Addition of migration guide and corrections to the ChangeLog file
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
parent
97e41723fa
commit
d807060e0a
2 changed files with 21 additions and 5 deletions
|
@ -1,9 +1,14 @@
|
||||||
Removals
|
Removals
|
||||||
* Remove the following deprecated library constants
|
* Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following
|
||||||
MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1,
|
deprecated library constants: MBEDTLS_SSL_PROTO_TLS1,
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING,
|
MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING,
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
|
MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions
|
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING,
|
||||||
ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test
|
MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE,
|
||||||
|
MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions:
|
||||||
|
ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(),
|
||||||
|
ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(),
|
||||||
|
mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(),
|
||||||
|
ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test
|
||||||
function component_test_variable_ssl_in_out_buffer_len_record_splitting().
|
function component_test_variable_ssl_in_out_buffer_len_record_splitting().
|
||||||
Fixes #4286.
|
Fixes #4286.
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
Remove suport for TLS 1.0, 1.1 and DLTS 1.0
|
||||||
|
-------------------------------------------
|
||||||
|
|
||||||
|
This change affects users of the TLS 1.0, 1.1 and DTLS 1.0.
|
||||||
|
|
||||||
|
The versions of (D)TLS that are being removed are not as secure as the latest
|
||||||
|
versions. Keeping them in the library creates opportunities for misconfiguration
|
||||||
|
and possibly downgrade attacks. More generally, more code means a larger attack
|
||||||
|
surface, even if the code is supposedly not used.
|
||||||
|
|
||||||
|
The migration path is to adopt the latest versions of the protocol.
|
Loading…
Reference in a new issue