From 0ea257650207918f84748c589c1e8238e701fbf2 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 9 Jun 2021 13:24:48 +0200 Subject: [PATCH] Correction to the migr. guide wording and removal of not needed option Signed-off-by: TRodziewicz --- ...LS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md index 34ec4738ae..738fa81fd1 100644 --- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md @@ -1,9 +1,13 @@ -Remove the X509 parser sensitivity control for an unknown critical extension from config.h ------------------------------------------------------------------------------------------- +Remove the config option MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION +-------------------------------------------------------------------------- -It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` -option which if set, allowed the X509 parser to parse an X509 certificate -even when it encountered an unknown critical extension. +This change does not affect users of the default configuration; it only affect +users who enable this option. + +The X.509 standard says that implementations must reject critical extensions that +they don't recognize, and this is what Mbed TLS does by default. This option +allowed to continue parsing those certificates but didn't provide a convenient +way to handle those extensions. The migration path from that option is to use the `mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally
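Review bot: the new text has two grammar slips that should be fixed before merge. In the added line "This change does not affect users of the default configuration; it only affect users who enable this option." the verb should be "only affects". In "This option allowed to continue parsing those certificates but didn't provide a convenient way to handle those extensions." the phrase "allowed to continue parsing" needs an object, for example "allowed parsing of those certificates to continue". The substance of the rewrite is sound: stating that the default behaviour (rejecting unrecognized critical extensions, as the X.509 standard requires) is unchanged, and that only users who had enabled the option need to migrate, is clearer for readers than the removed wording, and pointing them at `mbedtls_x509_crt_parse_der_with_ext_cb()` as the way to actually handle such extensions is the right migration path.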