TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 19:21:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
8893a8f33bcf95d945f72ce30a307d731e2572d3
mbedtls/ChangeLog.d/mbedtls_ssl_set_hostname.txt
David Horstmann bc7cd93b5f Add missing credit for set_hostname issue 
Correctly credit Daniel Stenberg as the reporter of the
mbedtls_ssl_set_hostname() issue. This was previously missed.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-03-25 15:59:45 +00:00

17 lines
819 B
Plaintext
Raw Blame History

Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
Reported by Daniel Stenberg.
Reference in New Issue View Git Blame Copy Permalink