security: Allow ssl handshake without hostname for OT cases

maciejbaczmanski · maciejbaczmanski · commit 7ec924d31a1c · 2025-04-03T11:04:12.000+02:00
Allow ssl handshake without hostname for OpenThread CoAPs and
TCAT.
These cases are isolated as handshake is done in internal network
with CA signed certificates.

Signed-off-by: Maciej Baczmanski &lt;maciej.baczmanski@nordicsemi.no&gt;
diff --git a/modules/openthread/Kconfig.features b/modules/openthread/Kconfig.features
@@ -44,6 +44,7 @@ config OPENTHREAD_BACKBONE_ROUTER_MULTICAST_ROUTING
 
 config OPENTHREAD_BLE_TCAT
 	bool "BLE TCAT support"
+	select MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
 	select EXPERIMENTAL
 
 config OPENTHREAD_BORDER_AGENT
@@ -90,6 +91,7 @@ config OPENTHREAD_COAP_OBSERVE
 
 config OPENTHREAD_COAPS
 	bool "Secure CoAP API support"
+	select MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
 	depends on OPENTHREAD_COAP
 
 config OPENTHREAD_COMMISSIONER
diff --git a/subsys/nrf_security/Kconfig.tls b/subsys/nrf_security/Kconfig.tls
@@ -222,6 +222,15 @@ config MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 
 endif # MBEDTLS_SSL_PROTO_DTLS
 
+# This config can be set only for OpenThread's TCAT and CoAPs, because these are isolated cases,
+# when X.509 certificate-based handshake is done in an internal network with full trust.
+# KRKNWK-20181
+config MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+	bool
+	depends on OPENTHREAD_BLE_TCAT || OPENTHREAD_COAPS
+	help
+	  Allow weak certificate verification without hostname check.
+
 config MBEDTLS_SSL_ALL_ALERT_MESSAGES
 	bool
 	prompt "Enable all SSL alert messages"
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -147,6 +147,9 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
   kconfig_check_and_set_base(MBEDTLS_X509_CRT_WRITE_C)
   kconfig_check_and_set_base(MBEDTLS_X509_CSR_WRITE_C)
 
+  # KRKNWK-20181
+  kconfig_check_and_set_base(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
+
   # TLS key exchange
   kconfig_check_and_set_base(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
   kconfig_check_and_set_base(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
@@ -177,4 +177,7 @@
 #define MBEDTLS_CIPHER_MODE_CBC
 #endif
 
+/* KRKNWK-20181 */
+#cmakedefine MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+
 #endif /* MBEDTLS_CONFIG_FILE_H */
