Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 11f74c57516a487d9f81282ed4418d9321e062ec [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Mon Feb 17 17:41:54 2025 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Tue Feb 25 18:46:17 2025 +0100
tree: a8cd12c30b3766f3e1dd820741e8f932c8aa38f6
parent: cbe6529170dad85a30f454bb2bf5cad51d1b49e1 [diff] [blame]
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 7108a30..fbd1c3a 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -2041,6 +2041,14 @@
  *                 Calling mbedtls_ssl_setup again is not supported, even
  *                 if no session is active.
  *
+ * \warning        After setting up a client context, if certificate-based
+ *                 authentication is enabled, you should call
+ *                 mbedtls_ssl_set_hostname() to specifiy the expected
+ *                 name of the server. Without this, in most scenarios,
+ *                 the TLS connection is insecure. See
+ *                 #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *                 for more information.
+ *
  * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
  *                 subsystem must have been initialized by calling
  *                 psa_crypto_init() before calling this function.
commit	11f74c57516a487d9f81282ed4418d9321e062ec	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Mon Feb 17 17:41:54 2025 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Tue Feb 25 18:46:17 2025 +0100
tree	a8cd12c30b3766f3e1dd820741e8f932c8aa38f6
parent	cbe6529170dad85a30f454bb2bf5cad51d1b49e1 [diff] [blame]