TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e5862c04940b07a7c4f871e63715fcce00bf14a3
mbedtls/ChangeLog.d/mbedtls_ssl_set_hostname.txt
Minos Galanakis cc3f987c4f Changelogs: Added CVEs 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-09-29 11:34:24 +01:00

19 lines
840 B
Plaintext
Raw Blame History

Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
Reported by Daniel Stenberg.
CVE-2025-27809
Reference in New Issue View Git Blame Copy Permalink