From 3cb707dc6d7ace9d874b3a1aa206f8ec7fdb406e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 1 Jul 2022 14:36:52 +0200 Subject: [PATCH] Fix and improve logs and documentation Signed-off-by: Ronald Cron --- ChangeLog.d/tls13-misc-changelogs.txt | 9 ++--- docs/architecture/tls13-support.md | 56 +++++++++++++-------------- 2 files changed, 31 insertions(+), 34 deletions(-) diff --git a/ChangeLog.d/tls13-misc-changelogs.txt b/ChangeLog.d/tls13-misc-changelogs.txt index f097d6cca5..a575b33458 100644 --- a/ChangeLog.d/tls13-misc-changelogs.txt +++ b/ChangeLog.d/tls13-misc-changelogs.txt @@ -1,19 +1,18 @@ Bugfix * Fix a TLS 1.3 handshake failure when the first attempt to send the client - Finished message on the network cannot be satisfied. + Finished message on the network cannot be satisfied. Fixes #5499. Features * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers. * Add support for server HelloRetryRequest message. The TLS 1.3 client is now capable of negotiating another shared secret if the one sent in its first ClientHello was not suitable to the server. - * Add support for TLS version negotiation. If both TLS 1.2 and TLS 1.3 - protocols are enabled in the build of Mbed TLS, the TLS client now + * Add support for client-side TLS version negotiation. If both TLS 1.2 and + TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now negotiates TLS 1.3 or TLS 1.2 with TLS servers. * Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS 1.2 protocol support. * Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key establishment only). See docs/architecture/tls13-support.md for a description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and - MBEDTLS_SSL_SRV_C configuration options control the enablement of the - support. + MBEDTLS_SSL_SRV_C configuration options control this. diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md index de92690d75..10da3c5ab2 100644 
--- a/docs/architecture/tls13-support.md +++ b/docs/architecture/tls13-support.md @@ -39,31 +39,30 @@ Support description - Supported ClientHello extensions: - | Extension | Mbed TLS | Prototype (1) | - | ---------------------------- | -------- | ------------- | - | server_name | YES | YES | - | max_fragment_length | no | YES | - | status_request | no | no | - | supported_groups | YES | YES | - | signature_algorithms | YES | YES | - | use_srtp | no | no | - | heartbeat | no | no | - | apln | YES | YES | - | signed_certificate_timestamp | no | no | - | client_certificate_type | no | no | - | server_certificate_type | no | no | - | padding | no | no | - | key_share | YES | YES | - | pre_shared_key | no | YES | - | psk_key_exchange_modes | no | YES | - | early_data | no | YES | - | cookie | no | YES | - | supported_versions | YES | YES | - | certificate_authorities | no | no | - | post_handshake_auth | no | no | - | signature_algorithms_cert | no | no | + | Extension | Support | + | ---------------------------- | ------- | + | server_name | YES | + | max_fragment_length | no | + | status_request | no | + | supported_groups | YES | + | signature_algorithms | YES | + | use_srtp | no | + | heartbeat | no | + | apln | YES | + | signed_certificate_timestamp | no | + | client_certificate_type | no | + | server_certificate_type | no | + | padding | no | + | key_share | YES | + | pre_shared_key | no | + | psk_key_exchange_modes | no | + | early_data | no | + | cookie | no | + | supported_versions | YES | + | certificate_authorities | no | + | post_handshake_auth | no | + | signature_algorithms_cert | no | - (1) This is just for comparison. - Supported groups: depends on the library configuration. Potentially all ECDHE groups: 
@@ -104,8 +103,8 @@ Support description MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options must be enabled. - Most of Mbed TLS SSL/TLS related features are not supported or not applicable - to the TLS 1.3 implementation: + Most of the Mbed TLS SSL/TLS related options are not supported or not + applicable to the TLS 1.3 implementation: | Mbed TLS configuration option | Support | | ---------------------------------------- | ------- | @@ -126,7 +125,7 @@ Support description | MBEDTLS_ECP_RESTARTABLE | no | | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no | | | | - | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (1) | + | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a | @@ -151,8 +150,7 @@ Support description Prototype upstreaming status ---------------------------- -The following summarizes which parts of the TLS 1.3 prototype remain to be -upstreamed: +The following parts of the TLS 1.3 prototype remain to be upstreamed: - Pre-shared keys, session resumption and 0-RTT data (both client and server side).
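Review bot: in the last Features entry of ChangeLog.d/tls13-misc-changelogs.txt (hunk @@ -1,19 +1,18 @@), "configuration options control this." has no clear referent, because the sentence before it is about the description in docs/architecture/tls13-support.md rather than about the server implementation. Suggest naming the thing being controlled, for example "control whether the TLS 1.3 server is built.", so the entry still reads correctly once it is merged into the release ChangeLog.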
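Review bot: the extension name is misspelled as "apln" in the rewritten ClientHello extensions table of docs/architecture/tls13-support.md (hunk @@ -39,31 +39,30 @@). Every row of the table is rewritten by this change, so this is the place to fix it: change "| apln | YES |" to "| alpn | YES |", or spell out application_layer_protocol_negotiation so the row uses the registered extension name like the rows around it.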
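Review bot: the footnote marker on the MBEDTLS_KEY_EXCHANGE_PSK_ENABLED row changes from "n/a (1)" to "n/a (2)" in hunk @@ -126,7 +125,7 @@ of docs/architecture/tls13-support.md, but none of the visible hunks touches the footnote text under the configuration table. The only footnote edit shown is the removal of "(1) This is just for comparison." under the extensions table. Please confirm that a note numbered (2) exists below this table and is the one meant for this row, or include the renumbered footnote in the patch so the reference does not dangle.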