mbedtls/ChangeLog.d/default-curves.txt

Default behavior changes
   * Some default policies for X.509 certificate verification and TLS have
     changed: curves and hashes weaker than 255 bits are no longer accepted
     by default. The default order in TLS now favors faster curves over larger
     curves.

Removals
   * Remove the compile-time option
     MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
Changelog entry and migration guide for hash and curve profile upgrades Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2021-06-02 00:07:17 +02:00			`Default behavior changes`
			`* Some default policies for X.509 certificate verification and TLS have`
			`changed: curves and hashes weaker than 255 bits are no longer accepted`
In TLS, order curves by resource usage, not size TLS used to prefer larger curves, under the idea that a larger curve has a higher security strength and is therefore harder to attack. However, brute force attacks are not a practical concern, so this was not particularly meaningful. If a curve is considered secure enough to be allowed, then we might as well use it. So order curves by resource usage. The exact definition of what this means is purposefully left open. It may include criteria such as performance and memory usage. Risk of side channels could be a factor as well, although it didn't affect the current choice. The current list happens to exactly correspond to the numbers reported by one run of the benchmark program for "full handshake/s" on my machine. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2021-06-02 15:18:12 +02:00			`by default. The default order in TLS now favors faster curves over larger`
			`curves.`
Changelog entry and migration guide for hash and curve profile upgrades Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> 2021-06-02 00:07:17 +02:00
			`Removals`
			`* Remove the compile-time option`
			`MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.`