Description
Is your feature request related to a problem?
The current callback functions don't appear to allow logging the IP address of an attacker on esp_https_server.
I've included a small hack to allow that.
Please note that the function I've changed also contains a strange construct with a "goto fail" in only one place; it would seem better to simplify that (by putting the failure code inline).
Describe the solution you'd like.
*** src/https_server.c.orig 2025-11-11 06:02:54.000000000 +0100
--- src/https_server.c 2025-12-25 15:24:37.745087943 +0100
***************
*** 221,229 ****
{
esp_tls_error_handle_t error_handle;
if (esp_tls_get_error_handle(tls, &error_handle) == ESP_OK) {
! esp_https_server_last_error_t last_error = {0};
! last_error.last_error = esp_tls_get_and_clear_last_error(error_handle, &last_error.esp_tls_error_code, &last_error.esp_tls_flags);
! http_dispatch_event_to_event_loop(HTTPS_SERVER_EVENT_ERROR, &last_error, sizeof(last_error));
}
esp_tls_server_session_delete(tls);
}
--- 221,233 ----
{
esp_tls_error_handle_t error_handle;
if (esp_tls_get_error_handle(tls, &error_handle) == ESP_OK) {
! // esp_https_server_last_error_t last_error = {0};
! // last_error.last_error = esp_tls_get_and_clear_last_error(error_handle, &last_error.esp_tls_error_code, &last_error.esp_tls_flags);
! // http_dispatch_event_to_event_loop(HTTPS_SERVER_EVENT_ERROR, &last_error, sizeof(last_error));
! esp_https_server_ssl_error_t error = {0};
! error.last_error = esp_tls_get_and_clear_last_error(error_handle, &error.esp_tls_error_code, &error.esp_tls_flags);
! error.sockfd = sockfd;
! http_dispatch_event_to_event_loop(HTTPS_SERVER_EVENT_SSL_ERROR, &error, sizeof(error));
}
esp_tls_server_session_delete(tls);
}
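Review bot: Putting only the descriptor in the payload (`error.sockfd = sockfd;`) makes the logged peer address depend on the socket still being open when the handler runs. The very next statement is `esp_tls_server_session_delete(tls)`, and if `http_dispatch_event_to_event_loop` queues the event rather than calling handlers inline, the fd may already be closed or reused by another client when a handler calls `getpeername()`, so the log can name the wrong address. Resolving the peer at this point and copying it into the event (for example a `struct sockaddr_storage peer` field filled by `getpeername(sockfd, (struct sockaddr *)&error.peer, &len)`) avoids that. Separately, with the three old lines commented out, `HTTPS_SERVER_EVENT_ERROR` is no longer posted here, so existing handlers silently stop seeing TLS failures; posting both events would keep them working. The function starts above the hunk, so the origin of `sockfd` is not visible.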
*** include/esp_https_server.h.orig 2025-11-11 06:02:54.000000000 +0100
--- include/esp_https_server.h 2025-12-25 15:27:35.624593426 +0100
***************
*** 28,33 ****
--- 28,34 ----
HTTPS_SERVER_EVENT_SENT_DATA, /*!< Occurs when an ESP HTTPS server sends data to the client */
HTTPS_SERVER_EVENT_DISCONNECTED, /*!< The connection has been disconnected */
HTTPS_SERVER_EVENT_STOP, /*!< This event occurs when HTTPS Server is stopped */
+ HTTPS_SERVER_EVENT_SSL_ERROR, /*!< Log cert errors (usually crawlers/attacks) */
} esp_https_server_event_id_t;
typedef enum {
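Review bot: The comment on `HTTPS_SERVER_EVENT_SSL_ERROR` describes an intended use rather than when the event is posted, and it does not name the payload type a handler must cast the event data to. The only dispatch site shown reports whatever `esp_tls_get_and_clear_last_error` returns, which is presumably not limited to certificate errors. Suggested wording: `/*!< A TLS error occurred on a connection; event data is esp_https_server_ssl_error_t */`. The enum starts above the hunk.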
***************
*** 57,62 ****
--- 58,70 ----
typedef esp_tls_last_error_t esp_https_server_last_error_t;
+ typedef struct esp_https_server_ssl_error {
+ esp_err_t last_error; /*!< error code (based on ESP_ERR_ESP_TLS_BASE) of the last occurred error */
+ int esp_tls_error_code; /*!< esp_tls error code from last esp_tls failed api */
+ int esp_tls_flags; /*!< last certification verification flags */
+ int sockfd; /*!< socket of this connection */
+ } esp_https_server_ssl_error_t;
+
/**
* @brief Callback function prototype
* Can be used to get connection or client information (SSL context)
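Review bot: `esp_https_server_ssl_error_t` repeats the three fields the old code read from `esp_https_server_last_error_t` (`last_error`, `esp_tls_error_code`, `esp_tls_flags`), so the two types can drift apart if `esp_tls_last_error_t` changes. Embedding the existing type keeps them in step: `esp_https_server_last_error_t tls_error;` followed by `int sockfd;`. The `sockfd` comment should also state whether the descriptor is still open when a handler receives the event, since that decides whether a handler may call `getpeername()` on it.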
Describe alternatives you've considered.
No response
Additional context.
No response