Problem:
1. In low-memory scenarios, the dynamic buffer feature can fail due to memory fragmentation.
2. It requires a contiguous 16KB heap chunk, but continuous allocation and deallocation of
the RX buffer can lead to fragmentation.
3. If another component allocates memory between these operations, it can break up the
available 16KB block, causing allocation failure.
Solution:
1. Introduce configurable strategy for using dynamic buffers in TLS connections.
2. For example, convert RX buffers to static after the TLS handshake.
3. Allow users to select the strategy via a new field in the esp_http_client_cfg_t structure.
4. The strategy can be controlled independently for each TLS session.
feat(mbedtls): add support for dynamic buffer for TLS1.3
Closes IDFGH-14708, IDF-12469, IDF-9178, and IDF-1725
See merge request espressif/esp-idf!38258
Added the option to define tls_handshake_timeout value
for the esp_tls_server_session_create API.
At the moment, the API gets stuck infinitely if
the handshake is blocked on receiving more data
and the peer connection has closed due to some issue.
Closes https://github.com/espressif/esp-idf/issues/14999
feat(esp-tls): add option to enable/disable the full set of OCSP checks for wolfSSL (GitHub PR)
Closes IDFGH-13619
See merge request espressif/esp-idf!33700
Previously the *data parameter of esp_tls_conn_read
was required to be non-NULL after espressif/esp-idf!28358.
This prevents users from using a functionality in esp_tls_conn_read
where calling `esp_tls_conn_read(ctx, NULL, 0);` triggers the
transfer of contents from tcp layer to mbedtls (ssl) layer.
After this the user can read the contents from
esp_tls_get_bytes_avail().
This commit removes the additional NULL check on the data field
to keep this functionality enabled.
Almost all sites these days are virtually hosted and hence
SNI (server name indicator TLS extension) should be enabled by
default.
In addition this change enables OCSP (online server status protocol)
support for esp-tls clients using the wolfSSL backend.
The 3 code lines enable OCSP stapling v1.
By default this feature is disabled.
(I will send another PR on esp-wolfssl repository to allow to
enable it easily.)
This change makes the wolfSSL backend send the complete TLS client certificate
chain. This aligns the wolfSSL backend with the behavior of the mbedTLS backend.
Some servers need the intermediate certificates to verify a client certificate.
If the provided PEM file contains only a single certificate, this change has no effect
and the behavior will be as before.
This impacts higher level APIs to function as someone would expect.
E.g.: esp_websocket_client_config_t.client_cert: when passing here a pem
file containing 2 certificates (the CA's and the client's) it would be
expected that both are transmitted during TLS handshake.
* Users can now use libbsd string.h and sys/cdefs.h functionality
(e.g., strlcpy, containerof) on Linux by just including
string.h or sys/cdefs.h. In other words, the includes are the same
on the Linux target as well as on chips targets (ESP32, etc.).
* libbsd linking is done by the linux component (belongs to common
components) now instead of handling it separately in each component
Only pull in direct dependencies for the test apps, reducing build time
as well as making it possible for CI to determine if the test should run or not
when dependencies are changed.
- ESP32-WROOM-32SE has been discontinued and marked as NRND
- This change removes all references to ESP32-WROOM-32SE from IDF
- The example has been migrated to esp-cryptoauthlib repository and it
can be used through the component manager
(https://components.espressif.com/components/espressif/esp-cryptoauthlib)
HTTPD_SSL_CONFIG_DEFAULT used to be a MACRO and hence used to return
a const pointer. With a recent change it started not returning a
const variable. This change reverts the function to its MACRO form.
Updated the https_server example to use static declaration