From 499b579986ef35a6fc6729186f1e2511ee3d9c66 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Tue, 25 Apr 2023 17:40:01 +0530 Subject: [PATCH 1/5] esp_tls: add initial support for TLS 1.3 connection --- components/esp-tls/esp_tls_mbedtls.c | 16 ++++++++++++++++ .../esp-tls/private_include/esp_tls_private.h | 3 +++ 2 files changed, 19 insertions(+) diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index c2da31965656..486e17dff2b1 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -76,6 +76,15 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const assert(tls != NULL); int ret; esp_err_t esp_ret = ESP_FAIL; + +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 + psa_status_t status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status); + return esp_ret; + } +#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 + tls->server_fd.fd = tls->sockfd; mbedtls_ssl_init(&tls->ssl); mbedtls_ctr_drbg_init(&tls->ctr_drbg); @@ -224,6 +233,13 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen) { ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); +#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS + while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { + ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); + ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); + } +#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS + if (ret < 0) { if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { return 0; diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h index 3f203bb883df..dcbb42070eab 100644 --- a/components/esp-tls/private_include/esp_tls_private.h +++ b/components/esp-tls/private_include/esp_tls_private.h @@ -26,6 +26,9 @@ #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS #include "mbedtls/ssl_ticket.h" #endif +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 +#include "psa/crypto.h" +#endif #elif CONFIG_ESP_TLS_USING_WOLFSSL #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/ssl.h" From 01631ffcb4021271c5e73672f22bc695274f0334 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Tue, 25 Apr 2023 17:41:35 +0530 Subject: [PATCH 2/5] https_mbedtls: update example to support TLS 1.3 connection - make server verification mandatory (previously it was optional) - add PSA crypto init API and handling for session ticket event - coding style fixes --- .../main/https_mbedtls_example_main.c | 48 +++++++++++-------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c index fec4e5e73205..d7da1926e93b 100644 --- a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c +++ b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c @@ -37,6 +37,9 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 +#include "psa/crypto.h" +#endif #include "esp_crt_bundle.h" @@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters) mbedtls_ssl_config conf; mbedtls_net_context server_fd; +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 + psa_status_t status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status); + return; + } +#endif + mbedtls_ssl_init(&ssl); mbedtls_x509_crt_init(&cacert); mbedtls_ctr_drbg_init(&ctr_drbg); @@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters) goto exit; } - /* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print - a warning if CA verification fails but it will continue to connect. - - You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code. - */ - mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL); mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); #ifdef CONFIG_MBEDTLS_DEBUG @@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters) #endif #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 - mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); - mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); + mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); + mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); #endif - if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) { ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret); @@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters) bzero(buf, sizeof(buf)); ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len); - if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) +#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS + if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { + ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); continue; + } +#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS + + if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) { + continue; + } - if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { + if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { ret = 0; break; } - if(ret < 0) - { + if (ret < 0) { ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret); break; } - if(ret == 0) - { + if (ret == 0) { ESP_LOGI(TAG, "connection closed"); break; } @@ -223,7 +234,7 @@ static void https_get_task(void *pvParameters) len = ret; ESP_LOGD(TAG, "%d bytes read", len); /* Print response directly to stdout as it is read */ - for(int i = 0; i < len; i++) { + for (int i = 0; i < len; i++) { putchar(buf[i]); } } while(1); @@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters) mbedtls_ssl_session_reset(&ssl); mbedtls_net_free(&server_fd); - if(ret != 0) - { + if (ret != 0) { mbedtls_strerror(ret, buf, 100); ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf); } @@ -246,7 +256,7 @@ static void https_get_task(void *pvParameters) ESP_LOGI(TAG, "Completed %d requests", ++request_count); printf("Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size()); - for(int countdown = 10; countdown >= 0; countdown--) { + for (int countdown = 10; countdown >= 0; countdown--) { ESP_LOGI(TAG, "%d...", countdown); vTaskDelay(1000 / portTICK_PERIOD_MS); } From ff03fd934a392db93cb80c87b55f3e3720fbe687 Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Mon, 17 Jul 2023 13:24:40 +0530 Subject: [PATCH 3/5] fix(esp-tls): Retry reads if using session tickets with TLS 1.3 Fixed the error that occurred while performing OTA upgrades over TLS 1.3 connection. After handshake is completed, post-handshake message is received and internal state is changed. While performing mbedtls_ssl_read(), it checks handshake state and if it is not MBEDTLS_SSL_HANDSHAKE_OVER, mbedtls_ssl_handshake is called again. --- components/esp-tls/esp_tls_mbedtls.