Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / d807060e0a2528547c278ed9cea9e184e52c5b0d^! / .
commitd807060e0a2528547c278ed9cea9e184e52c5b0d[log] [tgz]
authorTRodziewicz <tomasz.rodziewicz@mobica.com>Fri May 14 11:09:44 2021 +0200
committerTRodziewicz <tomasz.rodziewicz@mobica.com>Mon May 24 12:50:51 2021 +0200
treefc5791cc4b29084f76741df6b2ede0e7a9d93b36
parent97e41723fa876eba6445efffe2e57488e7a8ddb4 [diff]
Addition of migration guide and corrections to the ChangeLog file

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>

diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt
index 3fb9585..f2f2be2 100644
--- a/ChangeLog.d/issue4286.txt
+++ b/ChangeLog.d/issue4286.txt

@@ -1,9 +1,14 @@
 Removals
-   * Remove the following deprecated library constants
-     MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1,
-     MBEDTLS_SSL_CBC_RECORD_SPLITTING,
+   * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following
+     deprecated library constants: MBEDTLS_SSL_PROTO_TLS1,
+     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING,
      MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
-     MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions
-     ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test
+     MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING,
+     MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE,
+     MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions:
+     ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(),
+     ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(),
+     mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(),
+     ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test
      function component_test_variable_ssl_in_out_buffer_len_record_splitting().
      Fixes #4286.

diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md
new file mode 100644
index 0000000..899f79a
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md

@@ -0,0 +1,11 @@
+Remove suport for TLS 1.0, 1.1 and DLTS 1.0
+-------------------------------------------
+
+This change affects users of the TLS 1.0, 1.1 and DTLS 1.0.
+
+The versions of (D)TLS that are being removed are not as secure as the latest
+versions. Keeping them in the library creates opportunities for misconfiguration
+and possibly downgrade attacks. More generally, more code means a larger attack
+surface, even if the code is supposedly not used.
+
+The migration path is to adopt the latest versions of the protocol.