
Add support for mutual authentication in esp_http_client #2688

Closed

Conversation

AndersKaloer
Contributor

Add support for TLS mutual authentication (implemented recently in #2490) in esp_http_client.

This is very convenient for OTA updates, and has been tested with esp_https_ota and nginx.

@CLAassistant

CLAassistant commented Nov 10, 2018

CLA assistant check
All committers have signed the CLA.

@igrr igrr requested review from tuanpmt and mahavirj January 18, 2019 09:15
@kifantidis

I hope this goes on and gets implemented in the esp-idf :/ I've tried the code changes today as AndersKaloer suggests, but my code seems not to be using mutual auth.
After inserting the 2 crt pem files + the priv key + url (the link of the bin file), I got this message in return:

I (4688) event: sta ip: 10.0.0.174, mask: 255.255.255.0, gw: 10.0.0.2
I (4688) simple_ota_example: Connect to Wifi ! Start to Connect to Server....
E (5838) esp-tls: read error :-30592:
E (5838) TRANS_SSL: esp_tls_conn_read error, errno=Success errno=0
I (5838) esp_https_ota: Starting OTA...
I (5838) esp_https_ota: Writing to partition subtype 16 at offset 0x110000
I (5858) esp_https_ota: esp_ota_begin succeeded
I (5858) esp_https_ota: Please Wait. This may take time
I (5858) esp_https_ota: Connection closed,all data received
E (5868) esp_https_ota: Error: esp_ota_end failed! err=0x258. Image is invalid
E (5878) simple_ota_example: Firmware Upgrades Failed

I contacted my colleague who handles the server in order to get my hands on the server's log files.
What I found there was this message: "Re-negotiation handshake failed: Client certificate missing"
Does this mean that the client certificate is wrong, or something else? :-/

Any help would be greatly appreciated.
Best regards, Kostas

@AndersKaloer
Contributor Author

Kostas,
It is difficult to help you based on the limited information that you provide.
It seems like you are using an Apache web server. I have been able to verify the implementation with Apache2 using the SSLVerifyClient require directive. You also need to provide the SSLCACertificateFile directive in order to enable client authentication.
In addition to the directives mentioned above, SSLCertificateFile and SSLCertificateKeyFile are needed for server authentication.

There are several guides available on the Internet on how to configure mutual authentication in Apache2. I suggest you follow one of these and verify your setup using e.g. wget before you try to implement it on the ESP32.

The same thing can be achieved with nginx using the ssl_verify_client and ssl_client_certificate directives (in addition to ssl_certificate and ssl_certificate_key used for server authentication).
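The nginx side of the setup described above, as an added example that is not part of the original PR or of esp-idf; the host name and all file paths are placeholders:

```nginx
# Added example (not from the PR): nginx server block enforcing TLS mutual
# authentication for an OTA endpoint. Host name and paths are placeholders.
server {
    listen 443 ssl;
    server_name ota.example.com;

    # Server authentication: what the ESP32 validates against its CA bundle.
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # Client authentication: only certificates chaining to this CA are accepted.
    # "on" rejects the request (HTTP 400) when no client certificate is sent;
    # "optional" would let such requests through and must not be used here.
    ssl_client_certificate /etc/nginx/certs/device-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Assumed hardening, not required by the PR.
    ssl_protocols TLSv1.2 TLSv1.3;

    location /firmware/ {
        root /var/www/ota;
        access_log /var/log/nginx/ota.log;
    }
}
```

Check the server from a workstation before touching the device: `curl --cacert ca.crt --cert device.crt --key device.key https://ota.example.com/firmware/app.bin` should return the image, and the same request without `--cert`/`--key` should fail with HTTP 400.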

Contributor

@tuanpmt tuanpmt left a comment


Thank you for adding this feature to esp_http_client

@igrr igrr closed this in 8b72dc9 Jan 24, 2019
@AndersKaloer AndersKaloer deleted the https-mutual-auth branch January 26, 2019 14:13
igrr pushed a commit that referenced this pull request May 27, 2019
0xFEEDC0DE64 pushed a commit to 0xFEEDC0DE64/esp-idf that referenced this pull request May 5, 2021
* add support for CORS headers

* remove accidental function impl

* rename setCORS to enableCORS, and add aliased function enableCrossOrigin