mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-22 09:40:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix and improve logs and documentation

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2022-07-01 14:36:52 +02:00
parent 08346434d2
commit 3cb707dc6d
2 changed files with 31 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog.d/tls13-misc-changelogs.txt
View File

@ -1,19 +1,18 @@
Bugfix Bugfix
* Fix a TLS 1.3 handshake failure when the first attempt to send the client * Fix a TLS 1.3 handshake failure when the first attempt to send the client
Finished message on the network cannot be satisfied. Finished message on the network cannot be satisfied. Fixes #5499.
Features Features
* Add support for authentication of TLS 1.3 clients by TLS 1.3 servers. * Add support for authentication of TLS 1.3 clients by TLS 1.3 servers.
* Add support for server HelloRetryRequest message. The TLS 1.3 client is * Add support for server HelloRetryRequest message. The TLS 1.3 client is
now capable of negotiating another shared secret if the one sent in its now capable of negotiating another shared secret if the one sent in its
first ClientHello was not suitable to the server. first ClientHello was not suitable to the server.
* Add support for TLS version negotiation. If both TLS 1.2 and TLS 1.3 * Add support for client-side TLS version negotiation. If both TLS 1.2 and
protocols are enabled in the build of Mbed TLS, the TLS client now TLS 1.3 protocols are enabled in the build of Mbed TLS, the TLS client now
negotiates TLS 1.3 or TLS 1.2 with TLS servers. negotiates TLS 1.3 or TLS 1.2 with TLS servers.
* Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS * Enable building of Mbed TLS with TLS 1.3 protocol support but without TLS
1.2 protocol support. 1.2 protocol support.
* Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key * Mbed TLS provides an implementation of a TLS 1.3 server (ephemeral key
establishment only). See docs/architecture/tls13-support.md for a establishment only). See docs/architecture/tls13-support.md for a
description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and description of the support. The MBEDTLS_SSL_PROTO_TLS1_3 and
MBEDTLS_SSL_SRV_C configuration options control the enablement of the MBEDTLS_SSL_SRV_C configuration options control this.
support.

56
docs/architecture/tls13-support.md
View File

@ -39,31 +39,30 @@ Support description
- Supported ClientHello extensions: - Supported ClientHello extensions:
| Extension | Mbed TLS | Prototype (1) | | Extension | Support |
| ---------------------------- | -------- | ------------- | | ---------------------------- | ------- |
| server_name | YES | YES | | server_name | YES |
| max_fragment_length | no | YES | | max_fragment_length | no |
| status_request | no | no | | status_request | no |
| supported_groups | YES | YES | | supported_groups | YES |
| signature_algorithms | YES | YES | | signature_algorithms | YES |
| use_srtp | no | no | | use_srtp | no |
| heartbeat | no | no | | heartbeat | no |
| apln | YES | YES | | apln | YES |
| signed_certificate_timestamp | no | no | | signed_certificate_timestamp | no |
| client_certificate_type | no | no | | client_certificate_type | no |
| server_certificate_type | no | no | | server_certificate_type | no |
| padding | no | no | | padding | no |
| key_share | YES | YES | | key_share | YES |
| pre_shared_key | no | YES | | pre_shared_key | no |
| psk_key_exchange_modes | no | YES | | psk_key_exchange_modes | no |
| early_data | no | YES | | early_data | no |
| cookie | no | YES | | cookie | no |
| supported_versions | YES | YES | | supported_versions | YES |
| certificate_authorities | no | no | | certificate_authorities | no |
| post_handshake_auth | no | no | | post_handshake_auth | no |
| signature_algorithms_cert | no | no | | signature_algorithms_cert | no |
(1) This is just for comparison.
- Supported groups: depends on the library configuration. - Supported groups: depends on the library configuration.
Potentially all ECDHE groups: Potentially all ECDHE groups:
@ -104,8 +103,8 @@ Support description
MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options MBEDTLS_PSA_CRYPTO_C and MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so these options
must be enabled. must be enabled.
Most of Mbed TLS SSL/TLS related features are not supported or not applicable Most of the Mbed TLS SSL/TLS related options are not supported or not
to the TLS 1.3 implementation: applicable to the TLS 1.3 implementation:
| Mbed TLS configuration option | Support | | Mbed TLS configuration option | Support |
| ---------------------------------------- | ------- | | ---------------------------------------- | ------- |
@ -126,7 +125,7 @@ Support description
| MBEDTLS_ECP_RESTARTABLE | no | | MBEDTLS_ECP_RESTARTABLE | no |
| MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no | | MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no |
| | | | | |
| MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (1) | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) |
| MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a |
@ -151,8 +150,7 @@ Support description
Prototype upstreaming status Prototype upstreaming status
---------------------------- ----------------------------
The following summarizes which parts of the TLS 1.3 prototype remain to be The following parts of the TLS 1.3 prototype remain to be upstreamed:
upstreamed:
- Pre-shared keys, session resumption and 0-RTT data (both client and server - Pre-shared keys, session resumption and 0-RTT data (both client and server
side). side).