Move ssl_set_ca_chain() to work on config
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index eb27f3c..9f8fcbf 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -176,13 +176,16 @@
goto exit;
}
- mbedtls_printf( " ok\n" );
-
/* OPTIONAL is usually a bad choice for security, but makes interop easier
* in this simplified example, in which the ca chain is hardcoded.
* Production code should set a proper ca chain and use REQUIRED. */
mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
- mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
+ mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+ if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+ goto exit;
+ }
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &conf, my_debug, stdout );
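Review bot: The comment above `mbedtls_ssl_set_authmode` still talks only about the CA chain, but the new `mbedtls_ssl_set_hostname` call is what the server certificate's CN/SAN is matched against, and under MBEDTLS_SSL_VERIFY_OPTIONAL a name mismatch does not abort the handshake, so a reader may assume the hostname check is enforced. I would extend the comment with `/* The hostname set below is what the server certificate is checked against; with VERIFY_OPTIONAL a mismatch only shows up in mbedtls_ssl_get_verify_result(). */`. The same applies to the comment in the ssl_client1.c hunk, which has an identical OPTIONAL-plus-hostname sequence. The enclosing function starts and ends outside this hunk.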
@@ -191,6 +194,8 @@
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout,
READ_TIMEOUT_MS );
+ mbedtls_printf( " ok\n" );
+
/*
* 4. Handshake
*/
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 96cb136..9a925ec 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -215,7 +215,7 @@
mbedtls_ssl_cache_set, &cache );
#endif
- mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+ mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
{
printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c
index 5d140b9..d6ee570 100644
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@@ -149,6 +149,7 @@
ctr_drbg_seed_failed,
ssl_config_default_failed,
ssl_setup_failed,
+ hostname_failed,
socket_failed,
connect_failed,
x509_crt_parse_failed,
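Review bot: `hostname_failed` is inserted in the middle of the enum, which renumbers `socket_failed`, `connect_failed`, `x509_crt_parse_failed` and every later constant; if these values are what `main` returns as the process exit status (the enum's name and first members are outside the hunk, so this is inferred), any script or test that keys on the numeric codes silently changes meaning. Appending the new constant at the end of the enum, or stating in a comment that the codes are not stable across versions, would avoid that. The enum definition continues outside the hunk.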
@@ -216,7 +217,12 @@
goto exit;
}
- mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME );
+ mbedtls_ssl_set_ca_chain( &conf, &ca, NULL );
+ if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 )
+ {
+ ret = hostname_failed;
+ goto exit;
+ }
mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
#endif
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 38a510c..d7cb141 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -169,7 +169,12 @@
/* OPTIONAL is not optimal for security,
* but makes interop easier in this simplified example */
mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
- mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
+ mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+ if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+ goto exit;
+ }
mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_set_dbg( &conf, my_debug, stdout );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 03ac1b3..aaf22db 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1154,7 +1154,7 @@
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
- mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
+ mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
}
if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 )
@@ -1165,6 +1165,11 @@
goto exit;
}
}
+ if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+ goto exit;
+ }
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1177,14 +1182,6 @@
}
#endif
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
- {
- mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
- goto exit;
- }
-#endif
-
if( opt.min_version != DFL_MIN_VERSION )
{
ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
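Review bot: Removing the `MBEDTLS_SSL_SERVER_NAME_INDICATION`-guarded `mbedtls_ssl_set_hostname` call leaves the only remaining call (added in the previous hunk, just before an `#endif` whose opening `#if` is outside the hunk) inside what looks like the certificate-parsing block; if that block is guarded on X.509 support, a build with SNI enabled but certificate parsing disabled would no longer send the server name at all. Worth confirming which macro closes at that `#endif`, and if it is not SNI-related, keeping an SNI-guarded `mbedtls_ssl_set_hostname` call in an `#else` branch. The enclosing function starts and ends outside this hunk.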
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 877f958..50de5ef 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -269,7 +269,7 @@
mbedtls_ssl_set_dbg( &conf, my_debug, stdout );
mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
- mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+ mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 000ed09..ab849a9 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -611,7 +611,12 @@
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite );
- mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
+ mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+ if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
+ {
+ mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+ goto exit;
+ }
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index e951b3a..1fc3262 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -188,7 +188,7 @@
mbedtls_ssl_cache_set, thread_info->cache );
#endif
- mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
+ mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 2302f06..61b9dc9 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -214,7 +214,7 @@
mbedtls_ssl_cache_set, &cache );
#endif
- mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+ mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index e5fcfdf..954ae43 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1682,7 +1682,7 @@
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
- mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
+ mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
}
if( key_cert_init )
if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )