Merge branch 'feature/change_esp_tls_default_behaviour' into 'master'

esp-tls: Changed default behaviour for esp-tls client ( for security purpose)

See merge request sdk/ESP8266_RTOS_SDK!1601

Author: donghengqaz

components/esp-tls/Kconfig

@@ -31,6 +31,25 @@ menu "ESP-TLS"
             Enable support for pre shared key ciphers, supported for both mbedTLS as well as
             wolfSSL TLS library.
 
+    config ESP_TLS_INSECURE
+        bool "Allow potentially insecure options"
+        help
+            You can enable some potentially insecure options. These options should only be used for testing pusposes.
+            Only enable these options if you are very sure.
+
+    config ESP_TLS_SKIP_SERVER_CERT_VERIFY
+        bool "Skip server certificate verification by default (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
+        depends on ESP_TLS_INSECURE
+        help
+            After enabling this option the esp-tls client will skip the server certificate verification
+            by default. Note that this option will only modify the default behaviour of esp-tls client
+            regarding server cert verification. The default behaviour should only be applicable when
+            no other option regarding the server cert verification is opted in the esp-tls config
+            (e.g. crt_bundle_attach, use_global_ca_store etc.).
+            WARNING : Enabling this option comes with a potential risk of establishing a TLS connection
+            with a server which has a fake identity, provided that the server certificate
+            is not provided either through API or other mechanism like ca_store etc.
+
     config ESP_WOLFSSL_SMALL_CERT_VERIFY
         bool "Enable SMALL_CERT_VERIFY"
         depends on ESP_TLS_USING_WOLFSSL

components/esp-tls/esp_tls_mbedtls.c

@@ -445,7 +445,12 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
         return ESP_ERR_INVALID_STATE;
 #endif
     } else {
+#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
+#else
+        ESP_LOGE(TAG, "No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference");
+        return ESP_ERR_MBEDTLS_SSL_SETUP_FAILED;
+#endif
     }
 
     if (cfg->clientcert_buf != NULL && cfg->clientkey_buf != NULL) {

components/esp-tls/esp_tls_wolfssl.c

@@ -201,7 +201,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
         return ESP_ERR_INVALID_STATE;
 #endif
     } else {
+#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
         wolfSSL_CTX_set_verify( (WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_VERIFY_NONE, NULL);
+#else
+        ESP_LOGE(TAG, "No server verification option set in esp_tls_cfg_t structure. Check esp_tls API reference");
+        return ESP_ERR_WOLFSSL_SSL_SETUP_FAILED;
+#endif
     }
 
     if (cfg->clientcert_buf != NULL && cfg->clientkey_buf != NULL) {