From d4e95c4fe8e05c5b79bf1dc57114d2ee3f22907b Mon Sep 17 00:00:00 2001 From: Paul-Louis Ageneau Date: Sun, 31 Mar 2024 23:10:40 +0200 Subject: [PATCH 1/3] Disable TLS 1.3 with Mbed TLS --- src/impl/tlstransport.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/impl/tlstransport.cpp b/src/impl/tlstransport.cpp index bf95250e3..5ea295069 100644 --- a/src/impl/tlstransport.cpp +++ b/src/impl/tlstransport.cpp @@ -336,6 +336,7 @@ TlsTransport::TlsTransport(variant, shared_ptr Date: Sun, 31 Mar 2024 23:32:46 +0200 Subject: [PATCH 2/3] Disable DTLS 1.3 with Mbed TLS for consistency --- src/impl/dtlstransport.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/impl/dtlstransport.cpp b/src/impl/dtlstransport.cpp index b1ac82723..8e12c956e 100644 --- a/src/impl/dtlstransport.cpp +++ b/src/impl/dtlstransport.cpp @@ -402,9 +402,9 @@ DtlsTransport::DtlsTransport(shared_ptr lower, certificate_ptr cer MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT), "Failed creating Mbed TLS Context"); + mbedtls_ssl_conf_max_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); // TLS 1.2 mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_OPTIONAL); mbedtls_ssl_conf_verify(&mConf, DtlsTransport::CertificateCallback, this); - mbedtls_ssl_conf_rng(&mConf, mbedtls_ctr_drbg_random, &mDrbg); auto [crt, pk] = mCertificate->credentials(); From f691748b838aa42c1917752bbe4d5fc5981f947b Mon Sep 17 00:00:00 2001 From: Paul-Louis Ageneau Date: Sun, 31 Mar 2024 23:36:23 +0200 Subject: [PATCH 3/3] Cleaned up mbedtls::check() messages for consistency --- src/impl/dtlstransport.cpp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/impl/dtlstransport.cpp b/src/impl/dtlstransport.cpp index 8e12c956e..caad9c710 100644 --- a/src/impl/dtlstransport.cpp +++ b/src/impl/dtlstransport.cpp 
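Review bot: The added `mbedtls_ssl_conf_max_version(...)` line in the `@@ -402,9 +402,9 @@` hunk of PATCH 2/3 (src/impl/dtlstransport.cpp) lowers the protocol ceiling without recording why or when the cap can be lifted, and its trailing comment says `// TLS 1.2` although this config is built with `MBEDTLS_SSL_TRANSPORT_DATAGRAM`. I would reword the comment along the lines of `// Cap at DTLS 1.2, consistent with TlsTransport; lift once 1.3 works with Mbed TLS`; that reason is inferred from the commit titles, so please state the actual one. Only the maximum is pinned here, and the minimum stays whatever `MBEDTLS_SSL_PRESET_DEFAULT` gives for the Mbed TLS release in use, so if 2.x builds are supported it is worth confirming the floor is DTLS 1.2 as well. Recent Mbed TLS 3.x releases deprecate this function in favour of `mbedtls_ssl_conf_max_tls_version(&mConf, MBEDTLS_SSL_VERSION_TLS1_2);`, so a build with deprecated APIs removed would presumably reject the new line. The constructor body starts and ends outside the hunk.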
@@ -394,13 +394,11 @@ DtlsTransport::DtlsTransport(shared_ptr lower, certificate_ptr cer mbedtls_ctr_drbg_set_prediction_resistance(&mDrbg, MBEDTLS_CTR_DRBG_PR_ON); try { - mbedtls::check(mbedtls_ctr_drbg_seed(&mDrbg, mbedtls_entropy_func, &mEntropy, NULL, 0), - "Failed creating Mbed TLS Context"); + mbedtls::check(mbedtls_ctr_drbg_seed(&mDrbg, mbedtls_entropy_func, &mEntropy, NULL, 0)); mbedtls::check(mbedtls_ssl_config_defaults( &mConf, mIsClient ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, - MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT), - "Failed creating Mbed TLS Context"); + MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT)); mbedtls_ssl_conf_max_version(&mConf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); // TLS 1.2 mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_OPTIONAL); @@ -408,13 +406,12 @@ DtlsTransport::DtlsTransport(shared_ptr lower, certificate_ptr cer mbedtls_ssl_conf_rng(&mConf, mbedtls_ctr_drbg_random, &mDrbg); auto [crt, pk] = mCertificate->credentials(); - mbedtls::check(mbedtls_ssl_conf_own_cert(&mConf, crt.get(), pk.get()), - "Failed creating Mbed TLS Context"); + mbedtls::check(mbedtls_ssl_conf_own_cert(&mConf, crt.get(), pk.get())); mbedtls_ssl_conf_dtls_cookies(&mConf, NULL, NULL, NULL); mbedtls_ssl_conf_dtls_srtp_protection_profiles(&mConf, srtpSupportedProtectionProfiles); - mbedtls::check(mbedtls_ssl_setup(&mSsl, &mConf), "Failed creating Mbed TLS Context"); + mbedtls::check(mbedtls_ssl_setup(&mSsl, &mConf)); mbedtls_ssl_set_export_keys_cb(&mSsl, DtlsTransport::ExportKeysCallback, this); mbedtls_ssl_set_bio(&mSsl, this, WriteCallback, ReadCallback, NULL);
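Review bot: With the message argument dropped from every `mbedtls::check(...)` call in the `@@ -394,13 +394,11 @@` hunk, and likewise in `@@ -408,13 +406,12 @@`, the four setup failures can be told apart only if the one-argument `check()` reports the Mbed TLS error code. These are DRBG seeding, config defaults, own certificate and `mbedtls_ssl_setup`. The one-argument overload is not visible here, so please confirm it includes the numeric code or its string form in what it throws or logs. The seeding failure is the one I would keep distinguishable, since it means the handshake has no usable randomness source; if the two-argument form still exists, `mbedtls::check(mbedtls_ctr_drbg_seed(&mDrbg, mbedtls_entropy_func, &mEntropy, NULL, 0), "Failed to seed Mbed TLS DRBG");` would do it. The `try` block and the constructor continue outside both hunks.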