[esp32] Default to CMN certificate bundle, saving ~51KB flash (#13574)

2026-02-08 00:31:58 +00:00 · 2026-01-27 18:02:01 -10:00
parent fe6f27c526
commit 73a249c075
4 changed files with 41 additions and 0 deletions
--- a/esphome/components/esp32/init.py
+++ b/esphome/components/esp32/init.py
@@ -55,6 +55,7 @@ from .const import (  # noqa
    KEY_ESP32,
    KEY_EXTRA_BUILD_FILES,
    KEY_FLASH_SIZE,
+    KEY_FULL_CERT_BUNDLE,
    KEY_PATH,
    KEY_REF,
    KEY_REPO,
@@ -670,6 +671,7 @@ CONF_FREERTOS_IN_IRAM = "freertos_in_iram"
 CONF_RINGBUF_IN_IRAM = "ringbuf_in_iram"
 CONF_HEAP_IN_IRAM = "heap_in_iram"
 CONF_LOOP_TASK_STACK_SIZE = "loop_task_stack_size"
+CONF_USE_FULL_CERTIFICATE_BUNDLE = "use_full_certificate_bundle"

 # VFS requirement tracking
 # Components that need VFS features can call require_vfs_select() or require_vfs_dir()
@@ -695,6 +697,18 @@ def require_vfs_dir() -> None:
    CORE.data[KEY_VFS_DIR_REQUIRED] = True


+def require_full_certificate_bundle() -> None:
+    """Request the full certificate bundle instead of the common-CAs-only bundle.
+
+    By default, ESPHome uses CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN which
+    includes only CAs with >1% market share (~51 KB smaller than full bundle).
+    This covers ~99% of websites including Let's Encrypt, DigiCert, Google, Amazon.
+
+    Call this from components that need to connect to services using uncommon CAs.
+    """
+    CORE.data[KEY_ESP32][KEY_FULL_CERT_BUNDLE] = True
+
+
 def _parse_idf_component(value: str) -> ConfigType:
    """Parse IDF component shorthand syntax like 'owner/component^version'"""
    # Match operator followed by version-like string (digit or *)
@@ -776,6 +790,9 @@ FRAMEWORK_SCHEMA = cv.Schema(
                    min=8192, max=32768
                ),
                cv.Optional(CONF_ENABLE_OTA_ROLLBACK, default=True): cv.boolean,
+                cv.Optional(
+                    CONF_USE_FULL_CERTIFICATE_BUNDLE, default=False
+                ): cv.boolean,
            }
        ),
        cv.Optional(CONF_COMPONENTS, default=[]): cv.ensure_list(
@@ -1093,6 +1110,18 @@ async def to_code(config):

    cg.add_build_flag("-Wno-nonnull-compare")

+    # Use CMN (common CAs) bundle by default to save ~51KB flash
+    # CMN covers CAs with >1% market share (~99% of websites)
+    # Components needing uncommon CAs can call require_full_certificate_bundle()
+    use_full_bundle = conf[CONF_ADVANCED].get(
+        CONF_USE_FULL_CERTIFICATE_BUNDLE, False
+    ) or CORE.data[KEY_ESP32].get(KEY_FULL_CERT_BUNDLE, False)
+    add_idf_sdkconfig_option(
+        "CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL", use_full_bundle
+    )
+    if not use_full_bundle:
+        add_idf_sdkconfig_option("CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN", True)
+
    add_idf_sdkconfig_option(f"CONFIG_IDF_TARGET_{variant}", True)
    add_idf_sdkconfig_option(
        f"CONFIG_ESPTOOLPY_FLASHSIZE_{config[CONF_FLASH_SIZE]}", True
--- a/esphome/components/esp32/const.py
+++ b/esphome/components/esp32/const.py
@@ -12,6 +12,7 @@ KEY_REFRESH = "refresh"
 KEY_PATH = "path"
 KEY_SUBMODULES = "submodules"
 KEY_EXTRA_BUILD_FILES = "extra_build_files"
+KEY_FULL_CERT_BUNDLE = "full_cert_bundle"

 VARIANT_ESP32 = "ESP32"
 VARIANT_ESP32C2 = "ESP32C2"
--- a/esphome/components/http_request/init.py
+++ b/esphome/components/http_request/init.py
@@ -165,6 +165,16 @@ async def to_code(config):
                    ca_cert_content = f.read()
                cg.add(var.set_ca_certificate(ca_cert_content))
            else:
+                # Uses the certificate bundle configured in esp32 component.
+                # By default, ESPHome uses the CMN (common CAs) bundle which covers
+                # ~99% of websites including GitHub, Let's Encrypt, DigiCert, etc.
+                # If connecting to services with uncommon CAs, components can call:
+                #   esp32.require_full_certificate_bundle()
+                # Or users can set in their config:
+                #   esp32:
+                #     framework:
+                #       advanced:
+                #         use_full_certificate_bundle: true
                esp32.add_idf_sdkconfig_option(
                    "CONFIG_MBEDTLS_CERTIFICATE_BUNDLE", True
                )
--- a/tests/components/esp32/test.esp32-idf.yaml
+++ b/tests/components/esp32/test.esp32-idf.yaml
@@ -7,6 +7,7 @@ esp32:
      enable_lwip_mdns_queries: true
      enable_lwip_bridge_interface: true
      disable_libc_locks_in_iram: false  # Test explicit opt-out of RAM optimization
+      use_full_certificate_bundle: false  # Test CMN bundle (default)

 wifi:
  ssid: MySSID