Adust migration guide for SSL error codes

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
Hanno Becker 2021-06-24 11:22:22 +01:00 committed by Dave Rodgman
parent 90d59dddf5
commit 2e3ecda684

View file

@ -1,20 +1,41 @@
Removal of some SSL error codes
Changes in the SSL error code space
-----------------------------------------------------------------
# Removals
This affects users manually checking for the following error codes:
- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED`
- `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH`
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE`
- `MBEDTLS_ERR_SSL_BAD_HS_XXX`
Migration paths:
- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH`
should never be returned from Mbed TLS, and there is no need to check for it.
Users should simply remove manual checks for those codes, and let the Mbed TLS
team know if -- contrary to the team's understanding -- there is in fact a situation
where one of them was ever returned.
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate
is too large to fit into the output buffers. Users should check for
is too large to fit into the output buffers.
Users should check for
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially compare the size of their
own certificate against the configured size of the output buffer to understand if
the error is due to an overly large certificate.
- All `MBEDTLS_ERR_SSL_BAD_HS_XXX` error code have been removed.
Users should check for the newly introduced generic error codes
* `MBEDTLS_ERR_SSL_DECODE_ERROR`
* `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`,
* `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`
* `MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION`
* `MBEDTLS_ERR_SSL_BAD_CERTIFICATE`
* `MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME`
instead.
Users should check for the generic error codes instead.