| Commit message | Author | Age | Files | Lines |

Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5 <[email protected]>
Signed-off-by: Anton Khirnov <[email protected]>

As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: Anton Khirnov <[email protected]>

When TLSv1.3 and session tickets are enabled mbedtls_ssl_read()
will return an error code to inform about a received session ticket.
This can simply be handled like EAGAIN instead of erroneously
aborting the connection.
ref: https://github.com/Mbed-TLS/mbedtls/issues/8749
Signed-off-by: Anton Khirnov <[email protected]>

We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.
Signed-off-by: Anton Khirnov <[email protected]>

Unfortunately this won't work out-of-the-box because mbedTLS
only provides a global (not per-context) debug toggle.
Signed-off-by: Anton Khirnov <[email protected]>

This is mandatory depending on configuration or at least with mbedTLS 3.6.0.
Signed-off-by: Anton Khirnov <[email protected]>

Signed-off-by: Anton Khirnov <[email protected]>

This fixes rtmps failure since rtmps requires nonblocking read.
Signed-off-by: Zhao Zhili <[email protected]>

There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.
Keep it for external users in order to not cause breakages.
Also improve the other headers a bit while just at it.
Signed-off-by: Andreas Rheinhardt <[email protected]>

Some callers assume that item_name is always set, so this may be
considered an API break.
This reverts commit 0c6203c97a99f69dbaa6e4011d48c331e1111f5e.

Unnecessary since acf63d5350adeae551d412db699f8ca03f7e76b9;
also avoids relocations.
Reviewed-by: Anton Khirnov <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>

- certs.h is gone. Only contains test data, and was not used at all.
- config.h is renamed. Was seemingly not used, so can be removed.
- MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead
  MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown.
- mbedtls_pk_parse_keyfile now needs to be passed a properly seeded
  RNG. Hence, move the call to after RNG seeding.
Signed-off-by: Timo Rothenpieler <[email protected]>

If ca_file was set, setting tls_verify=0 would not actually disable
verification.

This makes sure that small seeks forward on https don't end up
doing new requests.
Signed-off-by: Martin Storsjö <[email protected]>

fix resource leak in mbedtls part.
fix #8614
Signed-off-by: Jun Zhao <[email protected]>

* commit 'e368b0cbfa3fdc627c331e34556f8e39296d04d5':
  tls_mbedtls: Use non-deprecated header file
Merged-by: James Almer <[email protected]>

/usr/include/mbedtls/net.h:29:2: warning: #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h" [-Wcpp]

Signed-off-by: Luca Barbato <[email protected]>

Signed-off-by: James Almer <[email protected]>

This reverts commit 62f5c9d68bf6e0f2c1a47cf002629a70a82274fc,
which was pushed a bit prematurely.