TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 19:21:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
43bb98f55b639af3231a6b6edc6d46c8639ae32f
mbedtls/ChangeLog.d/mbedtls_ssl_set_hostname.txt
Minos Galanakis 43bb98f55b Changelog: Added CVE. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-03-18 16:44:06 +00:00

23 lines
1.2 KiB
Plaintext
Raw Blame History

Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname, or
enable the new compile-time option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.
The content of ssl->hostname after mbedtls_ssl_set_hostname(ssl, NULL)
has changed, see the documentation of the hostname field in the
mbedtls_ssl_context struct type for details.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
CVE-2025-27809
Reference in New Issue View Git Blame Copy Permalink