fix(esp-tls): clarify skip_common_name and warn when SNI is disabled

The skip_common_name flag was named for the legacy CN field but actually
suppresses the entire mbedtls_ssl_set_hostname() call -- disabling
hostname matching against CN/SAN AND Server Name Indication. Update the
doxygen to describe the real effect, and emit a per-call WARN inside the
SNI-disable branch so debug-only use does not slip into production
unnoticed.
This commit is contained in:
Aditya Patwardhan
2026-05-10 17:44:20 +05:30
parent c5f20937bd
commit 4540181c62
2 changed files with 12 additions and 3 deletions


@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -198,8 +198,14 @@ typedef struct esp_tls_cfg {
const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
If NULL, server certificate CN must match hostname. */
bool skip_common_name; /*!< Skip any validation of server certificate CN field.
This field should be set to false for SNI to function correctly. */
bool skip_common_name; /*!< When true, esp-tls skips the call to
mbedtls_ssl_set_hostname(). This disables BOTH
server-hostname matching against the certificate
(CN/SAN) and Server Name Indication (SNI), not just
the legacy CN field. Only set on loopback / debug
clients that can tolerate the loss of hostname
authentication. Must be false for SNI to function
correctly. */
tls_keep_alive_cfg_t *keep_alive_cfg; /*!< Enable TCP keep-alive timeout for SSL connection */


@@ -931,6 +931,9 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
}
free(use_host);
} else {
ESP_LOGW(TAG, "skip_common_name=true: hostname matching and SNI disabled. "
"This disables ALL server-name authentication (CN/SAN/SNI), not just CN. "
"Only intended for loopback / debug clients.");
mbedtls_ssl_set_hostname(&tls->ssl, NULL);
}
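Review bot: The `ESP_LOGW` added at the top of the else branch is only a log-level-dependent safeguard: a build whose default or per-component log level is below WARN compiles the message out, so `skip_common_name=true` can still reach production silently, which is the situation the commit message says this prevents. If the project wants a hard guarantee, the mechanism is a compile-time or Kconfig-gated error return from this branch rather than a log line; no such option is visible in this hunk, so it would need to be added alongside. The `mbedtls_ssl_set_hostname(&tls->ssl, NULL)` call also deserves a comment stating what it gives up, e.g. `/* NULL clears any stored hostname: no CN/SAN match and no SNI extension, so the peer is authenticated only by its CA chain, not its identity. */`. Its return value is discarded while the if branch above checks the same call; with a NULL name mbedtls presumably only releases the stored hostname, so this is likely harmless, but a `(void)` cast would make that intentional. `set_client_config()` begins before this hunk and continues after it.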