fix(esp-tls): Use TLS 1.2 and TLS 1.3 simultaneously

This commit fixes the issue with TLS 1.2 connection when TLS 1.3 is
enabled in config.
Harshit Malpani
2023-10-04 12:19:43 +05:30
parent 199ce4c7a9
commit 27681a5073
6 changed files with 67 additions and 10 deletions


@@ -9,6 +9,7 @@
#include <inttypes.h>
#include "esp_log.h"
#include "esp_assert.h"
#include "esp_check.h"
#include "http_parser.h"
#include "http_header.h"
@@ -20,6 +21,7 @@
#include "esp_http_client.h"
#include "errno.h"
#include "esp_random.h"
#include "esp_tls.h"
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS
#include "esp_transport_ssl.h"
@@ -29,6 +31,9 @@ ESP_EVENT_DEFINE_BASE(ESP_HTTP_CLIENT_EVENT);
static const char *TAG = "HTTP_CLIENT";
ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_ANY == (int)ESP_TLS_VER_ANY, "Enum mismatch in esp_http_client and esp-tls");
ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_MAX <= (int)ESP_TLS_VER_TLS_MAX, "HTTP client supported TLS is not supported in esp-tls");
/**
* HTTP Buffer
*/
@@ -723,6 +728,7 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
}
}
esp_transport_ssl_set_tls_version(ssl, config->tls_version);
#if CONFIG_ESP_TLS_USE_SECURE_ELEMENT
if (config->use_secure_element) {
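Review bot: `config->tls_version` is handed to `esp_transport_ssl_set_tls_version()` without a range check, and the two `ESP_STATIC_ASSERT`s near `TAG` only pin `ESP_HTTP_CLIENT_TLS_VER_ANY` and the upper bound. Nothing visible guarantees that the TLS 1.2 and 1.3 enumerators carry the same values as their esp-tls counterparts, so a later renumbering on either side could silently select a different protocol version than the one the caller pinned. I would add `ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_TLS_1_2 == (int)ESP_TLS_VER_TLS_1_2, "Enum mismatch in esp_http_client and esp-tls");` plus the same line for TLS 1.3, and reject `config->tls_version >= ESP_HTTP_CLIENT_TLS_VER_MAX` in `esp_http_client_init()` before this call. The body of `esp_http_client_init()` starts and ends outside the hunk, so whether the new call sits inside the HTTPS-only `#ifdef` cannot be confirmed from here.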


@@ -78,6 +78,16 @@ typedef enum {
HTTP_TRANSPORT_OVER_SSL, /*!< Transport over ssl */
} esp_http_client_transport_t;
/*
* @brief TLS Protocol version
*/
typedef enum {
ESP_HTTP_CLIENT_TLS_VER_ANY = 0, /* No preference */
ESP_HTTP_CLIENT_TLS_VER_TLS_1_2 = 0x1, /* (D)TLS 1.2 */
ESP_HTTP_CLIENT_TLS_VER_TLS_1_3 = 0x2, /* (D)TLS 1.3 */
ESP_HTTP_CLIENT_TLS_VER_MAX, /* to indicate max */
} esp_http_client_proto_ver_t;
typedef esp_err_t (*http_event_handle_cb)(esp_http_client_event_t *evt);
/**
@@ -133,6 +143,7 @@ typedef struct {
size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
const char *client_key_password; /*!< Client key decryption password string */
size_t client_key_password_len; /*!< String length of the password pointed to by client_key_password */
esp_http_client_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
#ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
bool use_ecdsa_peripheral; /*!< Use ECDSA peripheral to use private key. */
uint8_t ecdsa_key_efuse_blk; /*!< The efuse block where ECDSA key is stored. */
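Review bot: The `tls_version` field comment does not tell a caller what a non-default value guarantees: whether `ESP_HTTP_CLIENT_TLS_VER_TLS_1_3` is an exact pin or a minimum, and what happens when the requested version is not enabled in the build configuration. With the default `ESP_HTTP_CLIENT_TLS_VER_ANY`, a zero-initialised config presumably leaves TLS 1.2 negotiable, which matters to callers who want to rule out a downgrade. If it matches the esp-tls behaviour, a comment such as `/*!< TLS protocol version to request; ESP_HTTP_CLIENT_TLS_VER_ANY (default) leaves the choice among enabled versions to the TLS stack */` would cover it. The enum block also opens with `/*` and its enumerators use plain `/* */` where the rest of the header uses `/**` and `/*!<`, so the generated API docs will probably skip them. The config struct begins and ends outside the hunk.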