ChangeLog.d/mbedtls_ssl_set_hostname.txt - mirror/mbed-tls - TrustedFirmware Git Browser

 Default behavior changes
    * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
      mbedtls_ssl_handshake() now fails with
      MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
      if certificate-based authentication of the server is attempted.
      This is because authenticating a server without knowing what name
      to expect is usually insecure.

 Security
    * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
      if they use certificate authentication (i.e. not pre-shared keys).
      Otherwise, in many scenarios, the server could be impersonated.
      The library will now prevent the handshake and return
      MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
      if mbedtls_ssl_set_hostname() has not been called.
      Reported by Daniel Stenberg.
	Default behavior changes
	* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
	mbedtls_ssl_handshake() now fails with
	MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
	if certificate-based authentication of the server is attempted.
	This is because authenticating a server without knowing what name
	to expect is usually insecure.

	Security
	* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
	if they use certificate authentication (i.e. not pre-shared keys).
	Otherwise, in many scenarios, the server could be impersonated.
	The library will now prevent the handshake and return
	MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
	if mbedtls_ssl_set_hostname() has not been called.
	Reported by Daniel Stenberg.