[Openvpn-devel,v3] Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

Message ID 20250327113356.11233-1-gert@greenie.muc.de
State New
Series [Openvpn-devel,v3] Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

Commit Message

Gert Doering March 27, 2025, 11:33 a.m. UTC
From: Frank Lichtenheld <frank@lichtenheld.com>

From release notes:
In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname [...]

Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: MaxF <max@max-fillinger.net>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/918
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
MaxF <max@max-fillinger.net>
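The release-note behaviour quoted in the commit message, modelled as an added example (this is not OpenVPN or mbedTLS code): a client that never calls mbedtls_ssl_set_hostname() now fails certificate-based server authentication, a client that passes NULL opts out of the library's own name check and must supply its own, and a client that passes a name gets the built-in DNS-name match. The enum values, the result codes, the dns_name_matches() helper and the sample subjectAltName entries are all constructed here; the real MBEDTLS_ERR_* value is not reproduced.

```c
/* Added example, not OpenVPN or mbedTLS code: models the hostname check that
 * mbedTLS 2.28.10+/3.6.3+ insists on, and the matching an application has to
 * do itself when it opts out with mbedtls_ssl_set_hostname(ctx, NULL). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed tri-state: what the application did with mbedtls_ssl_set_hostname(). */
enum hostname_state {
    HOSTNAME_NOT_SET,    /* never called: new mbedTLS versions refuse the handshake */
    HOSTNAME_OPTED_OUT,  /* called with NULL: library skips the name check (OpenVPN's case) */
    HOSTNAME_SET         /* called with a name: library matches it against the certificate */
};

/* Constructed result codes; VERIFY_NO_HOSTNAME stands in for
 * MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME (numeric value not reproduced). */
enum verify_result {
    VERIFY_OK = 0,
    VERIFY_NAME_MISMATCH = -1,
    VERIFY_NO_HOSTNAME = -2
};

/* Case-insensitive match of one expected DNS name against one certificate name.
 * A "*." wildcard is honoured only as the leftmost label and matches exactly
 * one label, so "*.vpn.example.net" matches "gw1.vpn.example.net" but neither
 * "a.b.vpn.example.net" nor "vpn.example.net". */
static bool dns_name_matches(const char *expected, const char *cert_name)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(expected, '.');
        if (dot == NULL || dot == expected) {
            return false;  /* the wildcard must consume one non-empty label */
        }
        return strcasecmp(dot + 1, cert_name + 2) == 0;
    }
    return strcasecmp(expected, cert_name) == 0;
}

/* The library-side decision during certificate-based server authentication.
 * cert_names are the DNS entries of the server certificate's subjectAltName. */
static enum verify_result check_server_identity(enum hostname_state state,
                                                const char *expected,
                                                const char *const *cert_names,
                                                size_t n_names)
{
    switch (state) {
    case HOSTNAME_NOT_SET:
        return VERIFY_NO_HOSTNAME;      /* the new failure mode */
    case HOSTNAME_OPTED_OUT:
        return VERIFY_OK;               /* identity is now the application's job */
    case HOSTNAME_SET:
        for (size_t i = 0; i < n_names; i++) {
            if (dns_name_matches(expected, cert_names[i])) {
                return VERIFY_OK;
            }
        }
        return VERIFY_NAME_MISMATCH;
    }
    return VERIFY_NAME_MISMATCH;
}

/* Constructed sample subjectAltName entries for the demo below. */
static const char *const sample_sans[] = { "vpn.example.net", "*.vpn.example.net" };
#define N_SAMPLE_SANS 2

int main(void)
{
    printf("not set        -> %d\n",
           check_server_identity(HOSTNAME_NOT_SET, NULL, sample_sans, N_SAMPLE_SANS));
    printf("opted out      -> %d\n",
           check_server_identity(HOSTNAME_OPTED_OUT, NULL, sample_sans, N_SAMPLE_SANS));
    printf("gw1.vpn...     -> %d\n",
           check_server_identity(HOSTNAME_SET, "gw1.vpn.example.net", sample_sans, N_SAMPLE_SANS));
    printf("a.b.vpn...     -> %d\n",
           check_server_identity(HOSTNAME_SET, "a.b.vpn.example.net", sample_sans, N_SAMPLE_SANS));
    return 0;
}
```

The HOSTNAME_OPTED_OUT branch is the one the patch selects; it returns success only because the library has handed the identity decision to the application, so an application taking that path needs a check at least as strict as dns_name_matches() (or a configured peer-name check) in its own verify callback.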

Comments

Gert Doering March 27, 2025, 12:17 p.m. UTC | #1
I have not tested this further - the buildbots have, and both the
release notes and our mbedTLS expert agree on the fix :-)

Tested compilation for the 2.6 backport via GHA.

Your patch has been applied to the master and release/2.6 branch
(long-term compat).

commit 4897c522948c8cdb82c0325ee08f6907cfc16f57 (master)
commit 4913628022f5d9d33bac656082a2ec279d8d1222 (release/2.6)
Author: Frank Lichtenheld
Date:   Thu Mar 27 12:33:50 2025 +0100

     Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

     Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
     Acked-by: MaxF <max@max-fillinger.net>
     Message-Id: <20250327113356.11233-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31262.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 92b52fe..e15c391 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1246,6 +1246,10 @@ 
     ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context);
     mbedtls_ssl_init(ks_ssl->ctx);
     mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config));
+    /* We do verification in our own callback depending on the
+     * exact configuration. We do not rely on the default hostname
+     * verification. */
+    ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));
 
 #if HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB
     /* Initialize keying material exporter, new style. */
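Review bot: the new comment above `ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));` should spell out what the NULL gives up: it switches off the library's built-in server-name check entirely, so from this point peer identity rests solely on "our own callback depending on the exact configuration"; naming that callback and the options that drive it in the comment would stop a later reader from assuming a name check still happens somewhere inside mbedTLS. On the same line, the only side-effecting call of the hunk sits inside ASSERT(...), which ties the fix to ASSERT never being compiled out; either a one-line note that ASSERT is unconditional in this code base, or `if (!mbed_ok(...))` with an explicit failure path, would make that intent visible.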