Limit TLS 1.2 lock workaround

petermm · petermm · commit 355bc453bfa7 · 2025-03-09T21:37:35.000+01:00
To affected versions.

Signed-off-by: Peter M &lt;petermm@gmail.com&gt;
diff --git a/src/libAtomVM/otp_ssl.c b/src/libAtomVM/otp_ssl.c
@@ -457,11 +457,11 @@ static term nif_ssl_conf_authmode(Context *ctx, int argc, term argv[])
 
     // MBEDTLS_SSL_VERIFY_NONE and MBEDTLS_SSL_VERIFY_OPTIONAL do not work with TLS 1.3
     // https://github.com/Mbed-TLS/mbedtls/issues/7075
+    // Fixed in 3.6.1 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1
+    // "Fixed by adding support for optional/none with TLS 1.3 as well."
     if (authmode != MBEDTLS_SSL_VERIFY_REQUIRED) {
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
+#if MBEDTLS_VERSION_NUMBER >= 0x03020000 && MBEDTLS_VERSION_NUMBER < 0x03060100
         mbedtls_ssl_conf_max_tls_version(&rsrc_obj->config, MBEDTLS_SSL_VERSION_TLS1_2);
-#else
-        mbedtls_ssl_conf_max_version(&rsrc_obj->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
 #endif
     }
 
diff --git a/tests/libs/estdlib/test_ssl.erl b/tests/libs/estdlib/test_ssl.erl
@@ -49,6 +49,7 @@ is_ssl_available() ->
 
 test_ssl() ->
     ok = ssl:start(),
+    ok = test_print_client_capabilities(),
     ok = test_start_twice(),
     ok = test_connect_close(),
     ok = test_connect_error(),
@@ -57,6 +58,25 @@ test_ssl() ->
     ok = ssl:stop(),
     ok.
 
+test_print_client_capabilities() ->
+    {ok, SSLSocket} = ssl:connect("www.howsmyssl.com", 443, [
+        {verify, verify_none}, {active, false}, {binary, true}
+    ]),
+    UserAgent = erlang:system_info(machine),
+    ok = ssl:send(SSLSocket, [
+        <<"GET /a/check HTTP/1.1\r\nHost: www.howsmyssl.com\r\nUser-Agent: ">>, UserAgent, <<"\r\n\r\n">>
+    ]),
+    {ok, <<"HTTP/1.1 200 OK", Return/binary>>} = ssl:recv(SSLSocket, 0),
+    io:format("~s~n", [Return]),
+    {ok, <<Return2/binary>>} = ssl:recv(SSLSocket, 0),
+    io:format("~s~n", [Return2]),
+    {ok, <<Return3/binary>>} = ssl:recv(SSLSocket, 0),
+    io:format("~s~n", [Return3]),
+    {ok, <<Return4/binary>>} = ssl:recv(SSLSocket, 0),
+    io:format("~s~n", [Return4]),
+    ok = ssl:close(SSLSocket),
+    ok.
+
 test_start_twice() ->
     ok = ssl:start().
 
