mbedtls: disable TLS 1.3 in client mode when skipping verification

[project/ustream-ssl.git] / ustream-mbedtls.c

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index c2eb2d4a8bc09f4a345d0476246a4b692f1a8504..73c4a5eee1be378b0062ef5408a3a5e0fa4ee424 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -350,6 +350,10 @@ __hidden int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, b
        if (!require)
                mode = MBEDTLS_SSL_VERIFY_NONE;
 
+       /* force TLS 1.2 when not requiring validation for now */
+       if (!require && !ctx->server)
+               mbedtls_ssl_conf_max_version(&ctx->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                            MBEDTLS_SSL_MINOR_VERSION_3);
        mbedtls_ssl_conf_authmode(&ctx->conf, mode);
 
        return 0;