commit 0cd5b94dba7548c3b40efc0681f377744b424f59
author Hanno Becker <hanno.becker@arm.com> Fri Oct 13 17:17:28 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Fri Oct 13 17:17:28 2017 +0100
tree 7695d9d83964406a07069cf656e123b854296bb4
parent f5dce36a2440aaf1d2ecbac7323b5cc93f0311d4

Adapt ChangeLog

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index e199682..62a705d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,21 @@
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records
      as recommended in RFC 6347 Section 4.1.2.7.
 
+Security
+   * Change default choice of DHE parameters from untrustworthy RFC 5114
+     to RFC 3526 containing parameters generated in a nothing-up-my-sleeve
+     manner.
+
+New deprecations
+   * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by
+     parameters from RFC 3526 or the newly added parameters from RFC 7919.
+   * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc.
+     Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
+     etc.
+   * Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters
+     from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin
+     accepting DHM parameters in binary form, matching the new constants.
+
 = mbed TLS 2.6.0 branch released 2017-08-10
 
 Security