Support loading CA certs with unsupported extensions (IDFGH-2307)

[ryankurte]

Hey hi,

This PR adds support for CA certificates with critical extensions unsupported by mbedtls (fixes esp-tls: mbedtls_x509_crt_parse returned -0x2562 when loading CA certificates with critical Name Constraints).

• Added KConfig to mbedtls module
• Added config option to mbedtls/esp_config.h

(It's be awesome if it was possible to land this in 4.0 but I wasn't sure what to open the PR against)

[claassistantio]

All committers have signed the CLA.

[mahavirj]

@ryankurte This is not recommended config option per https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/config.h#L1875, I wonder if we should expose this through kconfig. Could you please help to elaborate on requirement? (CC @projectgus)

[ryankurte]

Hey thanks for the reply, we use name constraints on our internal TLS infrastructure which are unsupported by mbed-tls, leaving us with the option to disable this or to re-issue our infrastructure without name constraints.

If y'all don't want it in the kconfig we can just define it globally in our projects, it was however pretty annoying to track down so might make a good addition to the TLS docs somewhere?

[projectgus]

@mahavirj @ryankurte What about adding a "Show configurations with potential security risks" option to the mbedTLS menu that defaults to n, and make any non-recommended items depend on this being set first?

[ryankurte]

seems reasonable, something like this?

[projectgus]

Hi @ryankurte,

Yes, something like that! There is a way to do it without moving all these config items under the parent, something like visible if instead of depends. But I think it's fine either way.

[mahavirj]

@ryankurte Thanks for changes. I will put this up in our internal review queue.