Support TLS 1.3 #272
Comments
It appears ESP-TLS does not support TLS 1.3 yet. Initial support was added in master: espressif/esp-idf@7fd1378. After manually initializing the Mbed TLS PSA library and enabling CONFIG_MBEDTLS_DEBUG in sdkconfig, there's a different error:
So it appears CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY doesn't work anymore with TLS 1.3. This appears to be because of MBEDTLS_SSL_VERIFY_NONE not doing what's expected. MBEDTLS_SSL_VERIFY_OPTIONAL still works.

```diff
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -571,7 +571,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
{
int ret = 0;
- int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ int authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
const char *ext_oid;
```

But then we hit the next error in esp_tls:
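Review bot: changing the initialiser of `authmode` in `ssl_tls13_validate_certificate` from `MBEDTLS_SSL_VERIFY_REQUIRED` to `MBEDTLS_SSL_VERIFY_OPTIONAL` lowers the default for every TLS 1.3 handshake, not only for sessions configured with `MBEDTLS_SSL_VERIFY_NONE`: under OPTIONAL a failed chain validation is only recorded in the verify result and no longer aborts the handshake, so a connection that expected REQUIRED would proceed against an unverified server. Keep this as a local debugging hack only; the proper change is to make the function honour the configured authmode (the comment above notes that VERIFY_NONE is the setting not being respected) rather than weaken the initial value for all callers.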
At this point it's probably better to wait for a new IDF release where it is properly supported.
We have initial IDF 5.1 support and it has a new mbedtls implementation that supports TLS 1.3. Unfortunately, it errors on HTTP stream to WIS/nginx when TLS 1.3 is enabled: