fix(wolfssl): when skip_common_name is set, skip OCSP status checking, but always do SNI (IDFGH-13834)

[frankencode]

Description

This change includes two parts:

• When server certificate common name checking is disabled, OCSP status checks should also be disabled, as they cannot succeed when server's domain name is not matching its certificate's CN. (Match application programmers expectation.)

• With wolfSSL SNI should always be enabled, because wolfSSL is known to fail to handle related TLS alerts correctly when SNI is missing.

Testing

I've tested my changes with a wide coverage of different use cases performing TLS connections with the esp-http-client and esp-websocket-client libraries having wolfssl 5.7.2 (from /github.com/frankencode/esp-wolfssl) being configured as esp-tls backend and having TLS 1.3 + OCSP enabled. For a few tests I needed to disable server name checks on https connections, which I did with the esp-http-client's option skip_cert_common_name_check (which translates to skip_common_name on esp-tls layer) and this, as someone might have expected, now also disables OCSP status checks on the server's certificate. Without this change on my particular test servers I'm getting wolfSSL error -406 (invalid certificate status), which is to be expected when an OCSP status is stapled, but the server's certificate CN field is misconfigured and/or not matching its hostname. Having OCSP status checks also being disabled with the skip_common_name option meets my expectation (knowing well the security implications).

(mbedTLS still does not support OCSP stapling in any form, including a stapled status with TLS 1.3 and hence is not affected by this change.)

[github-actions]

	Messages
📖	🎉 Good Job! All checks are passing!

👋 Hello frankencode, we appreciate your contribution to this project!

---

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

---

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

---

Click to see more instructions ...

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...

We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is public mirror of our internal git repository

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests it is merged into the default branch.
5. On next sync from the internal git repository merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against a8a401e

[AdityaHPatwardhan]

Hi @frankencode Thanks for the PR.
We are planning to restructure the esp-tls component and move the TLS related part to esp-wolfssl component which would be easier to manage. Is it possible to keep this PR pending and then merge it later?
The activity may require some time to converge.

[frankencode]

Sure, no problem.