Fix wording of ChangeLog and 3DES_REMOVE docs

Andres Amaya Garcia 2018-11-26 20:57:49 +00:00 committed by Manuel Pégourié-Gonnard
parent 4a512281ec
commit 22a8905686
2 changed files with 13 additions and 5 deletions

@ -8,7 +8,12 @@ Features
at the cost of additional lifetime constraints on the input at the cost of additional lifetime constraints on the input
buffer, but at the benefit of reduced RAM consumption. buffer, but at the benefit of reduced RAM consumption.
* Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
from the default list (inactive by default). from the default list (enabled by default). See
https://sweet32.info/SWEET32_CCS16.pdf.
API Changes
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
See the Features section for more information.
Bugfix Bugfix
* Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
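Review bot: In the reworded MBEDTLS_REMOVE_3DES_CIPHERSUITES entry under Features, "(enabled by default)" is ambiguous: it can be read as the option being enabled or as the 3DES ciphersuites being enabled. Suggest stating the effect directly, for example that the option is enabled by default and 3DES ciphersuites are therefore no longer in the default list. The bare "See https://sweet32.info/SWEET32_CCS16.pdf." also gives a ChangeLog reader no hint of what the link is; name the paper or the attack it describes so the entry still makes sense if the URL goes stale.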
@ -53,10 +58,6 @@ Changes
* Ensure that ssl-opt.h can be run in OS X. #2029 * Ensure that ssl-opt.h can be run in OS X. #2029
* Ciphersuites based on 3DES now have the lowest priority by default. * Ciphersuites based on 3DES now have the lowest priority by default.
API Changes
* Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
See the Features section for more information.
= mbed TLS 2.16.0 branch released 2018-12-21 = mbed TLS 2.16.0 branch released 2018-12-21
Features Features
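Review bot: The unchanged Changes entry "Ciphersuites based on 3DES now have the lowest priority by default." now sits in the same ChangeLog as a Features entry saying 3DES ciphersuites are removed from the default list by default, and the two read as contradictory. Suggest qualifying this entry so it says the lowest-priority ordering applies when MBEDTLS_REMOVE_3DES_CIPHERSUITES is disabled, or merging the two statements into one entry.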

@ -696,6 +696,13 @@
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
* them explicitly. * them explicitly.
* *
* A man-in-the browser attacker can recover authentication tokens sent through
* a TLS connection using a 3DES based cipher suite (see "On the Practical
* (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
* Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
* in your threat model or you are unsure, then you should keep this option
* enabled to remove 3DES based cipher suites.
*
* Comment this macro to keep 3DES in the default ciphersuite list. * Comment this macro to keep 3DES in the default ciphersuite list.
*/ */
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES #define MBEDTLS_REMOVE_3DES_CIPHERSUITES
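Review bot: The paragraph added to the MBEDTLS_REMOVE_3DES_CIPHERSUITES comment has wording slips worth fixing in a commit whose purpose is wording: "man-in-the browser" should be "man-in-the-browser", "3DES based" should be "3DES-based" in both places, and the citation repeats "see" ("(see "On the Practical ..." by ..., see https://...)"). The closing line "Comment this macro to keep 3DES in the default ciphersuite list." follows straight after the advice to keep the option enabled; consider saying there that doing so re-exposes the default configuration to the attack described above, so the trade-off is visible at the point where the user acts.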