From 28c4c1e6471b6bf5a2e5dd1842c8d1be5d9478e9 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Sun, 7 Apr 2024 16:57:29 +0200
Subject: [PATCH] mbedtls: disable TLS 1.3 in client mode when skipping
 verification

mbedtls currently forces verification for TLS 1.3 client connections.
At some point in the future, this can probably be worked around with an
extra callback, but for now disabling TLS 1.3 is the only way.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 ustream-mbedtls.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index c2eb2d4..73c4a5e 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -350,6 +350,10 @@ __hidden int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, b
 	if (!require)
 		mode = MBEDTLS_SSL_VERIFY_NONE;
 
+	/* force TLS 1.2 when not requiring validation for now */
+	if (!require && !ctx->server)
+		mbedtls_ssl_conf_max_version(&ctx->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+					     MBEDTLS_SSL_MINOR_VERSION_3);
 	mbedtls_ssl_conf_authmode(&ctx->conf, mode);
 
 	return 0;
-- 
2.30.2