion.
25 changes: 24 additions & 1 deletion components/esp-tls/esp_tls_wolfssl.c
Expand Up @@ -288,6 +288,11 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
free(use_host);
return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
}
/* Mimic the semantics of mbedtls_ssl_set_hostname() */
if ((ret = wolfSSL_CTX_UseSNI(tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, use_host, strlen(use_host))) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_UseSNI failed, returned %d", ret);
return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
}
free(use_host);
}

Expand All @@ -310,6 +315,24 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
#endif /* CONFIG_WOLFSSL_HAVE_ALPN */
}

#ifdef CONFIG_WOLFSSL_HAVE_OCSP
/* enable OCSP certificate status check for this TLS context */
if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret);
return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
}
/* enable OCSP stapling for this TLS context */
if ((ret = wolfSSL_CTX_EnableOCSPStapling((WOLFSSL_CTX *)tls->priv_ctx )) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSPStapling failed, returned %d", ret);
return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
}
/* set option to use OCSP v1 stapling with nounce extension */
if ((ret = wolfSSL_UseOCSPStapling((WOLFSSL *)tls->priv_ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_UseOCSPStapling failed, returned %d", ret);
return ESP_ERR_WOLFSSL_SSL_SETUP_FAILED;
}
#endif /* CONFIG_WOLFSSL_HAVE_OCSP */

wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
return ESP_OK;
}
Expand Down Expand Up @@ -526,7 +549,7 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls)

esp_err_t esp_wolfssl_init_global_ca_store(void)
{
/* This function is just to provide consistancy between function calls of esp_tls.h and wolfssl */
/* This function is just to provide consistency between function calls of esp_tls.h and wolfssl */
return ESP_OK;
}
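Review bot: The new SNI error path in the first hunk leaks `use_host`: the `wolfSSL_CTX_UseSNI` failure branch returns `ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED` directly, whereas the preceding `wolfSSL_set_tlsext_host_name` failure branch does `free(use_host);` before returning, and the only `free(use_host)` after the new check sits on the success path. The branch should read `free(use_host); return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;` so an SNI setup failure does not leak the hostname copy on every failed connect. Separately, in the second hunk `WOLFSSL_OCSP_CHECKALL` combined with `WOLFSSL_CSR_OCSP_USE_NONCE` presumably makes the handshake hard-fail whenever a server staples nothing (falling back to a direct responder lookup the device may not be able to perform) or staples a response without the requested nonce, which is common with CDNs; this fail-closed behaviour is a reasonable security default but is worth confirming against wolfSSL's OCSP handling and documenting next to the `CONFIG_WOLFSSL_HAVE_OCSP` block. `set_client_config` begins before the first hunk and ends inside the second.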
