lwIP: require TLS certificate verification when CA is configured

[Old-Ding]

why to submit this PR

ALTCP TLS client configurations should require server certificate verification when a CA certificate is configured. This keeps certificate validation in the TLS configuration layer and makes the configured trust anchor effective.

what is your solution

Use MBEDTLS_SSL_VERIFY_REQUIRED for client TLS configurations that provide a CA certificate. Keep the existing optional verification mode for server configurations and client configurations without a CA certificate to preserve current compatibility.

provide the config and bsp

• BSP: bsp/bouffalo_lab/bl808/m0
• .config: CONFIG_RT_USING_LWIP212=y, CONFIG_PKG_USING_MBEDTLS=y
• action: no fork action run was available after pushing the branch

validation

• git diff --check
• static source check confirmed both altcp_tls_create_config_client() and altcp_tls_create_config_client_2wayauth() use the shared client configuration path
• scons -j4 in bsp/bouffalo_lab/bl808/m0 did not reach compilation because the configured toolchain path /opt/Xuantie-900-gcc-elf-newlib-x86_64-V2.6.1/bin is not available on this Windows host

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

👋 感谢您对 RT-Thread 的贡献！Thank you for your contribution to RT-Thread!

为确保代码符合 RT-Thread 的编码规范，请在你的仓库中执行以下步骤运行代码格式化工作流（如果格式化CI运行失败）。
To ensure your code complies with RT-Thread's coding style, please run the code formatting workflow by following the steps below (If the formatting of CI fails to run).

---

🛠 操作步骤 | Steps

1. 前往 Actions 页面 | Go to the Actions page
   点击进入工作流 → | Click to open workflow →

2. 点击 Run workflow | Click Run workflow

• 设置需排除的文件/目录（目录请以"/"结尾）
  Set files/directories to exclude (directories should end with "/")
• 将目标分支设置为 \ Set the target branch to：fix/lwip-altcp-tls-verify
• 设置PR number为 \ Set the PR number to：11523

3. 等待工作流完成 | Wait for the workflow to complete
   格式化后的代码将自动推送至你的分支。
   The formatted code will be automatically pushed to your branch.

完成后，提交将自动更新至 fix/lwip-altcp-tls-verify 分支，关联的 Pull Request 也会同步更新。
Once completed, commits will be pushed to the fix/lwip-altcp-tls-verify branch automatically, and the related Pull Request will be updated.

如有问题欢迎联系我们，再次感谢您的贡献！💐
If you have any questions, feel free to reach out. Thanks again for your contribution!

[github-actions]

📌 Code Review Assignment

🏷️ Tag: components

Reviewers: @Maihuanyi

Changed Files (Click to expand)

• components/net/lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c

---

📊 Current Review Status (Last Updated: 2026-06-27 03:38 CST)

• ⌛ @Maihuanyi Pending Review

---

📝 Review Instructions

1. 维护者可以通过单击此处来刷新审查状态: 🔄 刷新状态
   Maintainers can refresh the review status by clicking here: 🔄 Refresh Status

2. 确认审核通过后评论 LGTM/lgtm
   Comment LGTM/lgtm after confirming approval

3. PR合并前需至少一位维护者确认
   PR must be confirmed by at least one maintainer before merging

ℹ️ 刷新CI状态操作需要具备仓库写入权限。
ℹ️ Refresh CI status operation requires repository Write permission.

[github-actions]

MemBrowse Memory Report

No memory changes detected for:

• at32f415-start
• esp32-c3
• gd32105r-start
• hc32f334
• hpmicro-hpm5301evklite
• infineon-psoc6
• k230
• loongson-ls1cdev
• nordic-nrf51822
• nuvoton-m487
• nxp-lpc1114
• qemu-virt64-aarch64
• raspberry-pico-rp2040
• renesas-ra2l1
• simulator
• stm32f407-rt-spark
• stm32l475-atk-pandora-llvm
• wch-ch32v208w-r0
• x86
• xuantie-e901plus