mbedtls currently forces verification for TLS 1.3 client connections.
At some point in the future, this can probably be worked around with an
extra callback, but for now disabling TLS 1.3 is the only way.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
if (!require)
mode = MBEDTLS_SSL_VERIFY_NONE;
+ /* force TLS 1.2 when not requiring validation for now */
+ if (!require && !ctx->server)
+ mbedtls_ssl_conf_max_version(&ctx->conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_authmode(&ctx->conf, mode);
return 0;
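Review bot: The TLS 1.2 cap applied under "if (!require && !ctx->server)" has no counterpart that undoes it. If this function is called again on the same client context with require set, mbedtls_ssl_conf_authmode() switches back to a verifying mode, but nothing in the visible lines raises the maximum version again, so the context stays limited to TLS 1.2. Consider adding an else branch that restores the default maximum version, or documenting that disabling validation on a client context also limits it to TLS 1.2. The in-code comment should also state the reason (mbedtls forces verification for TLS 1.3 client connections), so the workaround is easy to find and remove once the callback approach mentioned in the commit message is possible.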