Default behavior changes
   * In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
     mbedtls_ssl_handshake() now fails with
     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
     if certificate-based authentication of the server is attempted.
     This is because authenticating a server without knowing what name
     to expect is usually insecure. To restore the old behavior, either
     call mbedtls_ssl_set_hostname() with NULL as the hostname, or
     enable the new compile-time option
     MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME.

Security
   * Note that TLS clients should generally call mbedtls_ssl_set_hostname()
     if they use certificate authentication (i.e. not pre-shared keys).
     Otherwise, in many scenarios, the server could be impersonated.
     The library will now prevent the handshake and return
     MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
     if mbedtls_ssl_set_hostname() has not been called.
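
Added example, not Mbed TLS code: a small C model of the name-check rule described above, assuming certificate-based authentication is in use and the server's chain already validates against a trusted CA. All model_* names, the MODEL_* macro and error values, and the host names are constructed for illustration; exact string comparison stands in for real certificate name matching.

```c
/* Simplified model of the rule in this changelog entry. NOT Mbed TLS code:
 * every model_* / MODEL_* name and value is constructed for illustration. */
#include <stdio.h>
#include <string.h>

#ifndef MODEL_ALLOW_WEAK_WITHOUT_HOSTNAME  /* stands in for the compile-time option */
#define MODEL_ALLOW_WEAK_WITHOUT_HOSTNAME 0
#endif

enum { MODEL_OK = 0, MODEL_ERR_NAME_MISMATCH = -1, MODEL_ERR_WITHOUT_HOSTNAME = -2 };

/* Three states matter: never called, called with NULL, called with a name. */
typedef enum { HOSTNAME_UNSET, HOSTNAME_OPTED_OUT, HOSTNAME_SET } hostname_state;

typedef struct {
    hostname_state state;
    const char *expected;   /* meaningful only when state == HOSTNAME_SET */
} model_client;

static void model_client_init(model_client *c)
{
    c->state = HOSTNAME_UNSET;
    c->expected = NULL;
}

/* NULL is an explicit opt-out of name checking, distinct from never calling. */
static void model_set_hostname(model_client *c, const char *name)
{
    c->state = (name == NULL) ? HOSTNAME_OPTED_OUT : HOSTNAME_SET;
    c->expected = name;
}

/* cert_name: the single DNS name in a constructed, chain-valid server certificate. */
static int model_verify_server_name(const model_client *c, const char *cert_name)
{
    if (c->state == HOSTNAME_UNSET && !MODEL_ALLOW_WEAK_WITHOUT_HOSTNAME)
        return MODEL_ERR_WITHOUT_HOSTNAME;   /* new default: refuse the handshake */
    if (c->state != HOSTNAME_SET)
        return MODEL_OK;                     /* old behavior: any trusted cert passes */
    return strcmp(c->expected, cert_name) == 0 ? MODEL_OK : MODEL_ERR_NAME_MISMATCH;
}

int main(void)
{
    model_client c;
    model_client_init(&c);
    printf("without set_hostname: %d\n", model_verify_server_name(&c, "other.example"));
    return 0;
}
```

The opted-out case is the one to audit for in client code: a certificate issued to any other name by a trusted CA passes, which is the impersonation risk the Security note describes.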