esp-tls: Changed default behaviour for esp-tls client ( for security

purpose)
        By default, the esp-tls client now returns an error if no server
        verification option is provided; previously it skipped verification by
        default.
        Added a config option to skip server verification by default (for testing
        purposes).
        Updated the required docs.
Aditya Patwardhan
2020-12-23 23:30:40 +05:30
committed by bot
parent e1d9abafa8
commit ca964dfbcc
4 changed files with 44 additions and 0 deletions


@@ -492,7 +492,12 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
return ESP_ERR_INVALID_STATE;
#endif
} else {
#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
#else
ESP_LOGE(TAG, "No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference");
return ESP_ERR_MBEDTLS_SSL_SETUP_FAILED;
#endif
}
if (cfg->use_secure_element) {