From: cron2 (C. Review) <ge...@op...> - 2025-03-27 12:18:47
cron2 has uploaded a new patch set (#4) to the change originally created by flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/918?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by MaxF Change subject: Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ ...................................................................... Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+ >From release notes: In TLS clients, if mbedtls_ssl_set_hostname() has not been called, mbedtls_ssl_handshake() now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME if certificate-based authentication of the server is attempted. This is because authenticating a server without knowing what name to expect is usually insecure. To restore the old behavior, either call mbedtls_ssl_set_hostname() with NULL as the hostname [...] Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef Signed-off-by: Frank Lichtenheld <fr...@li...> Acked-by: MaxF <ma...@ma...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31262.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/ssl_mbedtls.c 1 file changed, 4 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/918/4 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 92b52fe..e15c391 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -1246,6 +1246,10 @@ ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); mbedtls_ssl_init(ks_ssl->ctx); mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config)); + /* We do verification in our own callback depending on the + * exact configuration. We do not rely on the default hostname + * verification. */ + ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL))); #if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB /* Initialize keying material exporter, new style. */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/918?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef Gerrit-Change-Number: 918 Gerrit-PatchSet: 4 Gerrit-Owner: flichtenheld <fr...@li...> Gerrit-Reviewer: MaxF <ma...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
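Review bot: The comment added above `mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)` says verification happens "in our own callback" but names neither that callback nor the mbedTLS change that makes the call necessary. Passing NULL opts out of the library's hostname check, so peer authentication rests entirely on that callback. I would have the comment name it and mention that mbedTLS 2.28.10+ and 3.6.3+ otherwise fail the handshake with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, so a later reader does not take the NULL for an oversight. Two smaller points on the same hunk: the new call is wrapped in `ASSERT(mbed_ok(...))` while the `mbedtls_ssl_setup()` call two lines above uses a bare `mbed_ok(...)`, and it would help to pick one failure-handling style here or say why this call warrants the stricter one. The call is also made unconditionally although the quoted release note describes the new failure only for TLS clients; a short remark that it is harmless in server mode would cover that.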