
danghb (Contributor)

@danghb danghb commented Apr 28, 2025

Description

  • Add ciphersuites_list to esp_mqtt_client_config_t for specifying TLS cipher suites.
  • Update SSL transport configuration to use the provided cipher suites.
  • Users are responsible for managing the cipher suites list memory.

This change allows users to flexibly select the TLS cipher suites used in MQTT communication, improving the ability to meet increasingly stringent network security certifications. By adding the ciphersuites_list to esp_mqtt_client_config_t, users now have full control over the encryption suites used in the connection, which enhances security and adaptability in various environments.

The provided cipher suite list is not copied or freed by the client, so users are responsible for managing the memory of the list.

Related

Dependent on this submitted change

espressif/esp-idf#15868

Testing

Tested by configuring the specified TLS cipher suites in the MQTT client configuration and using Wireshark to capture the packets during the TLS handshake. The captured packets were analyzed to verify that the selected cipher suites were indeed used in the communication. This method confirmed the configuration's effectiveness on ESP32-S3 with a secure MQTT broker.

```c
#include <stdlib.h>                    /* atoi */
#include "mbedtls/ssl_ciphersuites.h"  /* MBEDTLS_TLS_* cipher-suite identifiers */
#include "esp_crt_bundle.h"            /* esp_crt_bundle_attach */
#include "mqtt_client.h"               /* esp_mqtt_client_config_t */

/* 0-terminated list of permitted suites. It has static storage on purpose:
 * the client stores the pointer and neither copies nor frees the list. */
const int ETSI_EN_303645_ciphersuites_list[] = {
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    0
};

/* mqtt_config holds the application's own broker settings (URI, credentials,
 * keepalive as a string). */
esp_mqtt_client_config_t mqtt_cfg = {
    .broker.address.uri = mqtt_config.broker_uri,
    .credentials.client_id = mqtt_config.client_id,
    .credentials.username = mqtt_config.username,
    .credentials.authentication.password = mqtt_config.password,
    .session.keepalive = atoi(mqtt_config.keepalive),
    .network.timeout_ms = 5000,
    .broker.verification.crt_bundle_attach = esp_crt_bundle_attach,
    .broker.verification.ciphersuites_list = ETSI_EN_303645_ciphersuites_list,
};
```

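The description above fixes two properties of the list handed to `ciphersuites_list`: it is an int array terminated by 0, and the client keeps the caller's pointer without copying it. The following host-side lint is an added example, not code from this PR or from esp-mqtt; it checks a candidate list for those properties and for the policy the example list follows (ECDHE key exchange plus AEAD record protection only). It assumes the `MBEDTLS_TLS_*` macros carry the IANA cipher-suite numbers, which are spelled out numerically here so the file builds without ESP-IDF; `check_ciphersuites_list`, `suite_info_t` and the sample lists are this example's own names, and the sample lists are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IANA cipher-suite numbers (assumption: identical to mbedTLS's MBEDTLS_TLS_*
 * values), so a ciphersuites_list is a 0-terminated int array of these. */
#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM        0xC0AD
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM        0xC0AC
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   0xC030
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   0xC02F
/* Legacy suites, present only so the lint has something to reject. */
#define TLS_RSA_WITH_AES_128_CBC_SHA            0x002F
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   0xC027

typedef struct {
    int id;
    const char *name;
    bool forward_secret; /* ECDHE key exchange */
    bool aead;           /* GCM or CCM record protection */
} suite_info_t;

static const suite_info_t known_suites[] = {
    { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "ECDHE-ECDSA-AES256-GCM-SHA384", true,  true  },
    { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "ECDHE-ECDSA-AES128-GCM-SHA256", true,  true  },
    { TLS_ECDHE_ECDSA_WITH_AES_256_CCM,        "ECDHE-ECDSA-AES256-CCM",        true,  true  },
    { TLS_ECDHE_ECDSA_WITH_AES_128_CCM,        "ECDHE-ECDSA-AES128-CCM",        true,  true  },
    { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   "ECDHE-RSA-AES256-GCM-SHA384",   true,  true  },
    { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   "ECDHE-RSA-AES128-GCM-SHA256",   true,  true  },
    { TLS_RSA_WITH_AES_128_CBC_SHA,            "AES128-SHA",                    false, false },
    { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   "ECDHE-RSA-AES128-SHA256",       true,  false },
};

typedef enum {
    LIST_OK = 0,
    LIST_EMPTY,         /* NULL, or the 0 terminator comes first: nothing to negotiate */
    LIST_UNTERMINATED,  /* no 0 within max_len: the TLS stack would read past the end */
    LIST_UNKNOWN_SUITE, /* id not in the table above */
    LIST_WEAK_SUITE,    /* a non-ECDHE or non-AEAD suite is present */
} list_status_t;

static const suite_info_t *lookup_suite(int id)
{
    for (size_t i = 0; i < sizeof(known_suites) / sizeof(known_suites[0]); i++) {
        if (known_suites[i].id == id) {
            return &known_suites[i];
        }
    }
    return NULL;
}

/* Walk the list the way the TLS stack does (stop at the first 0), but bounded
 * by max_len so a missing terminator is reported instead of overrun. On
 * LIST_WEAK_SUITE, *offender names the first suite that failed the policy. */
list_status_t check_ciphersuites_list(const int *list, size_t max_len, const char **offender)
{
    if (offender) {
        *offender = NULL;
    }
    if (list == NULL) {
        return LIST_EMPTY;
    }
    for (size_t i = 0; i < max_len; i++) {
        if (list[i] == 0) {
            return (i == 0) ? LIST_EMPTY : LIST_OK;
        }
        const suite_info_t *s = lookup_suite(list[i]);
        if (s == NULL) {
            return LIST_UNKNOWN_SUITE;
        }
        if (!s->forward_secret || !s->aead) {
            if (offender) {
                *offender = s->name;
            }
            return LIST_WEAK_SUITE;
        }
    }
    return LIST_UNTERMINATED;
}

#define LIST_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample lists. Static storage is deliberate: the client keeps the
 * pointer, so a list on a function's stack would dangle after that function
 * returns. */
static const int policy_list[] = {
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CCM,        TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    0
};
static const int mixed_list[] = { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0 };
static const int unterminated_list[] = { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 }; /* no 0 */

int main(void)
{
    const char *who = NULL;
    printf("policy_list: %d\n", (int)check_ciphersuites_list(policy_list, LIST_LEN(policy_list), &who));
    printf("mixed_list: %d (%s)\n", (int)check_ciphersuites_list(mixed_list, LIST_LEN(mixed_list), &who), who ? who : "-");
    printf("unterminated_list: %d\n", (int)check_ciphersuites_list(unterminated_list, LIST_LEN(unterminated_list), &who));
    return 0;
}
```

The bound on `max_len` is what lets the lint catch the one mistake the TLS stack cannot: a list whose author forgot the trailing 0. In firmware the same check can run once at start-up on the array that will be passed to `esp_mqtt_client_config_t`, before the client is ever initialised.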

- Add `ciphersuites_list` to `esp_mqtt_client_config_t` for specifying TLS cipher suites.
- Update SSL transport configuration to use the provided cipher suites.
- Users are responsible for managing the cipher suites list memory.
@danghb danghb marked this pull request as ready for review April 28, 2025 07:40
@github-actions github-actions bot changed the title feat(mqtt): enable custom TLS cipher suites for MQTTs feat(mqtt): enable custom TLS cipher suites for MQTTs (IDFGH-15198) Apr 28, 2025
@euripedesrocha (Collaborator)

Hi @danghb thanks for the contribution!

The required MR got merged to IDF, but for this one we need to make it backwards compatible with older IDF versions.

A workaround to make it work is to use the get_transport function in the before connect event handler and call the API added to tcp_transport.


3 participants