Lift TLS 1.2 limit for verify_none, newer MbedTLS.

Fixed in MbedTLS 3.6.1, only limit affected versions to TLS 1.2.

Signed-off-by: Peter M <petermm@gmail.com>

Author: petermm

CHANGELOG.md

@@ -46,6 +46,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `init:get_argument/1`, `init:get_plain_arguments/0` and `init:notify_when_started/1`
 - Added `application:get_env/2`
 - Added CodeQL analysis to esp32, stm32, pico, and wasm workflows
+- Lift TLS 1.2 limit for requests with verify_none, for newer MbedTLS versions.
 
 ### Changed
 

src/libAtomVM/otp_ssl.c

@@ -457,11 +457,11 @@ static term nif_ssl_conf_authmode(Context *ctx, int argc, term argv[])
 
     // MBEDTLS_SSL_VERIFY_NONE and MBEDTLS_SSL_VERIFY_OPTIONAL do not work with TLS 1.3
     // https://github.com/Mbed-TLS/mbedtls/issues/7075
+    // Fixed in 3.6.1 https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1
+    // "Fixed by adding support for optional/none with TLS 1.3 as well."
     if (authmode != MBEDTLS_SSL_VERIFY_REQUIRED) {
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
+#if MBEDTLS_VERSION_NUMBER >= 0x03020000 && MBEDTLS_VERSION_NUMBER < 0x03060100
         mbedtls_ssl_conf_max_tls_version(&rsrc_obj->config, MBEDTLS_SSL_VERSION_TLS1_2);
-#else
-        mbedtls_ssl_conf_max_version(&rsrc_obj->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
 #endif
     }
 

src/platforms/esp32/sdkconfig.defaults

@@ -1,3 +1,5 @@
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
 CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM=y
+CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
+CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y

src/platforms/esp32/test/main/test_erl_sources/test_ssl.erl

@@ -23,6 +23,9 @@
 
 start() ->
     % start SSL
+    ok = ssl:start(),
+    ok = test_print_client_capabilities(),
+    ok = ssl:stop(),
     Entropy = ssl:nif_entropy_init(),
     CtrDrbg = ssl:nif_ctr_drbg_init(),
     ok = ssl:nif_ctr_drbg_seed(CtrDrbg, Entropy, <<"AtomVM">>),
@@ -59,6 +62,29 @@ start() ->
     ok = socket:close(Socket),
     ok.
 
+test_print_client_capabilities() ->
+    {ok, SSLSocket} = ssl:connect("check-tls.akamai.io", 443, [
+        {verify, verify_none}, {active, false}, {binary, true}
+    ]),
+    UserAgent = erlang:system_info(machine),
+    ok = ssl:send(SSLSocket, [
+        <<"GET /v1/tlsinfo.json HTTP/1.1\r\nHost: check-tls.akamai.io\r\nUser-Agent: ">>,
+        UserAgent,
+        <<"\r\n\r\n">>
+    ]),
+    ok = recv_helper(SSLSocket, 0),
+    ok = ssl:close(SSLSocket),
+    ok.
+
+recv_helper(SSLSocket, Bytes) ->
+    case ssl:recv(SSLSocket, Bytes) of
+        {ok, Data} ->
+            io:format("~s~n", [Data]),
+            recv_helper(SSLSocket, 0);
+        {error, _Reason} ->
+            ok
+    end.
+
 handshake_loop(SSLContext, Socket) ->
     case ssl:nif_handshake_step(SSLContext) of
         ok ->

src/platforms/esp32/test/sdkconfig.defaults

@@ -5,3 +5,5 @@ CONFIG_ESP_INT_WDT_TIMEOUT_MS=10000
 CONFIG_ETH_USE_OPENETH=y
 CONFIG_AVM_RTC_SLOW_MAX_SIZE=1024
 CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM=y
+CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
+CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y

tests/libs/estdlib/test_ssl.erl

@@ -48,6 +48,9 @@ is_ssl_available() ->
     end.
 
 test_ssl() ->
+    ok = ssl:start(),
+    ok = test_print_client_capabilities(),
+    ok = ssl:stop(),
     ok = ssl:start(),
     ok = test_start_twice(),
     ok = test_connect_close(),
@@ -57,6 +60,29 @@ test_ssl() ->
     ok = ssl:stop(),
     ok.
 
+test_print_client_capabilities() ->
+    {ok, SSLSocket} = ssl:connect("check-tls.akamai.io", 443, [
+        {verify, verify_none}, {active, false}, {binary, true}
+    ]),
+    UserAgent = erlang:system_info(machine),
+    ok = ssl:send(SSLSocket, [
+        <<"GET /v1/tlsinfo.json HTTP/1.1\r\nHost: check-tls.akamai.io\r\nUser-Agent: ">>,
+        UserAgent,
+        <<"\r\n\r\n">>
+    ]),
+    ok = recv_helper(SSLSocket, 0),
+    ok = ssl:close(SSLSocket),
+    ok.
+
+recv_helper(SSLSocket, Bytes) ->
+    case ssl:recv(SSLSocket, Bytes) of
+        {ok, Data} ->
+            io:format("~s~n", [Data]),
+            recv_helper(SSLSocket, 0);
+        {error, _Reason} ->
+            ok
+    end.
+
 test_start_twice() ->
     ok = ssl:start().