diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig
index 8ccd90f53fde..81d5a365fc3b 100644
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@@ -106,4 +106,12 @@ menu "ESP-TLS"
 help
 Enable detailed debug prints for wolfSSL SSL library.
 
+ config ESP_TLS_OCSP_CHECKALL
+ bool "Enabled full OCSP checks for ESP-TLS"
+ depends on ESP_TLS_USING_WOLFSSL
+ default y
+ help
+ Enable a fuller set of OCSP checks: checking revocation status of intermediate certificates,
+ optional fallbacks to CRLs, etc.
+
 endmenu
diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c
index b0f63164423d..6096d717e4fb 100644
--- a/components/esp-tls/esp_tls_wolfssl.c
+++ b/components/esp-tls/esp_tls_wolfssl.c
@@ -316,8 +316,12 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
 }
 
 #ifdef CONFIG_WOLFSSL_HAVE_OCSP
+ int ocsp_options = 0;
+#ifdef ESP_TLS_OCSP_CHECKALL
+ ocsp_options |= WOLFSSL_OCSP_CHECKALL;
+#endif
 /* enable OCSP certificate status check for this TLS context */
- if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL)) != WOLFSSL_SUCCESS) {
+ if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, ocsp_options)) != WOLFSSL_SUCCESS) {
 ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret);
 return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
 }
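Review bot: The prompt string of the new ESP_TLS_OCSP_CHECKALL option reads "Enabled full OCSP checks for ESP-TLS"; it should be the imperative `bool "Enable full OCSP checks for ESP-TLS"` to match the neighbouring prompts. The help text also does not tell the person switching it off what they lose: since the old code passed WOLFSSL_OCSP_CHECKALL unconditionally, disabling this option presumably narrows OCSP to the leaf certificate only, and the help should say so explicitly, e.g. `If disabled, only the peer's end-entity certificate is checked for revocation.` This is the documentation a reviewer needs to judge whether "default y" is the right safe default, so please make the weakening visible in the help rather than leaving it implied by "fuller set".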
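Review bot: The new `#ifdef ESP_TLS_OCSP_CHECKALL` in the OCSP block tests the bare Kconfig symbol, but Kconfig options reach C code with the CONFIG_ prefix, as the enclosing `#ifdef CONFIG_WOLFSSL_HAVE_OCSP` on the line above shows. As written the condition is never true, ocsp_options stays 0, and WOLFSSL_OCSP_CHECKALL, which the removed line passed unconditionally, is silently dropped for every build, including the Kconfig default of y; that is a revocation-checking regression that no log line or test would surface. The guard should read `#ifdef CONFIG_ESP_TLS_OCSP_CHECKALL`. It would also help to add a short comment on `int ocsp_options = 0;` noting that 0 means wolfSSL checks only the peer certificate, so the next reader sees the security consequence of the option. set_client_config begins and ends outside this hunk.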