Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
This commit is contained in:
parent
297d7535fb
commit
5e9f14d4d9
3 changed files with 26 additions and 13 deletions
26
ChangeLog
26
ChangeLog
|
@ -41,17 +41,6 @@ New deprecations
|
||||||
* Direct manipulation of structure fields of RSA contexts is deprecated.
|
* Direct manipulation of structure fields of RSA contexts is deprecated.
|
||||||
Users are advised to use the extended RSA API instead.
|
Users are advised to use the extended RSA API instead.
|
||||||
|
|
||||||
API Changes
|
|
||||||
* Extend RSA interface by multiple functions allowing structure-
|
|
||||||
independent setup and export of RSA contexts. Most notably,
|
|
||||||
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
|
|
||||||
up RSA contexts from partial key material and having them completed to the
|
|
||||||
needs of the implementation automatically. This allows to setup private RSA
|
|
||||||
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
|
|
||||||
purpose or CRT and/or blinding.
|
|
||||||
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
|
|
||||||
implementations of the RSA interface declared in rsa.h.
|
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
|
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
|
||||||
as recommended in RFC 6347 Section 4.1.2.7.
|
as recommended in RFC 6347 Section 4.1.2.7.
|
||||||
|
@ -101,6 +90,10 @@ Bugfix
|
||||||
RSA test suite where the failure of CTR DRBG initialization lead to
|
RSA test suite where the failure of CTR DRBG initialization lead to
|
||||||
freeing an RSA context and several MPI's without proper initialization
|
freeing an RSA context and several MPI's without proper initialization
|
||||||
beforehand.
|
beforehand.
|
||||||
|
* Fix setting version TLSv1 as minimal version, even if TLS 1
|
||||||
|
is not enabled. Set `MBEDTLS_SSL_MIN_MAJOR_VERSION`
|
||||||
|
and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead
|
||||||
|
of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
|
||||||
|
|
||||||
Changes
|
Changes
|
||||||
* Extend cert_write example program by options to set the CRT version
|
* Extend cert_write example program by options to set the CRT version
|
||||||
|
@ -114,6 +107,17 @@ Changes
|
||||||
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
|
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
|
||||||
undeclared dependency of the RSA module on the ASN.1 module.
|
undeclared dependency of the RSA module on the ASN.1 module.
|
||||||
|
|
||||||
|
API Changes
|
||||||
|
* Extend RSA interface by multiple functions allowing structure-
|
||||||
|
independent setup and export of RSA contexts. Most notably,
|
||||||
|
mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
|
||||||
|
up RSA contexts from partial key material and having them completed to the
|
||||||
|
needs of the implementation automatically. This allows to setup private RSA
|
||||||
|
contexts from keys consisting of N,D,E only, even if P,Q are needed for the
|
||||||
|
purpose or CRT and/or blinding.
|
||||||
|
* The configuration option MBEDTLS_RSA_ALT can be used to define alternative
|
||||||
|
implementations of the RSA interface declared in rsa.h.
|
||||||
|
|
||||||
= mbed TLS 2.6.0 branch released 2017-08-10
|
= mbed TLS 2.6.0 branch released 2017-08-10
|
||||||
|
|
||||||
Security
|
Security
|
||||||
|
|
|
@ -69,6 +69,9 @@
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
|
||||||
|
#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
/* Determine maximum supported version */
|
/* Determine maximum supported version */
|
||||||
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
|
|
|
@ -7602,8 +7602,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||||
* Default
|
* Default
|
||||||
*/
|
*/
|
||||||
default:
|
default:
|
||||||
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
|
||||||
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
|
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
|
||||||
|
MBEDTLS_SSL_MIN_MAJOR_VERSION :
|
||||||
|
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
|
||||||
|
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
|
||||||
|
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
|
||||||
|
MBEDTLS_SSL_MIN_MINOR_VERSION :
|
||||||
|
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
|
||||||
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
||||||
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue