Move ssl_set_ca_chain() to work on config

programs/ssl/dtls_client.c

@@ -176,13 +176,16 @@ int main( int argc, char *argv[] )
         goto exit;
     }
 
-    mbedtls_printf( " ok\n" );
-
     /* OPTIONAL is usually a bad choice for security, but makes interop easier
      * in this simplified example, in which the ca chain is hardcoded.
      * Production code should set a proper ca chain and use REQUIRED. */
     mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
-    mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
+    mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+    if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        goto exit;
+    }
 
     mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
     mbedtls_ssl_set_dbg( &conf, my_debug, stdout );
@@ -191,6 +194,8 @@ int main( int argc, char *argv[] )
                          mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout,
                          READ_TIMEOUT_MS );
 
+    mbedtls_printf( " ok\n" );
+
     /*
      * 4. Handshake
      */

programs/ssl/dtls_server.c

@@ -215,7 +215,7 @@ int main( void )
                                    mbedtls_ssl_cache_set, &cache );
 #endif
 
-    mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+    mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
     if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
     {
         printf( " failed\n  ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );

programs/ssl/mini_client.c

@@ -149,6 +149,7 @@ enum exit_codes
     ctr_drbg_seed_failed,
     ssl_config_default_failed,
     ssl_setup_failed,
+    hostname_failed,
     socket_failed,
     connect_failed,
     x509_crt_parse_failed,
@@ -216,7 +217,12 @@ int main( void )
         goto exit;
     }
 
-    mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME );
+    mbedtls_ssl_set_ca_chain( &conf, &ca, NULL );
+    if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 )
+    {
+        ret = hostname_failed;
+        goto exit;
+    }
     mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
 #endif
 

programs/ssl/ssl_client1.c

@@ -169,7 +169,12 @@ int main( void )
     /* OPTIONAL is not optimal for security,
      * but makes interop easier in this simplified example */
     mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
-    mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
+    mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+    if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        goto exit;
+    }
 
     mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
     mbedtls_ssl_set_dbg( &conf, my_debug, stdout );

programs/ssl/ssl_client2.c

@@ -1154,7 +1154,7 @@ int main( int argc, char *argv[] )
     if( strcmp( opt.ca_path, "none" ) != 0 &&
         strcmp( opt.ca_file, "none" ) != 0 )
     {
-        mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
+        mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
     }
     if( strcmp( opt.crt_file, "none" ) != 0 &&
         strcmp( opt.key_file, "none" ) != 0 )
@@ -1165,6 +1165,11 @@ int main( int argc, char *argv[] )
             goto exit;
         }
     }
+    if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        goto exit;
+    }
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1177,14 +1182,6 @@ int main( int argc, char *argv[] )
     }
 #endif
 
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
-    {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
-        goto exit;
-    }
-#endif
-
     if( opt.min_version != DFL_MIN_VERSION )
     {
         ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );

programs/ssl/ssl_fork_server.c

@@ -269,7 +269,7 @@ int main( void )
         mbedtls_ssl_set_dbg( &conf, my_debug, stdout );
         mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 );
 
-        mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+        mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
         if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );

programs/ssl/ssl_mail_client.c

@@ -611,7 +611,12 @@ int main( int argc, char *argv[] )
     if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
         mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite );
 
-    mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
+    mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
+    if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
+    {
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        goto exit;
+    }
     if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );

programs/ssl/ssl_pthread_server.c

@@ -188,7 +188,7 @@ static void *handle_ssl_connection( void *data )
                                    mbedtls_ssl_cache_set, thread_info->cache );
 #endif
 
-    mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
+    mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL );
     if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );

programs/ssl/ssl_server.c

@@ -214,7 +214,7 @@ int main( void )
                                    mbedtls_ssl_cache_set, &cache );
 #endif
 
-    mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
+    mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL );
     if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )
     {
         mbedtls_printf( " failed\n  ! mbedtls_ssl_set_own_cert returned %d\n\n", ret );

programs/ssl/ssl_server2.c

@@ -1682,7 +1682,7 @@ int main( int argc, char *argv[] )
     if( strcmp( opt.ca_path, "none" ) != 0 &&
         strcmp( opt.ca_file, "none" ) != 0 )
     {
-        mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
+        mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
     }
     if( key_cert_init )
         if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 )

programs/x509/cert_app.c

@@ -413,7 +413,7 @@ int main( int argc, char *argv[] )
         if( verify )
         {
             mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
-            mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
+            mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL );
             mbedtls_ssl_set_verify( &conf, my_verify, NULL );
         }
         else
@@ -429,13 +429,11 @@ int main( int argc, char *argv[] )
             goto ssl_exit;
         }
 
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
         if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
         {
             mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
             goto ssl_exit;
         }
-#endif
 
         /*
          * 4. Handshake