From 74a7558c346a96bb6c37ee515a54fed858a56e30 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 19 Feb 2026 12:23:04 -0800 Subject: [PATCH] Improvements to the STM32 ports --- src/http/httpd.c | 4 +- src/port/{stm32h563 => }/certs.h | 2 +- src/port/stm32h563/Makefile | 44 ++++++----- src/port/stm32h563/README.md | 40 +++++----- src/port/stm32h563/main.c | 14 +++- src/port/stm32h753/Makefile | 56 +++++++++----- src/port/stm32h753/README.md | 46 +++++++----- src/port/stm32h753/main.c | 125 +++++++++++++++++++++++++++---- 8 files changed, 238 insertions(+), 93 deletions(-) rename src/port/{stm32h563 => }/certs.h (97%) diff --git a/src/http/httpd.c b/src/http/httpd.c index 429a6d8..92dfeeb 100644 --- a/src/http/httpd.c +++ b/src/http/httpd.c @@ -119,9 +119,9 @@ void http_send_response_headers(struct http_client *hc, int status_code, const c } else { snprintf(txt_response, sizeof(txt_response), "HTTP/1.1 %d %s\r\n" "Content-Type: %s\r\n" - "Content-Length: %zu\r\n" + "Content-Length: %lu\r\n" "\r\n", - status_code, status_text, content_type, content_length); + status_code, status_text, content_type, (unsigned long)content_length); } if (hc->ssl) { rc = wolfSSL_write(hc->ssl, txt_response, strlen(txt_response)); diff --git a/src/port/stm32h563/certs.h b/src/port/certs.h similarity index 97% rename from src/port/stm32h563/certs.h rename to src/port/certs.h index 9346a28..d794a92 100644 --- a/src/port/stm32h563/certs.h +++ b/src/port/certs.h @@ -1,6 +1,6 @@ /* certs.h * - * Embedded TLS certificates for STM32H563 wolfIP example + * Embedded TLS test certificates for wolfIP examples * * Copyright (C) 2024 wolfSSL Inc. * diff --git a/src/port/stm32h563/Makefile b/src/port/stm32h563/Makefile index 2fe93b9..dfbe9d2 100644 --- a/src/port/stm32h563/Makefile +++ b/src/port/stm32h563/Makefile 
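Review bot: The `snprintf` call edited in the httpd.c hunk still discards its return value, and the `wolfSSL_write` that follows sends `strlen(txt_response)` bytes, so an over-long `status_text` or `content_type` would go out as silently truncated headers, possibly without the terminating blank line. Store the result in an `int n` and stop on truncation: `if (n < 0 || (size_t)n >= sizeof(txt_response)) return;`. The declaration of `txt_response` and the start of `http_send_response_headers` are outside the hunk, so whether current callers can reach this is not visible here. The `(unsigned long)` cast is harmless on the 32-bit targets but narrows `size_t` on LLP64 hosts, and httpd.c is shared code; a one-line comment saying why `%zu` was dropped would keep it from being reverted.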
@@ -11,15 +11,29 @@ TZEN ?= 0 # Requires wolfSSL cloned alongside wolfip (or set WOLFSSL_ROOT) ENABLE_TLS ?= 0 -# HTTPS web server: set ENABLE_HTTPS=1 to include HTTPS web server (requires TLS) +# HTTPS web server: set ENABLE_HTTPS=1 to include HTTPS web server +# Automatically enables TLS if needed ENABLE_HTTPS ?= 0 -# SSH support: set ENABLE_SSH=1 to include wolfSSH server (requires TLS) +# SSH support: set ENABLE_SSH=1 to include wolfSSH server +# Automatically enables TLS if needed ENABLE_SSH ?= 0 -# MQTT support: set ENABLE_MQTT=1 to include wolfMQTT client (requires TLS) +# MQTT support: set ENABLE_MQTT=1 to include wolfMQTT client +# Automatically enables TLS if needed ENABLE_MQTT ?= 0 +# Auto-enable TLS when any feature that requires it is enabled +ifeq ($(ENABLE_HTTPS),1) + ENABLE_TLS = 1 +endif +ifeq ($(ENABLE_SSH),1) + ENABLE_TLS = 1 +endif +ifeq ($(ENABLE_MQTT),1) + ENABLE_TLS = 1 +endif + # Library paths - default to sibling directories (clone alongside pattern) WOLFSSL_ROOT ?= $(ROOT)/../wolfssl WOLFSSH_ROOT ?= $(ROOT)/../wolfssh @@ -28,7 +42,7 @@ WOLFMQTT_ROOT ?= $(ROOT)/../wolfmqtt # Base compiler flags CFLAGS := -mcpu=cortex-m33 -mthumb -mcmse -Os -ffreestanding -fdata-sections -ffunction-sections CFLAGS += -g -ggdb -Wall -Wextra -Werror -CFLAGS += -I. -I$(ROOT) -I$(ROOT)/src -I$(ROOT)/src/port/stm32 +CFLAGS += -I. -I$(ROOT) -I$(ROOT)/src -I$(ROOT)/src/port -I$(ROOT)/src/port/stm32 CFLAGS += -DSTM32H5 # Relaxed warnings for external libraries (wolfSSL has many unused var warnings) @@ -70,14 +84,8 @@ SRCS += tls_server.c SRCS += tls_client.c SRCS += $(ROOT)/src/port/wolfssl_io.c -# HTTPS web server (requires TLS) - uses existing wolfIP httpd +# HTTPS web server - uses existing wolfIP httpd ifeq ($(ENABLE_HTTPS),1) - -# HTTPS requires TLS -ifeq ($(ENABLE_TLS),0) - $(error ENABLE_HTTPS=1 requires ENABLE_TLS=1) -endif - CFLAGS += -DENABLE_HTTPS SRCS += $(ROOT)/src/http/httpd.c endif 
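Review bot: The auto-enable block sets `ENABLE_TLS = 1` with a plain assignment, which GNU make ignores when `ENABLE_TLS=0` is given on the command line, and the `$(error ... requires ENABLE_TLS=1)` guards that used to catch that combination are removed in the later hunks of this file. With `make ENABLE_TLS=0 ENABLE_SSH=1` the SSH and MQTT sections would then be processed without the wolfSSL block. The HTTPS section appears to sit inside the TLS block, so there the HTTPS server would be left out of the image with no message. Use `override ENABLE_TLS = 1` inside each `ifeq`, or keep a single `$(error ...)` check placed after the auto-enable block. The same pattern is added to src/port/stm32h753/Makefile, where the HTTPS section is moved outside the `ENABLE_TLS` block.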
@@ -127,15 +135,10 @@ SRCS += $(WOLFSSL_SRCS) endif # ENABLE_TLS # ----------------------------------------------------------------------------- -# SSH Support (wolfSSH) - requires TLS +# SSH Support (wolfSSH) # ----------------------------------------------------------------------------- ifeq ($(ENABLE_SSH),1) -# SSH requires TLS -ifeq ($(ENABLE_TLS),0) - $(error ENABLE_SSH=1 requires ENABLE_TLS=1) -endif - # Validate wolfSSH exists ifeq ($(wildcard $(WOLFSSH_ROOT)/wolfssh/ssh.h),) $(error wolfSSH not found at $(WOLFSSH_ROOT). Clone it: git clone https://github.com/wolfSSL/wolfssh.git) @@ -167,15 +170,10 @@ $(WOLFSSH_ROOT)/%.o: $(WOLFSSH_ROOT)/%.c endif # ENABLE_SSH # ----------------------------------------------------------------------------- -# MQTT Support (wolfMQTT) - requires TLS +# MQTT Support (wolfMQTT) # ----------------------------------------------------------------------------- ifeq ($(ENABLE_MQTT),1) -# MQTT requires TLS -ifeq ($(ENABLE_TLS),0) - $(error ENABLE_MQTT=1 requires ENABLE_TLS=1) -endif - # Validate wolfMQTT exists ifeq ($(wildcard $(WOLFMQTT_ROOT)/wolfmqtt/mqtt_client.h),) $(error wolfMQTT not found at $(WOLFMQTT_ROOT). Clone it: git clone https://github.com/wolfSSL/wolfMQTT.git) diff --git a/src/port/stm32h563/README.md b/src/port/stm32h563/README.md index 2a50974..a53eb88 100644 --- a/src/port/stm32h563/README.md +++ b/src/port/stm32h563/README.md @@ -8,7 +8,7 @@ This directory contains a bare-metal port of wolfIP for the STM32H563 microcontr ```bash cd src/port/stm32h563 CC=arm-none-eabi-gcc OBJCOPY=arm-none-eabi-objcopy \ - make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 + make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 ``` 2. **Flash to board:** 
@@ -321,15 +321,16 @@ make ENABLE_TLS=1 WOLFSSL_ROOT=/path/to/wolfssl ### Building with HTTPS Web Server -The HTTPS web server provides a status page accessible via browser: +The HTTPS web server provides a status page accessible via browser. +TLS is automatically enabled: ```bash -make ENABLE_TLS=1 ENABLE_HTTPS=1 +make ENABLE_HTTPS=1 ``` ### Building with SSH Server -SSH server requires both wolfSSL and wolfSSH: +SSH server requires wolfSSH. TLS is automatically enabled: ```bash # Clone wolfSSH alongside wolfip @@ -337,21 +338,22 @@ cd /path/to/parent git clone https://github.com/wolfSSL/wolfssh.git # Build with SSH support -make ENABLE_TLS=1 ENABLE_SSH=1 +make ENABLE_SSH=1 ``` Or specify a custom wolfSSH path: ```bash -make ENABLE_TLS=1 ENABLE_SSH=1 WOLFSSH_ROOT=/path/to/wolfssh +make ENABLE_SSH=1 WOLFSSH_ROOT=/path/to/wolfssh ``` ### Full Featured Build -Build with all features (TLS echo, HTTPS web server, and SSH shell): +Build with all features (TLS echo, HTTPS web server, and SSH shell). +TLS is automatically enabled when any feature that requires it is set: ```bash -make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 +make ENABLE_HTTPS=1 ENABLE_SSH=1 ``` This provides: @@ -434,7 +436,7 @@ The self-signed certificate warning is expected for development. Replace with a ### TLS Client (Google Test) -The TLS build includes a client example that connects to Google over HTTPS to verify outbound TLS connectivity. This runs automatically ~5 seconds after boot. +The TLS build includes a client example that connects to Google over HTTPS to verify outbound TLS connectivity. This runs automatically after boot. **Example Output:** ``` 
@@ -472,7 +474,7 @@ The TLS configuration is in `user_settings.h`: | File | Description | |------|-------------| | `user_settings.h` | wolfSSL compile-time configuration | -| `certs.h` | Embedded ECC P-256 test certificate | +| `../certs.h` | Embedded ECC P-256 test certificate (shared) | | `tls_server.c/h` | TLS echo server implementation | | `tls_client.c/h` | TLS client (for outbound connections) | @@ -497,7 +499,7 @@ When built with `ENABLE_HTTPS=1`, the device serves a status web page on port 44 ### Building HTTPS Mode ```bash -make ENABLE_TLS=1 ENABLE_HTTPS=1 +make ENABLE_HTTPS=1 ``` ### Expected Serial Output (HTTPS Mode) @@ -567,9 +569,9 @@ When built with `ENABLE_SSH=1`, the device provides an SSH shell on port 22. cd /path/to/parent git clone https://github.com/wolfSSL/wolfssh.git -# Build with SSH support (requires TLS) +# Build with SSH support (TLS automatically enabled) cd wolfip/src/port/stm32h563 -make ENABLE_TLS=1 ENABLE_SSH=1 +make ENABLE_SSH=1 ``` ### Expected Serial Output (SSH Mode) @@ -671,14 +673,14 @@ git clone https://github.com/wolfSSL/wolfMQTT.git ### Building MQTT Mode ```bash -# MQTT requires TLS -make ENABLE_TLS=1 ENABLE_MQTT=1 +# TLS is automatically enabled +make ENABLE_MQTT=1 ``` Or specify a custom wolfMQTT path: ```bash -make ENABLE_TLS=1 ENABLE_MQTT=1 WOLFMQTT_ROOT=/path/to/wolfmqtt +make ENABLE_MQTT=1 WOLFMQTT_ROOT=/path/to/wolfmqtt ``` ### Expected Serial Output (MQTT Mode) @@ -730,7 +732,7 @@ mosquitto_sub -h test.mosquitto.org -t "wolfip/status" -v Build with all features (TLS, HTTPS, SSH, and MQTT): ```bash -make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 +make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 ``` This provides: 
@@ -763,7 +765,7 @@ This provides: | `config.h` | Build configuration | | `Makefile` | Build system | | `user_settings.h` | wolfSSL/wolfSSH/wolfMQTT configuration | -| `certs.h` | Embedded TLS certificates (TLS builds only) | +| `../certs.h` | Embedded TLS certificates, shared (TLS builds only) | | `tls_server.c/h` | TLS echo server (TLS builds only) | | `tls_client.c/h` | TLS client for outbound connections (TLS builds only) | | `../http/httpd.c` | HTTPS web server - wolfIP httpd (HTTPS builds only) | @@ -799,7 +801,7 @@ If you don't see "Initializing TLS/HTTPS/SSH/MQTT" messages in UART output: **Solution:** Rebuild with required flags: ```bash CC=arm-none-eabi-gcc OBJCOPY=arm-none-eabi-objcopy \ -make clean && make ENABLE_TLS=1 ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 +make clean && make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1 ``` **Verify build:** Check that strings exist in binary: diff --git a/src/port/stm32h563/main.c b/src/port/stm32h563/main.c index 880e892..1884a8a 100644 --- a/src/port/stm32h563/main.c +++ b/src/port/stm32h563/main.c @@ -689,7 +689,19 @@ int main(void) #endif uart_puts("Entering main loop. Ready for connections!\n"); - uart_puts("Loop starting...\n"); + uart_puts(" TCP Echo: port 7\n"); +#ifdef ENABLE_TLS + uart_puts(" TLS Client: will connect to Google after ~2s\n"); +#endif +#ifdef ENABLE_HTTPS + uart_puts(" HTTPS Server: port 443\n"); +#endif +#ifdef ENABLE_SSH + uart_puts(" SSH Server: port 22\n"); +#endif +#ifdef ENABLE_MQTT + uart_puts(" MQTT Client: connecting to broker\n"); +#endif for (;;) { (void)wolfIP_poll(IPStack, tick++); diff --git a/src/port/stm32h753/Makefile b/src/port/stm32h753/Makefile index 28450e1..b5d44ce 100644 --- a/src/port/stm32h753/Makefile +++ b/src/port/stm32h753/Makefile 
@@ -3,13 +3,26 @@ OBJCOPY ?= arm-none-eabi-objcopy ROOT := ../../.. -# TLS support: set ENABLE_TLS=1 to include wolfSSL TLS client +# TLS support: set ENABLE_TLS=1 to include wolfSSL # Requires wolfSSL cloned alongside wolfip (or set WOLFSSL_ROOT) ENABLE_TLS ?= 0 -# HTTPS web server: set ENABLE_HTTPS=1 to include HTTPS web server (requires TLS) +# TLS client test: set ENABLE_TLS_CLIENT=1 to include TLS client (Google test) +# Automatically enables TLS if needed +ENABLE_TLS_CLIENT ?= 0 + +# HTTPS web server: set ENABLE_HTTPS=1 to include HTTPS web server +# Automatically enables TLS if needed ENABLE_HTTPS ?= 0 +# Auto-enable TLS when any feature that requires it is enabled +ifeq ($(ENABLE_TLS_CLIENT),1) + ENABLE_TLS = 1 +endif +ifeq ($(ENABLE_HTTPS),1) + ENABLE_TLS = 1 +endif + # Library paths - default to sibling directories WOLFSSL_ROOT ?= $(ROOT)/../wolfssl @@ -17,7 +30,7 @@ WOLFSSL_ROOT ?= $(ROOT)/../wolfssl CFLAGS := -mcpu=cortex-m7 -mthumb -mfpu=fpv5-d16 -mfloat-abi=hard CFLAGS += -Os -ffreestanding -fdata-sections -ffunction-sections CFLAGS += -g -ggdb -Wall -Wextra -Werror -CFLAGS += -I. -I$(ROOT) -I$(ROOT)/src -I$(ROOT)/src/port/stm32 +CFLAGS += -I. -I$(ROOT) -I$(ROOT)/src -I$(ROOT)/src/port -I$(ROOT)/src/port/stm32 CFLAGS += -DSTM32H7 # Relaxed warnings for external libraries @@ -46,14 +59,13 @@ CFLAGS += -DWOLFSSL_USER_SETTINGS CFLAGS += -DWOLFSSL_WOLFIP CFLAGS += -I$(WOLFSSL_ROOT) -# TLS client and wolfIP-wolfSSL glue -SRCS += tls_client.c +# wolfIP-wolfSSL glue SRCS += $(ROOT)/src/port/wolfssl_io.c -# HTTPS web server (requires TLS) -ifeq ($(ENABLE_HTTPS),1) -CFLAGS += -DENABLE_HTTPS -SRCS += $(ROOT)/src/http/httpd.c +# TLS client (Google test) +ifeq ($(ENABLE_TLS_CLIENT),1) +CFLAGS += -DENABLE_TLS_CLIENT +SRCS += tls_client.c endif # wolfSSL source files (minimal set for TLS 1.3 client with ECC) 
@@ -105,13 +117,21 @@ SRCS += $(WOLFSSL_SRCS) endif # ENABLE_TLS +# ----------------------------------------------------------------------------- +# HTTPS web server (requires TLS) - uses existing wolfIP httpd +# ----------------------------------------------------------------------------- +ifeq ($(ENABLE_HTTPS),1) +CFLAGS += -DENABLE_HTTPS +SRCS += $(ROOT)/src/http/httpd.c +endif + # ----------------------------------------------------------------------------- # Build rules # ----------------------------------------------------------------------------- OBJS := $(patsubst %.c,%.o,$(SRCS)) all: app.bin - @echo "Built with ENABLE_TLS=$(ENABLE_TLS) ENABLE_HTTPS=$(ENABLE_HTTPS)" + @echo "Built with ENABLE_TLS=$(ENABLE_TLS) ENABLE_TLS_CLIENT=$(ENABLE_TLS_CLIENT) ENABLE_HTTPS=$(ENABLE_HTTPS)" ifeq ($(ENABLE_TLS),1) @echo " wolfSSL: $(WOLFSSL_ROOT)" endif @@ -172,15 +192,17 @@ help: @echo " help Show this help" @echo "" @echo "Options:" - @echo " ENABLE_TLS=1 Enable TLS 1.3 client (requires wolfSSL)" - @echo " ENABLE_HTTPS=1 Enable HTTPS web server (requires TLS)" - @echo " WOLFSSL_ROOT= Path to wolfSSL (default: ../wolfssl)" - @echo " CC= C compiler (default: arm-none-eabi-gcc)" + @echo " ENABLE_TLS=1 Enable wolfSSL TLS support" + @echo " ENABLE_TLS_CLIENT=1 Enable TLS client test (Google)" + @echo " ENABLE_HTTPS=1 Enable HTTPS web server (port 443)" + @echo " WOLFSSL_ROOT= Path to wolfSSL (default: ../wolfssl)" + @echo " CC= C compiler (default: arm-none-eabi-gcc)" @echo "" @echo "Examples:" - @echo " make # Basic TCP echo (port 7)" - @echo " make ENABLE_TLS=1 # TLS 1.3 client" - @echo " make ENABLE_TLS=1 ENABLE_HTTPS=1 # TLS + HTTPS server" + @echo " make # Basic TCP echo (port 7)" + @echo " make ENABLE_HTTPS=1 # HTTPS web server" + @echo " make ENABLE_TLS_CLIENT=1 # TLS client (Google test)" + @echo " make ENABLE_TLS_CLIENT=1 ENABLE_HTTPS=1 # All features" @echo "" @echo "Testing:" @echo " nc 7 # TCP echo test" 
diff --git a/src/port/stm32h753/README.md b/src/port/stm32h753/README.md index a68446a..b2e6dde 100644 --- a/src/port/stm32h753/README.md +++ b/src/port/stm32h753/README.md @@ -45,11 +45,14 @@ STM32H753ZI microcontroller (NUCLEO-H753ZI board). # Basic TCP echo server (no TLS) make -# With TLS 1.3 client support -make ENABLE_TLS=1 +# HTTPS web server (port 443) - automatically enables TLS +make ENABLE_HTTPS=1 -# With TLS + HTTPS server -make ENABLE_TLS=1 ENABLE_HTTPS=1 +# TLS client test (connects to Google) - automatically enables TLS +make ENABLE_TLS_CLIENT=1 + +# All features +make ENABLE_TLS_CLIENT=1 ENABLE_HTTPS=1 # Clean build make clean @@ -99,10 +102,18 @@ nc 7 ### TLS Client Test -When built with `ENABLE_TLS=1`, the device automatically connects to Google +When built with `ENABLE_TLS_CLIENT=1`, the device automatically connects to Google (142.250.189.174:443) after ~2 seconds and performs an HTTPS GET request. The response is printed on the serial console. +### HTTPS Server Test + +When built with `ENABLE_HTTPS=1`, the device runs an HTTPS web server on port 443: + +```bash +curl -k https:/// +``` + ## Memory Map | Region | Address | Size | Usage | 
@@ -160,20 +171,21 @@ Enable these in `user_settings.h`: ``` stm32h753/ -├── Makefile # Build system -├── README.md # This file -├── config.h # wolfIP configuration -├── user_settings.h # wolfSSL configuration -├── target.ld # Linker script -├── startup.c # Cortex-M7 startup code -├── ivt.c # Interrupt vector table -├── syscalls.c # Newlib stubs -├── main.c # Application entry point +├── Makefile # Build system +├── README.md # This file +├── config.h # wolfIP configuration +├── user_settings.h # wolfSSL configuration +├── target.ld # Linker script +├── startup.c # Cortex-M7 startup code +├── ivt.c # Interrupt vector table +├── syscalls.c # Newlib stubs +├── main.c # Application entry point +├── stm32_hash_register.h # STM32 HASH peripheral register definitions +├── tls_client.c # TLS 1.3 client (ENABLE_TLS_CLIENT) +├── tls_client.h # TLS client header ├── ../stm32/stm32_eth.c # Ethernet MAC/PHY driver (shared) ├── ../stm32/stm32_eth.h # Ethernet driver header (shared) -├── stm32_hash_register.h # STM32 HASH peripheral register definitions -├── tls_client.c # TLS 1.3 client -└── tls_client.h # TLS client header +└── ../certs.h # Embedded TLS test certificates (shared) ``` ## License diff --git a/src/port/stm32h753/main.c b/src/port/stm32h753/main.c index 4e7a0e1..63bc625 100644 --- a/src/port/stm32h753/main.c +++ b/src/port/stm32h753/main.c 
@@ -13,25 +13,91 @@ #include "stm32_eth.h" #ifdef ENABLE_TLS -#include "tls_client.h" #include #include -#define TLS_PORT 8443 +#endif + +#ifdef ENABLE_TLS_CLIENT +#include "tls_client.h" +#define GOOGLE_IP "142.250.189.174" +#define GOOGLE_HOST "www.google.com" +#define GOOGLE_HTTPS_PORT 443 +static int tls_client_test_started = 0; +static int tls_client_test_done = 0; #endif #ifdef ENABLE_HTTPS +#include #include "http/httpd.h" #include "certs.h" #define HTTPS_WEB_PORT 443 #endif -/* Test server for TLS client (Google) */ -#ifdef ENABLE_TLS -#define GOOGLE_IP "142.250.189.174" -#define GOOGLE_HOST "www.google.com" -#define GOOGLE_HTTPS_PORT 443 -static int tls_client_test_started = 0; -static int tls_client_test_done = 0; +#ifdef ENABLE_HTTPS +/* HTTPS server using wolfIP httpd */ +static struct httpd https_server; +static WOLFSSL_CTX *https_ssl_ctx; +static uint32_t https_uptime_sec; +static ip4 https_device_ip; + +/* Status page handler */ +static int https_status_handler(struct httpd *httpd, struct http_client *hc, + struct http_request *req) +{ + char response[512]; + char ip_str[16]; + char uptime_str[12]; + int len; + + (void)httpd; + (void)req; + + /* Format IP address (stored in network byte order) */ + { + uint8_t *b = (uint8_t *)&https_device_ip; + char *p = ip_str; + int i; + for (i = 3; i >= 0; i--) { + int val = b[i]; + if (val >= 100) { *p++ = '0' + val / 100; val %= 100; } + if (val >= 10 || b[i] >= 100) { *p++ = '0' + val / 10; val %= 10; } + *p++ = '0' + val; + if (i > 0) *p++ = '.'; + } + *p = '\0'; + } + + /* Format uptime */ + { + uint32_t val = https_uptime_sec; + char tmp[12]; + int i = 0, j = 0; + if (val == 0) { uptime_str[0] = '0'; uptime_str[1] = '\0'; } + else { + while (val > 0) { tmp[i++] = '0' + (val % 10); val /= 10; } + while (i > 0) { uptime_str[j++] = tmp[--i]; } + uptime_str[j] = '\0'; + } + } + + /* Build HTML response */ + len = snprintf(response, sizeof(response), + "wolfIP STM32H753" + "" + "

wolfIP Status

" + "" + "" + "" + "" + "
DeviceSTM32H753
IP Address%s
Uptime%s sec
TLSTLS 1.3
", + ip_str, uptime_str); + + http_send_response_headers(hc, HTTP_STATUS_OK, "OK", "text/html", len); + http_send_response_body(hc, response, len); + return 0; +} #endif #define ECHO_PORT 7 @@ -650,7 +716,7 @@ static void eth_gpio_init(void) * TLS Client Callback * ========================================================================= */ -#ifdef ENABLE_TLS +#ifdef ENABLE_TLS_CLIENT static void tls_response_cb(const char *data, int len, void *ctx) { (void)ctx; @@ -1157,7 +1223,7 @@ int main(void) (void)wolfIP_sock_bind(IPStack, listen_fd, (struct wolfIP_sockaddr *)&addr, sizeof(addr)); (void)wolfIP_sock_listen(IPStack, listen_fd, 1); -#ifdef ENABLE_TLS +#ifdef ENABLE_TLS_CLIENT uart_puts("Initializing TLS client...\n"); if (tls_client_init(IPStack, uart_puts) < 0) { uart_puts("ERROR: TLS client init failed\n"); 
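Review bot: In `https_status_handler`, the `len` returned by `snprintf` goes straight to `http_send_response_headers` and `http_send_response_body` with no range check. On truncation `snprintf` returns the length it wanted, so the body send could read past the 512-byte `response` buffer on the stack, and a negative return would turn into a very large `content_length`. Add `if (len < 0 || (size_t)len >= sizeof(response)) return -1;` before the two send calls, using whatever error value httpd expects from a handler. Whether the current page fits cannot be confirmed from this view because the markup in the format string is not shown intact. Separately, the comment says the IP is in network byte order while the loop prints bytes from index 3 down to 0, which on a little-endian core corresponds to host order; one of the two looks wrong and should be corrected.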
@@ -1166,17 +1232,44 @@ int main(void) tls_client_set_sni(GOOGLE_HOST); #endif +#ifdef ENABLE_HTTPS + uart_puts("Initializing HTTPS server on port 443...\n"); + + /* Create SSL context for HTTPS */ + https_ssl_ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()); + if (https_ssl_ctx) { + wolfSSL_CTX_use_certificate_buffer(https_ssl_ctx, + (const unsigned char *)server_cert_pem, strlen(server_cert_pem), + SSL_FILETYPE_PEM); + wolfSSL_CTX_use_PrivateKey_buffer(https_ssl_ctx, + (const unsigned char *)server_key_pem, strlen(server_key_pem), + SSL_FILETYPE_PEM); + + if (httpd_init(&https_server, IPStack, HTTPS_WEB_PORT, https_ssl_ctx) == 0) { + httpd_register_handler(&https_server, "/", https_status_handler); + uart_puts("HTTPS: Server ready on port 443\n"); + } else { + uart_puts("ERROR: HTTPS server init failed\n"); + } + } else { + uart_puts("ERROR: HTTPS SSL context failed\n"); + } +#endif + uart_puts("Entering main loop. Ready for connections!\n"); uart_puts(" TCP Echo: port 7\n"); -#ifdef ENABLE_TLS +#ifdef ENABLE_TLS_CLIENT uart_puts(" TLS Client: will connect to Google after ~2s\n"); #endif +#ifdef ENABLE_HTTPS + uart_puts(" HTTPS Server: port 443\n"); +#endif for (;;) { (void)wolfIP_poll(IPStack, tick++); delay(100000); /* ~8ms per tick (volatile loop ~80ns/iter at 400MHz) */ -#ifdef ENABLE_TLS +#ifdef ENABLE_TLS_CLIENT /* TLS client test: connect to Google after network settles */ if (!tls_client_test_started && tick > 250) { uart_puts("\n--- TLS Client Test: Connecting to Google ---\n"); @@ -1215,6 +1308,12 @@ int main(void) } #endif +#ifdef ENABLE_HTTPS + /* Update HTTPS server status info for handler */ + wolfIP_ipconfig_get(IPStack, &https_device_ip, NULL, NULL); + https_uptime_sec = (uint32_t)(tick / 125); /* ~8ms per tick */ +#endif + /* Toggle green LED every ~256K iterations as heartbeat */ if ((tick & 0x3FFFF) == 0) { led_toggle_green();
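Review bot: The results of `wolfSSL_CTX_use_certificate_buffer` and `wolfSSL_CTX_use_PrivateKey_buffer` in the new `ENABLE_HTTPS` block are ignored, so `httpd_init` runs and "HTTPS: Server ready" is printed even when the certificate or key failed to load. Check both against `WOLFSSL_SUCCESS` and free the context on failure, as sketched below. `server_key_pem` comes from the shared `certs.h`, which this commit labels as test certificates, so an image built as-is presents a private key that is public in the repository. A comment at the load call, or a build option for a provisioned key, would make that explicit. `main` starts and ends outside this hunk.

```c
    https_ssl_ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
    if (https_ssl_ctx == NULL) {
        uart_puts("ERROR: HTTPS SSL context failed\n");
    } else if (wolfSSL_CTX_use_certificate_buffer(https_ssl_ctx,
                   (const unsigned char *)server_cert_pem, strlen(server_cert_pem),
                   SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS ||
               wolfSSL_CTX_use_PrivateKey_buffer(https_ssl_ctx,
                   (const unsigned char *)server_key_pem, strlen(server_key_pem),
                   SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
        /* Test key from certs.h; do not bring the listener up without it loaded. */
        uart_puts("ERROR: HTTPS certificate/key load failed\n");
        wolfSSL_CTX_free(https_ssl_ctx);
        https_ssl_ctx = NULL;
    } else if (httpd_init(&https_server, IPStack, HTTPS_WEB_PORT, https_ssl_ctx) == 0) {
        /* … unchanged: register "/" handler and print the ready message … */
    } else {
        uart_puts("ERROR: HTTPS server init failed\n");
    }
```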