feat(mqtt): enable custom TLS cipher suites for MQTTs

danghb · glmfe · commit 00cc9dbd9af0 · 2025-05-21T10:05:00.000+02:00
- Add `ciphersuites_list` to `esp_mqtt_client_config_t` for specifying TLS cipher suites.
- Update SSL transport configuration to use the provided cipher suites.
- Users are responsible for managing the cipher suites list memory.
diff --git a/include/mqtt_client.h b/include/mqtt_client.h
@@ -274,6 +274,8 @@ typedef struct esp_mqtt_client_config_t {
                                                                If NULL, server certificate CN must match hostname.
                                                                This is ignored if skip_cert_common_name_check=true.
                                                   It's not copied nor freed by the client, user needs to clean up.*/
+            const int *ciphersuites_list;    /*!< Pointer to a zero-terminated array of IANA identifiers of TLS cipher suites. 
+                                              Please ensure the validity of the list, and note that it is not copied or freed by the client. */
         } verification; /*!< Security verification of the broker */
     } broker; /*!< Broker address and security verification */
     /**
diff --git a/lib/include/mqtt_client_priv.h b/lib/include/mqtt_client_priv.h
@@ -85,6 +85,7 @@ typedef struct {
     int clientkey_password_len;
     bool use_global_ca_store;
     esp_err_t ((*crt_bundle_attach)(void *conf));
+    const int *ciphersuites_list;
     const char *cacert_buf;
     size_t cacert_bytes;
     const char *clientcert_buf;
diff --git a/mqtt_client.c b/mqtt_client.c
@@ -158,6 +158,12 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
                      goto esp_mqtt_set_transport_failed);
 
     }
+
+    if(cfg->ciphersuites_list)
+    {
+        esp_transport_ssl_set_ciphersuites_list(ssl,cfg->ciphersuites_list);
+    }
+
     if (cfg->psk_hint_key) {
 #if defined(MQTT_SUPPORTED_FEATURE_PSK_AUTHENTICATION) && MQTT_ENABLE_SSL
 #ifdef CONFIG_ESP_TLS_PSK_VERIFICATION
@@ -578,6 +584,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     client->config->cacert_bytes = config->broker.verification.certificate_len;
     client->config->psk_hint_key = config->broker.verification.psk_hint_key;
     client->config->crt_bundle_attach = config->broker.verification.crt_bundle_attach;
+    client->config->ciphersuites_list = config->broker.verification.ciphersuites_list;
     client->config->clientcert_buf = config->credentials.authentication.certificate;
     client->config->clientcert_bytes = config->credentials.authentication.certificate_len;
     client->config->clientkey_buf = config->credentials.authentication.key;
