From: Felix Fietkau <nbd@nbd.name>
Date: Sun, 7 Apr 2024 14:57:29 +0000 (+0200)
Subject: mbedtls: disable TLS 1.3 in client mode when skipping verification
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=28c4c1e6471b6bf5a2e5dd1842c8d1be5d9478e9;p=project%2Fustream-ssl.git

mbedtls: disable TLS 1.3 in client mode when skipping verification

mbedtls currently forces verification for TLS 1.3 client connections.
At some point in the future, this can probably be worked around with an
extra callback, but for now disabling TLS 1.3 is the only way.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index c2eb2d4..73c4a5e 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -350,6 +350,10 @@ __hidden int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, b
 	if (!require)
 		mode = MBEDTLS_SSL_VERIFY_NONE;
 
+	/* force TLS 1.2 when not requiring validation for now */
+	if (!require && !ctx->server)
+		mbedtls_ssl_conf_max_version(&ctx->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+					     MBEDTLS_SSL_MINOR_VERSION_3);
 	mbedtls_ssl_conf_authmode(&ctx->conf, mode);
 
 	return 0;