[mbedtls] add dtls hostname verification support #328
Conversation
- Add mHostname field to DtlsConfig for certificate hostname verification - Add mDtlsHostname to Config with default "ThreadRegistrar" - Implement client-side hostname verification using mbedtls_ssl_set_hostname() - Server connections ignore hostname setting (client-only feature) - Skip verification when hostname is empty (backward compatibility) - Add comprehensive unit tests covering all verification scenarios - Update test certificates with extended validity (2025-2035) Enhances DTLS security by validating server certificate hostname matches expected Thread border agent identity, preventing MITM attacks while maintaining backward compatibility.
There was a problem hiding this comment.
Pull Request Overview
This PR adds DTLS hostname verification support to enhance security by validating server certificate hostnames match expected Thread border agent identity, preventing MITM attacks while maintaining backward compatibility.
- Adds hostname verification functionality to DTLS configuration and client connections
- Updates test certificates with extended validity (2025-2035)
- Implements comprehensive unit tests covering hostname verification scenarios
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/library/dtls.hpp | Adds mHostname field to DtlsConfig struct |
| src/library/dtls.cpp | Implements hostname verification logic using mbedtls_ssl_set_hostname() |
| include/commissioner/commissioner.hpp | Adds mDtlsHostname field to Config with default "ThreadRegistrar" |
| src/library/dtls_test.cpp | Adds comprehensive unit tests and updates certificates |
| src/library/coap_secure_test.cpp | Updates certificates and adds hostname to existing test |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
/gemini review |
ZhangLe2016
changed the title
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces DTLS hostname verification, a significant security enhancement to prevent man-in-the-middle attacks by validating the server certificate's hostname. The implementation is well-structured, adding the necessary configurations and logic to enable this feature for client-side connections while maintaining backward compatibility. The inclusion of comprehensive unit and integration tests is commendable, covering various scenarios such as valid/empty hostnames and ensuring servers ignore this client-only setting. I've provided a couple of suggestions to improve code style and maintainability in the test suite.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request adds DTLS hostname verification to enhance security, which is a valuable improvement. The implementation correctly uses mbedtls_ssl_set_hostname for client-side verification and maintains backward compatibility by skipping verification for empty hostnames. The configuration is properly propagated from the main Config to DtlsConfig. The accompanying tests are well-structured, especially with the refactoring to use helper functions. However, the test suite is missing a crucial negative test case to verify that a connection with a mismatched hostname fails as expected. I've suggested adding such a test to ensure the feature is fully robust.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request adds DTLS hostname verification support, which is a great security enhancement to prevent man-in-the-middle attacks. The implementation looks solid, with the new functionality being correctly added to the DTLS session initialization for clients. The inclusion of comprehensive unit and integration tests is excellent, covering various scenarios including valid/invalid hostnames, empty hostnames, and ensuring the server-side ignores the setting. The test code has also been nicely refactored to improve readability and reduce duplication. I have one minor suggestion regarding code style for better maintainability.
|
|
||
| TEST(DtlsTest, MbedtlsClientServer) | ||
| // Helper function to set up client configuration | ||
| void SetUpClientConfig(DtlsConfig &config) |
There was a problem hiding this comment.
nit: can the server hostname configuration being added to this SetUpClientConfig() method as an optional parameter? For example:
void SetUpClientConfig(DtlsConfig &config, const std::string& peerHostname="ThreadRegistrar")
Because it looks like all the DTLS tests which doesn't specifically test against the hostname verification need to manually set the hostname after calling SetUpClientConfig(). This is repeated and easy to be missed.
Co-authored-by: Kangping <[email protected]>
Co-authored-by: Kangping <[email protected]>
Co-authored-by: Kangping <[email protected]>
2 participants
Enhances DTLS security by validating server certificate hostname matches expected Thread border agent identity, preventing MITM attacks while maintaining backward compatibility.