WiFiClientSecure: robust TLS writes (loop & chunk), avoid zero-length write -> fixes sporadic MBEDTLS_ERR_NET_CONN_RESET

[prooma]

Description of Change / Summary

This PR makes TLS writes robust against partial mbedtls_ssl_write() returns and eliminates zero-length writes. It also sends large payloads in 4 KB chunks which significantly reduces MBEDTLS_ERR_NET_CONN_RESET (−0x0050) occurrences on long HTTP bodies (e.g. multipart uploads).

Motivation / Problem

In send_ssl_data() we currently call mbedtls_ssl_write(ctx, data, len) once and return as soon as it returns >0. This means we may send less than len bytes and rely on higher layers to retry. Many callers (including WiFiClientSecure::write) then return that partial size to user code, which can break long HTTP requests.
Additionally, zero-length writes were not guarded; we observed “Writing … 0 bytes” followed by peer resets during multipart uploads.

Fix

• Loop until the entire buffer is written; handle WANT_READ/WRITE correctly.
• Guard zero-length calls (len==0 -> return 0).
• Chunk large writes (4 KB), which proved more reliable with mbedTLS + some servers and access points.

Behavioral changes

• No API changes. WiFiClientSecure::write() still returns the number of bytes written, now reliably == size on success.
• Failure paths and timeouts remain unchanged.

Test Scenarios

• Reproduced with a Telegram Bot multipart sendPhoto upload. Before: frequent (-0x0050) MBEDTLS_ERR_NET_CONN_RESET mid-body, sometimes preceded by a 0-byte write; after patch: stable uploads.
• Verified on ESP32-S3; TLS handshake and certificate verification unaffected (same logs as before).
• Also verified small payloads and GET requests.

Why chunking?

Some setups are sensitive to very large TLS records and single-shot writes. Chunking to 4 KB reduces resets without measurable throughput loss and keeps memory usage predictable.

Alternatives

• Make chunk size configurable; we kept 4 KB static for simplicity.
• Do the loop in WiFiClientSecure::write() instead—this would duplicate logic; it’s more coherent in ssl_client.cpp.

Risks

• Low. The change only affects the write path; handshake/verify/reads are untouched.

Logs (before / after)

• Before: header then “Writing HTTP request with 0 bytes…” → (-80) UNKNOWN ERROR CODE (0050) (peer reset).
• After: multiple 4 KB writes; no resets; server returns 200 with JSON body.

[CLAassistant]

All committers have signed the CLA.

[github-actions]

	Messages
📖	🎉 Good Job! All checks are passing!

👋 Hello prooma, we appreciate your contribution to this project!

---

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

---

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

---

Click to see more instructions ...

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...

We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against c78c814

[lucasssvaz]

@me-no-dev PTAL

[github-actions]

Test Results

 76 files   76 suites   14m 25s ⏱️
 38 tests  38 ✅ 0 💤 0 ❌
241 runs  241 ✅ 0 💤 0 ❌

Results for commit c78c814.

♻️ This comment has been updated with latest results.

[Copilot]

Pull Request Overview

This PR fixes robustness issues in TLS writes for WiFiClientSecure by implementing complete buffer transmission, guarding against zero-length writes, and chunking large payloads to prevent connection resets.

• Refactors send_ssl_data() to loop until the entire buffer is written rather than returning on partial writes
• Adds zero-length write guards in both send_ssl_data() and NetworkClientSecure::write()
• Implements 4KB chunking for large writes to reduce MBEDTLS_ERR_NET_CONN_RESET errors

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
ssl_client.cpp	Implements robust write loop with chunking and zero-length guards
NetworkClientSecure.cpp	Adds zero-length write guard at API level

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

Memory usage test (comparing PR against master branch)

The table below shows the summary of memory usage change (decrease - increase) in bytes and percentage for each target.

Memory	FLASH [bytes]		FLASH [%]		RAM [bytes]		RAM [%]
Target	DEC	INC	DEC	INC	DEC	INC	DEC	INC
ESP32C5	0	⚠️ +46	0.00	0.00	0	0	0.00	0.00
ESP32P4	0	⚠️ +46	0.00	0.00	0	0	0.00	0.00
ESP32S3	0	⚠️ +60	0.00	⚠️ +0.01	0	0	0.00	0.00
ESP32S2	0	⚠️ +64	0.00	⚠️ +0.01	0	0	0.00	0.00
ESP32C3	0	⚠️ +46	0.00	0.00	0	0	0.00	0.00
ESP32C6	0	⚠️ +46	0.00	0.00	0	0	0.00	0.00
ESP32	0	⚠️ +64	0.00	⚠️ +0.01	0	0	0.00	0.00

Click to expand the detailed deltas report [usage change in BYTES]

Target	ESP32C5		ESP32P4		ESP32S3		ESP32S2		ESP32C3		ESP32C6		ESP32
Example	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM
libraries/HTTPClient/examples/Authorization	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/BasicHttpClient	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/BasicHttpsClient	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +48	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/CustomHeaders	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/HTTPClientEnterprise	⚠️ +46	0	-	-	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/ReuseConnection	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +64	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/HTTPClient/examples/StreamHttpClient	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +60	0
libraries/HTTPUpdate/examples/httpUpdate	0	0	0	0	0	0	0	0	0	0	0	0	0	0
libraries/HTTPUpdate/examples/httpUpdateSPIFFS	0	0	0	0	0	0	0	0	0	0	0	0	0	0
libraries/HTTPUpdate/examples/httpUpdateSecure	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/NetworkClientSecure/examples/WiFiClientInsecure	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +64	0
libraries/NetworkClientSecure/examples/WiFiClientPSK	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/NetworkClientSecure/examples/WiFiClientSecure	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/NetworkClientSecure/examples/WiFiClientSecureEnterprise	⚠️ +46	0	-	-	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/NetworkClientSecure/examples/WiFiClientSecureProtocolUpgrade	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0	⚠️ +48	0	⚠️ +46	0	⚠️ +46	0	⚠️ +56	0
libraries/NetworkClientSecure/examples/WiFiClientShowPeerCredentials	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +60	0
libraries/NetworkClientSecure/examples/WiFiClientTrustOnFirstUse	⚠️ +46	0	⚠️ +46	0	⚠️ +60	0	⚠️ +64	0	⚠️ +46	0	⚠️ +46	0	⚠️ +60	0
libraries/Update/examples/HTTP_Client_AES_OTA_Update	0	0	0	0	0	0	0	0	0	0	0	0	0	0
libraries/WiFi/examples/WiFiMultiAdvanced	⚠️ +46	0	⚠️ +46	0	⚠️ +52	0	⚠️ +56	0	⚠️ +46	0	⚠️ +46	0	⚠️ +36	0