Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

From release notes: In TLS clients, if mbedtls_ssl_set_hostname() has not been called, mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted. This is because authenticating a server without knowing what name to expect is usually insecure. To restore the old behavior, either call mbedtls_ssl_set_hostname() with NULL as the hostname [...] Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: MaxF <max@max-fillinger.net> Message-Id: <20250327113356.11233-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31262.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2025-03-27 12:33:50 +01:00 · 2025-03-27 12:33:50 +01:00 · 4897c52294
commit 4897c52294
parent d167815318
1 changed files with 4 additions and 0 deletions
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@ -1246,6 +1246,10 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
    ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context);
    mbedtls_ssl_init(ks_ssl->ctx);
    mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config));
+    /* We do verification in our own callback depending on the
+     * exact configuration. We do not rely on the default hostname
+     * verification. */
+    ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));

 #if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
    /* Initialize keying material exporter, new style. */