mbedtls: Optimize memory usage during handshake

All the certificates in the server's chain except the client certificate
are released as soon as possible to save RAM.
They are therefore not available for examination after handshake,
but we don't care: Mongoose frees them immediately anyway
(`MG_SSL_IF_MBEDTLS_FREE_CERTS` is set).

The savings depend on the length of the chain sent by the server, with AWS it's about 7K.

mbedtLS commit for this is cesanta/mbedtls@e3b9e09

CL: mbedtls: Optimize memory usage during handshake

PUBLISHED_FROM=cbd65ab9e6c532925aa45acf95f1083ca53c4f8c

mbedtls/include/mbedtls/version.h

@@ -48,8 +48,8 @@
  *    Major version | Minor version | Patch version
  */
 #define MBEDTLS_VERSION_NUMBER         0x02100000
-#define MBEDTLS_VERSION_STRING         "2.16.0-cesanta3"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.0-cesanta3"
+#define MBEDTLS_VERSION_STRING         "2.16.0-cesanta4"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.0-cesanta4"
 
 #if defined(MBEDTLS_VERSION_C)
 

mos.yml

@@ -14,8 +14,16 @@ includes:
   - mbedtls/include
 
 cdefs:
-  MBEDTLS_X509_CA_CHAIN_ON_DISK: 1
   MBEDTLS_USER_CONFIG_FILE: '\"mbedtls_platform_config.h\"'
+  # Do not load CA chain into memory, read it from file during verification.
+  # This make handshake slower but saves a lot of memory.
+  MBEDTLS_X509_CA_CHAIN_ON_DISK: 1
+  # All the certificates in the server's chain except the client certificate
+  # are released as soon as possible to save RAM.
+  # They are therefore not available for examination after handshake,
+  # but we don't care: Mongoose frees them immediately anyway
+  # (`MG_SSL_IF_MBEDTLS_FREE_CERTS` is set).
+  MBEDTLS_FREE_CERT_CHAIN: 1
 
 config_schema:
   - ["debug.mbedtls_level", "i", 1, {title: "mbedTLS debug level"}]