From a2a95350b5d0ab559446c6f23a4774af67a750c3 Mon Sep 17 00:00:00 2001
From: Chen Wu
Date: Wed, 30 Apr 2025 15:03:30 +0800
Subject: [PATCH] feat(esp-tls): update to upstream 3.6.3
---
 components/esp-tls/esp_tls_mbedtls.c | 4 ++++
 components/mbedtls/mbedtls_v3/Kconfig | 6 ++++++
 .../mbedtls_v3/port/include/mbedtls/esp_config.h | 15 +++++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index b8791836..756a0a05 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -389,6 +389,10 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED;
 }
 free(use_host);
+#ifdef CONFIG_MBEDTLS_V3
+ } else {
+ mbedtls_ssl_set_hostname(&tls->ssl, NULL);
+#endif
 }
 if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
diff --git a/components/mbedtls/mbedtls_v3/Kconfig b/components/mbedtls/mbedtls_v3/Kconfig
index 961cc470..fffa5f82 100644
--- a/components/mbedtls/mbedtls_v3/Kconfig
+++ b/components/mbedtls/mbedtls_v3/Kconfig
@@ -1148,3 +1148,9 @@ config MBEDTLS_USE_CRYPTO_ROM_IMPL
 the flash footprint and hence care must be taken to keep some reserved space for the application binary in flash layout.
+ config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+ bool "Allow weak certificate verification"
+ default n
+ help
+ This options allows weak certificate verification by skipping the hostname verification.
+ It is not recommended to use this option.
diff --git a/components/mbedtls/mbedtls_v3/port/include/mbedtls/esp_config.h b/components/mbedtls/mbedtls_v3/port/include/mbedtls/esp_config.h
index 579b6a37..0ce60511 100644
--- a/components/mbedtls/mbedtls_v3/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/mbedtls_v3/port/include/mbedtls/esp_config.h
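Review bot: The new `mbedtls_ssl_set_hostname(&tls->ssl, NULL)` call in the added `else` branch discards its return value, while the `mbedtls_ssl_set_hostname` call a few lines above in the same function is checked and mapped to ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED; handle it the same way, `if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, NULL)) != 0) { return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED; }` (`ret` is already in scope, as the `mbedtls_ssl_config_defaults` line shows). The bare NULL call also reads like a no-op and needs a why-comment, e.g. `/* Mbed TLS 3.6.3+ fails the client handshake if no hostname was ever set; passing NULL is the explicit opt-out for the skip-CN-check path. */`. The condition this `else` pairs with is outside the hunk, so I am assuming it is the branch where the caller asked to skip hostname matching; if so, an ESP_LOGW here that hostname verification is disabled would make the weakened check visible at runtime. set_client_config starts and ends outside the hunk.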
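Review bot: The help text for MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION does not say what the option actually does or what it costs, and has a typo (`This options allows`). As far as I can tell from the third hunk it defines MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, which lets a TLS client handshake complete when mbedtls_ssl_set_hostname() was never called, so the server certificate is validated only against the CA chain and any certificate from a trusted CA is accepted for any host, which is a man-in-the-middle exposure; the help should state that plainly rather than "weak certificate verification". It should also note that esp-tls sets the hostname explicitly (the first hunk of this patch) and so does not need this option, and that it exists only for code calling Mbed TLS directly that relied on the pre-3.6.3 behaviour. A first line such as `This option lets a TLS client handshake succeed when mbedtls_ssl_set_hostname() was never called.` followed by `The peer certificate is then only checked against the trust chain, not against the intended host, allowing MITM.` would cover the security point.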
@@ -2078,6 +2078,21 @@
 #undef MBEDTLS_ERROR_C
 #endif
+/**
+ * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *
+ * Caller: library/ssl_tls.c
+ *
+ * Allow weak certificate verification without a hostname.
+ * This option is not recommended for production use.
+ */
+
+#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#else
+#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#endif
+
 /**
 * \def MBEDTLS_GCM_C
 *
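Review bot: `#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION` tests a macro that is simply absent when the Kconfig bool is off (sdkconfig.h omits disabled bools), which is legal but noisy under `-Wundef`; the rest of this header, as far as I can tell from outside the hunk, keys off `#ifdef CONFIG_...`, so `#ifdef CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION` would be the consistent form. The block comment should also describe the concrete effect instead of "weak certificate verification": with this defined a TLS client handshake no longer fails when mbedtls_ssl_set_hostname() was never called, so the peer certificate is checked only against the trust chain and not against the intended host, enabling MITM, while code that does call set_hostname (including esp-tls in this patch) is unaffected. Replace the two descriptive lines with `* Allow a TLS client handshake to proceed when mbedtls_ssl_set_hostname()` / `* was never called. The certificate is then checked only against the CA chain,` / `* not against the peer's identity, enabling MITM. Keep this disabled.`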