| Commit message | Author | Age | Files | Lines |
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597ecc34188427347ad8d773bf9a0176cd
Signed-off-by: sfan5 <sfan5@live.de>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
As of mbedTLS 3.6.0 TLSv1.3 is enabled by default and certificate verification
is now mandatory. Our default configuration does not do verification, so
downgrade to 1.2 in these situations to avoid breaking it.
ref: https://github.com/Mbed-TLS/mbedtls/issues/7075
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
When TLSv1.3 and session tickets are enabled mbedtls_ssl_read()
will return an error code to inform about a received session ticket.
This can simply be handled like EAGAIN instead of erroneously
aborting the connection.
ref: https://github.com/Mbed-TLS/mbedtls/issues/8749
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
We manually check the verification status after the handshake has completed
using mbedtls_ssl_get_verify_result(). However with VERIFY_REQUIRED
mbedtls_ssl_handshake() already returns an error, so this code is never reached.
Fix that by using VERIFY_OPTIONAL, which performs the verification but
does not abort the handshake.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
Unfortunately this won't work out-of-the-box because mbedTLS
only provides a global (not per-context) debug toggle.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
This is mandatory depending on configuration or at least with mbedTLS 3.6.0.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
Signed-off-by: Anton Khirnov <anton@khirnov.net>
|
This fixes rtmps failure since rtmps requires nonblocking read.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
|
There are lots of files that don't need it: The number of object
files that actually need it went down from 2011 to 884 here.
Keep it for external users in order to not cause breakages.
Also improve the other headers a bit while just at it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
Some callers assume that item_name is always set, so this may be
considered an API break.
This reverts commit 0c6203c97a99f69dbaa6e4011d48c331e1111f5e.
|
Unnecessary since acf63d5350adeae551d412db699f8ca03f7e76b9;
also avoids relocations.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
- certs.h is gone. Only contains test data, and was not used at all.
- config.h is renamed. Was seemingly not used, so can be removed.
- MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown.
- mbedtls_pk_parse_keyfile now needs to be passed a properly seeded
RNG. Hence, move the call to after RNG seeding.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
|
If ca_file was set, setting tls_verify=0 would not actually disable
verification.
|
This makes sure that small seeks forward on https don't end up
doing new requests.
Signed-off-by: Martin Storsjö <martin@martin.st>
|
fix resource leak in mbedtls part.
fix #8614
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
|
* commit 'e368b0cbfa3fdc627c331e34556f8e39296d04d5':
tls_mbedtls: Use non-deprecated header file
Merged-by: James Almer <jamrial@gmail.com>
|
/usr/include/mbedtls/net.h:29:2: warning: #warning "Deprecated header file: Superseded by mbedtls/net_sockets.h" [-Wcpp]
|
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
|
Signed-off-by: James Almer <jamrial@gmail.com>
|
This reverts commit 62f5c9d68bf6e0f2c1a47cf002629a70a82274fc,
which was pushed a bit prematurely.