From d6596eff3a6e1c8fd20e8dd5588dc48e644da85c Mon Sep 17 00:00:00 2001
From: "hrushikesh.bhosale"
Date: Tue, 7 Apr 2026 14:51:01 +0530
Subject: [PATCH] fix(https_x509_bundle): Replace unreliable external URL in https_x509_bundle example
Replace howsmyssl.com with letsencrypt.org in the https_x509_bundle example. howsmyssl.com is a third-party server that is frequently unreachable from CI, causing flaky test failures. letsencrypt.org chains to the same ISRG Root X1 CA, so the custom certificate bundle validation coverage is identical. Since letsencrypt.org was already present in the full bundle URL list, remove the duplicate entry and reduce MAX_URLS from 9 to 8. All 6 unique root CAs in the stress test are still covered. For the QEMU stress test, increase per-connection timeout from 30s to 60s and final completion timeout from 60s to 180s. QEMU emulated network is 3-5x slower than real hardware for TLS handshakes. Add flaky markers to hardware tests to handle intermittent CI lab DHCP failures that affect all Ethernet-based tests.
---
 .../main/https_x509_bundle_example_main.c | 9 ++++-----
 .../https_x509_bundle/pytest_https_x509_bundle.py | 6 ++++--
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/examples/protocols/https_x509_bundle/main/https_x509_bundle_example_main.c b/examples/protocols/https_x509_bundle/main/https_x509_bundle_example_main.c
index 33e3040cf9..5bb819f69c 100644
--- a/examples/protocols/https_x509_bundle/main/https_x509_bundle_example_main.c
+++ b/examples/protocols/https_x509_bundle/main/https_x509_bundle_example_main.c
@@ -1,7 +1,7 @@
 /* HTTPS GET Example using plain mbedTLS sockets
 *
- * Contacts the howsmyssl.com API via TLS v1.2 and reads a JSON
- * response.
+ * Connects to multiple HTTPS servers and validates their certificates
+ * using the certificate bundle.
 *
 * Adapted from the ssl_client1 example in mbedtls.
 *
@@ -44,16 +44,15 @@ #include "esp_crt_bundle.h"
 #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL
-#define MAX_URLS 9
+#define MAX_URLS 8
 #else
 #define MAX_URLS 2
 #endif
 static const char *web_urls[MAX_URLS] = {
- "https://www.howsmyssl.com/a/check",
+ "https://letsencrypt.org",
 "https://espressif.com",
 #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL
- "https://letsencrypt.org",
 "https://www.identrust.com",
 "https://www.globalsign.com",
 "https://www.sectigo.com",
diff --git a/examples/protocols/https_x509_bundle/pytest_https_x509_bundle.py b/examples/protocols/https_x509_bundle/pytest_https_x509_bundle.py
index 0c787a8097..3945899e44 100644
--- a/examples/protocols/https_x509_bundle/pytest_https_x509_bundle.py
+++ b/examples/protocols/https_x509_bundle/pytest_https_x509_bundle.py
@@ -9,6 +9,7 @@ from pytest_embedded_idf.utils import idf_parametrize
 @pytest.mark.ethernet
+@pytest.mark.flaky(reruns=2, reruns_delay=5)
 @idf_parametrize('target', ['esp32'], indirect=['target'])
 def test_examples_protocol_https_x509_bundle(dut: Dut) -> None:
 """
@@ -30,6 +31,7 @@ def test_examples_protocol_https_x509_bundle(dut: Dut) -> None:
 @pytest.mark.ethernet
+@pytest.mark.flaky(reruns=2, reruns_delay=5)
 @pytest.mark.parametrize(
 'config',
 [
@@ -69,5 +71,5 @@ def test_examples_protocol_https_x509_bundle_default_crt_bundle_stress_test(dut:
 # start test
 num_URLS = int(dut.expect(r'Connecting to (\d+) URLs', timeout=30)[1].decode())
 for _ in range(num_URLS):
- dut.expect(r'Connection established to ([\s\S]*)', timeout=30)
- dut.expect(f'Completed {num_URLS} connections', timeout=60)
+ dut.expect(r'Connection established to ([\s\S]*)', timeout=60)
+ dut.expect(f'Completed {num_URLS} connections', timeout=180)
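Review bot: `MAX_URLS` remains a hand-counted literal that must match the number of initializers in `web_urls[]`, and this hunk had to change both in lockstep (9 to 8 for one removed entry). If the count is ever larger than the list, the trailing elements are NULL pointers, which any loop bounded by `MAX_URLS` would pass on to the connection code; that loop is outside the hunk, so this part is inferred. Consider declaring `static const char *web_urls[] = {` and deriving the bound with `sizeof(web_urls) / sizeof(web_urls[0])`. The initializer list continues past the end of the hunk, so the remaining entries could not be checked against the new value of 8.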
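Review bot: The `@pytest.mark.flaky(reruns=2, reruns_delay=5)` marker added on `test_examples_protocol_https_x509_bundle`, and again on the stress test in the next hunk, reruns on any failure, not only on the DHCP problem the commit message names. In a test whose purpose is certificate-bundle validation, an intermittent handshake or verification failure would then end up reported as a pass. I would record the intent next to each marker, e.g. `# flaky: CI lab DHCP on the Ethernet runners is intermittent; a pass after a TLS/verify failure still needs triage`, and make sure reruns stay visible in the CI report. Both decorated functions continue outside their hunks.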
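Review bot: The pattern on the changed line, `r'Connection established to ([\s\S]*)'`, is greedy across newlines, so one `expect` can consume everything already buffered after the first match, including later "Connection established" lines or the final "Completed" line. When that happens the loop waits for output that is already gone, and a longer timeout only makes the failure slower. Whether it occurs in practice depends on how the output is buffered, which is not visible here. Limiting the capture to one line avoids it: `dut.expect(r'Connection established to ([^\r\n]*)', timeout=60)`. The 60 s and 180 s values also appear to apply to every parametrized config of this test rather than only QEMU, so a short comment saying why they are this large would help; the parametrize list is outside the hunk.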