Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 0eaec5c..b15bbb6 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2015,6 +2015,17 @@
* \note The PSA crypto subsystem must have been initialized by
* calling psa_crypto_init() before calling this function.
*
+ * \note After setting up a client context, if certificate-based
+ * authentication is enabled, you should call
+ * mbedtls_ssl_set_hostname() to specifiy the expected
+ * name of the server. Otherwise, if server authentication
+ * is required (which is the case by default) and the
+ * selected key exchange involves a certificate (i.e. is not
+ * based on a pre-shared key), the certificate authentication
+ * will fail. See
+ * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ * for more information.
+ *
* \param ssl SSL context
* \param conf SSL configuration to use
*
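Review bot: Typo in the added \note: "specifiy" should be "specify" in the line "mbedtls_ssl_set_hostname() to specifiy the expected". The wording is also weaker than the consequence it describes: the text says "you should call" but then states that certificate authentication "will fail" without the call, so consider phrasing it as a requirement for the certificate-based case. The note says only "After setting up a client context"; it would help to state by when the call has to be made relative to the handshake, so that readers of mbedtls_ssl_setup() do not have to follow the #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME reference to find out.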