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index 486e17dff2b1..8c1024746e85 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -234,7 +234,10 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen) ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); #if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS - while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { + // If a post-handshake message is received, connection state is changed to `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET` + // Call mbedtls_ssl_read() till state is `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET` or return code is `MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET` + // to process session tickets in TLS 1.3 connection + while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET || tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET) { ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); } From 07f2cbeb0ce0914d5d69dc93518f52ce46149d0b Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Wed, 4 Oct 2023 12:19:43 +0530 Subject: [PATCH 4/5] fix(esp-tls): Use TLS 1.2 and TLS 1.3 simultaneously This commit fixes the issue with TLS 1.2 connection when TLS 1.3 is enabled in config. --- components/esp-tls/esp_tls.h | 13 ++++++- components/esp-tls/esp_tls_mbedtls.c | 37 +++++++++++++------ components/esp_http_client/esp_http_client.c | 8 +++- .../esp_http_client/include/esp_http_client.h | 13 ++++++- .../tcp_transport/include/esp_transport_ssl.h | 10 ++++- components/tcp_transport/transport_ssl.c | 6 +++ 6 files changed, 72 insertions(+), 15 deletions(-) diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index ba510a5c8e48..3a6b76422f18 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -80,6 +80,16 @@ typedef enum esp_tls_addr_family { ESP_TLS_AF_INET6, /**< IPv6 address family. */ } esp_tls_addr_family_t; +/* +* @brief ESP-TLS TLS Protocol version +*/ +typedef enum { + ESP_TLS_VER_ANY = 0, /* No preference */ + ESP_TLS_VER_TLS_1_2 = 0x1, /* (D)TLS 1.2 */ + ESP_TLS_VER_TLS_1_3 = 0x2, /* (D)TLS 1.3 */ + ESP_TLS_VER_TLS_MAX, /* to indicate max */ +} esp_tls_proto_ver_t; + /** * @brief ESP-TLS configuration parameters * @@ -197,6 +207,7 @@ typedef struct esp_tls_cfg { #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ esp_tls_addr_family_t addr_family; /*!< The address family to use when connecting to a host. */ + esp_tls_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */ } esp_tls_cfg_t; #ifdef CONFIG_ESP_TLS_SERVER diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index 8c1024746e85..4e66902610bb 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -97,6 +97,24 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const ESP_LOGE(TAG, "Failed to set client configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); goto exit; } + const esp_tls_proto_ver_t tls_ver = ((esp_tls_cfg_t *)cfg)->tls_version; + if (tls_ver == ESP_TLS_VER_TLS_1_3) { +#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 + ESP_LOGD(TAG, "Setting TLS version to 0x%4x", MBEDTLS_SSL_VERSION_TLS1_3); + mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3); + mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3); +#else + ESP_LOGW(TAG, "TLS 1.3 is not enabled in config, continuing with default TLS protocol"); +#endif + } else if (tls_ver == ESP_TLS_VER_TLS_1_2) { + ESP_LOGD(TAG, "Setting TLS version to 0x%4x", MBEDTLS_SSL_VERSION_TLS1_2); + mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2); + mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2); + } else if (tls_ver != ESP_TLS_VER_ANY) { + ESP_LOGE(TAG, "Unsupported protocol version"); + esp_ret = ESP_ERR_INVALID_ARG; + goto exit; + } } else if (tls->role == ESP_TLS_SERVER) { #ifdef CONFIG_ESP_TLS_SERVER esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls); @@ -125,11 +143,6 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const mbedtls_esp_enable_debug_log(&tls->conf, CONFIG_MBEDTLS_DEBUG_LEVEL); #endif -#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 - mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3); - mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3); -#endif - if ((ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf)) != 0) { ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%04X", -ret); mbedtls_print_error_msg(ret); @@ -233,15 +246,17 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen) { ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); -#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS +#if CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS // If a post-handshake message is received, connection state is changed to `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET` // Call mbedtls_ssl_read() till state is `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET` or return code is `MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET` // to process session tickets in TLS 1.3 connection - while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET || tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET) { - ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); - ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); + if (mbedtls_ssl_get_version_number(&tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3) { + while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET || tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET) { + ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); + ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); + } } -#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS +#endif // CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS if (ret < 0) { if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c index c76f1830f040..0110d08795a1 100644 --- a/components/esp_http_client/esp_http_client.c +++ b/components/esp_http_client/esp_http_client.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -9,6 +9,7 @@ #include #include "esp_log.h" +#include "esp_assert.h" #include "esp_check.h" #include "http_parser.h" #include "http_header.h" @@ -20,6 +21,7 @@ #include "esp_http_client.h" #include "errno.h" #include "esp_random.h" +#include "esp_tls.h" #ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS #include "esp_transport_ssl.h" @@ -29,6 +31,9 @@ ESP_EVENT_DEFINE_BASE(ESP_HTTP_CLIENT_EVENT); static const char *TAG = "HTTP_CLIENT"; +ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_ANY == (int)ESP_TLS_VER_ANY, "Enum mismatch in esp_http_client and esp-tls"); +ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_MAX <= (int)ESP_TLS_VER_TLS_MAX, "HTTP client supported TLS is not supported in esp-tls"); + /** * HTTP Buffer */ @@ -722,6 +727,7 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len); } } + esp_transport_ssl_set_tls_version(ssl, config->tls_version); #if CONFIG_ESP_TLS_USE_SECURE_ELEMENT if (config->use_secure_element) { diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h index c125c9d468d1..4eb61871d687 100644 --- a/components/esp_http_client/include/esp_http_client.h +++ b/components/esp_http_client/include/esp_http_client.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -78,6 +78,16 @@ typedef enum { HTTP_TRANSPORT_OVER_SSL, /*!< Transport over ssl */ } esp_http_client_transport_t; +/* +* @brief TLS Protocol version +*/ +typedef enum { + ESP_HTTP_CLIENT_TLS_VER_ANY = 0, /* No preference */ + ESP_HTTP_CLIENT_TLS_VER_TLS_1_2 = 0x1, /* (D)TLS 1.2 */ + ESP_HTTP_CLIENT_TLS_VER_TLS_1_3 = 0x2, /* (D)TLS 1.3 */ + ESP_HTTP_CLIENT_TLS_VER_MAX, /* to indicate max */ +} esp_http_client_proto_ver_t; + typedef esp_err_t (*http_event_handle_cb)(esp_http_client_event_t *evt); /** @@ -133,6 +143,7 @@ typedef struct { size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */ const char *client_key_password; /*!< Client key decryption password string */ size_t client_key_password_len; /*!< String length of the password pointed to by client_key_password */ + esp_http_client_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */ #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN bool use_ecdsa_peripheral; /*!< Use ECDSA peripheral to use private key. */ uint8_t ecdsa_key_efuse_blk; /*!< The efuse block where ECDSA key is stored. */ diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h index 1d3fbc7d0e47..fd0fffcf5732 100644 --- a/components/tcp_transport/include/esp_transport_ssl.h +++ b/components/tcp_transport/include/esp_transport_ssl.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -61,6 +61,14 @@ void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((* */ void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t); +/** + * @brief Set TLS protocol version for ESP-TLS connection + * + * @param t ssl transport + * @param[in] tls_version TLS version + */ +void esp_transport_ssl_set_tls_version(esp_transport_handle_t t, esp_tls_proto_ver_t tls_version); + /** * @brief Set SSL client certificate data for mutual authentication (as PEM format). * Note that, this function stores the pointer to data, rather than making a copy. diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c index 4ef918f289c2..6d89d6ec4ee2 100644 --- a/components/tcp_transport/transport_ssl.c +++ b/components/tcp_transport/transport_ssl.c @@ -344,6 +344,12 @@ void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t) ssl->cfg.use_global_ca_store = true; } +void esp_transport_ssl_set_tls_version(esp_transport_handle_t t, esp_tls_proto_ver_t tls_version) +{ + GET_SSL_FROM_TRANSPORT_OR_RETURN(ssl, t); + ssl->cfg.tls_version = tls_version; +} + #ifdef CONFIG_ESP_TLS_PSK_VERIFICATION void esp_transport_ssl_set_psk_key_hint(esp_transport_handle_t t, const psk_hint_key_t *psk_hint_key) { From 6cad71d6386264d4184a1f0e32f74d1b115b81f5 Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Thu, 5 Oct 2023 12:10:46 +0530 Subject: [PATCH 5/5] fix: Update https_mbedtls example to fix TLS v1.2 connection --- .../protocols/https_mbedtls/main/https_mbedtls_example_main.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c index d7da1926e93b..67de0ba68a78 100644 --- a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c +++ b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c @@ -128,10 +128,6 @@ static void https_get_task(void *pvParameters) mbedtls_esp_enable_debug_log(&conf, CONFIG_MBEDTLS_DEBUG_LEVEL); #endif -#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 - mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); - mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); -#endif if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) { ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);