0xFEEDC0DE64
Contributor

I want to serve my webinterface via https to smartphones and the manufacturer should have special permissions and we authenticate developers or production using client key / cert. The end customer will not have such a cert. The connection should not fail, but our internal APIs will then refuse to work.

Warnings
⚠️

Some issues found for the commit messages in this PR:

  • the commit message "Allow the https server to request client certs only with OPTIONAL":
    • summary looks empty
    • type/action looks empty

Please fix these commit messages - here are some basic tips:

  • follow Conventional Commits style
  • correct format of commit message should be: <type/action>(<scope/component>): <summary>, for example fix(esp32): Fixed startup timeout issue
  • allowed types are: change,ci,docs,feat,fix,refactor,remove,revert,test
  • sufficiently descriptive message summary should be between 20 to 72 characters and start with upper case letter
  • avoid Jira references in commit messages (unavailable/irrelevant for our customers)

TIP: Install pre-commit hooks and run this check when committing (uses the Conventional Precommit Linter).

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is a public mirror of our internal git repository.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
   - At this point we may make some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests, it is merged into the default branch.
6. On the next sync from the internal git repository, the merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against 6213a90

@github-actions github-actions bot changed the title Allow the https server to request client certs only with OPTIONAL Allow the https server to request client certs only with OPTIONAL (IDFGH-16506) Sep 23, 2025
@espressif-bot espressif-bot added the Status: Opened Issue is new label Sep 23, 2025
@mahavirj
Member

mahavirj commented Sep 24, 2025

@0xFEEDC0DE64

We have a configuration knob for this here:

config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL

Please see if that can help!

Edit: Probably we should be using this config in the if block where cacert_buf is not NULL CC @Ashish285

@mahavirj mahavirj requested a review from Ashish285 September 24, 2025 05:22
@0xFEEDC0DE64
Contributor Author

Hi thanks for sharing, but it does not help, since this completely breaks the security of my mqtt broker that verifies clients. I only want it optional for the https server

Collaborator

@Ashish285 Ashish285 left a comment

Looks good to me. Maybe the new runtime config should be under ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL to have a compile-time switch available for this? So there will be a compile-time switch to enable the functionality and then a runtime config to select which server it applies to.

@0xFEEDC0DE64
Contributor Author

Do you think just offering this option all the time is a risk? If applications don't set it, behaviour should stay the same. That's why it's set to true to reduce the cert checking.

@Ashish285
Collaborator

Hi @0xFEEDC0DE64, my suggestion to have a compile-time switch is to enforce the configuration (as is the case currently). Along with the runtime check that you have enabled, we can cater to all different use cases. Having a compile-time switch also helps to enforce a secure profile.

Let me know your thoughts, we will be happy to include this PR.

Comment on lines +697 to +698
if (cfg->cacert_authmode_optional)
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
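
Review bot: The `if` at +697 selects MBEDTLS_SSL_VERIFY_OPTIONAL, and in that mode the TLS handshake completes whether the client sends no certificate or one that fails verification, so the connection succeeding says nothing about who the peer is. The documentation for `cacert_authmode_optional` should state this and tell users that any privileged handler must check the verification result itself (for example with mbedtls_ssl_get_verify_result on the session) and treat a non-zero result or a missing peer certificate as an unauthenticated client. It would also help to note that the default, with the flag unset, leaves the existing authmode untouched, so servers that rely on mandatory client verification are not affected.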

"External opinion": I would suggest adding curly braces here, to stay consistent with the rest of the code. (Which also adds curly braces even for single statements, at least as far as I can see in the context).

@Ashish285
Collaborator

Hi @0xFEEDC0DE64, thanks for the PR. I will accept it and make any changes regarding the compile-time switches internally if required.

@Ashish285
Collaborator

sha=6213a906c049d08f5bc1a372aad1577dee26fdf1

@Ashish285 Ashish285 added the PR-Sync-Merge Pull request sync as merge commit label Oct 7, 2025