Document the need to call mbedtls_ssl_set_hostname Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: eb2d29eb6bdce5b90e31ce2a8a4eb1826ee5d8b7 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Feb 20 19:12:16 2025 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Mon Feb 24 18:48:49 2025 +0100
tree: 755bf380deb02cd8094c5fe18dfb00f4ebee091b
parent: 96073fb997dd6d7ef978f30bb390738691577f69 [diff] [blame]
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 0fe2399..3154024 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -3948,6 +3948,16 @@
  *
  * \note           Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN.
  *
+ * \note           If the hostname is \c NULL on a client, then the server
+ *                 is not authenticated: it only needs to have a valid
+ *                 certificate, not a certificate matching its name.
+ *                 Therefore you should always call this function on a client,
+ *                 unless the connection is set up to only allow
+ *                 pre-shared keys, or in scenarios where server
+ *                 impersonation is not a concern. See the documentation of
+ *                 #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *                 for more details.
+ *
  * \return         0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
  *                 allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
  *                 too long input hostname.
commit	eb2d29eb6bdce5b90e31ce2a8a4eb1826ee5d8b7	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Feb 20 19:12:16 2025 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Mon Feb 24 18:48:49 2025 +0100
tree	755bf380deb02cd8094c5fe18dfb00f4ebee091b
parent	96073fb997dd6d7ef978f30bb390738691577f69 [diff] [blame]