diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt
index 3fb9585634..f2f2be2184 100644
--- a/ChangeLog.d/issue4286.txt
+++ b/ChangeLog.d/issue4286.txt
@@ -1,9 +1,14 @@
 Removals
- * Remove the following deprecated library constants
- MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1,
- MBEDTLS_SSL_CBC_RECORD_SPLITTING,
+ * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following
+ deprecated library constants: MBEDTLS_SSL_PROTO_TLS1,
+ MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING,
 MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
- MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions
- ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING,
+ MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE,
+ MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions:
+ ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(),
+ ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(),
+ mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(),
+ ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test
 function component_test_variable_ssl_in_out_buffer_len_record_splitting().
 Fixes #4286.
diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md
new file mode 100644
index 0000000000..899f79aa08
--- /dev/null
+++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md
@@ -0,0 +1,11 @@
+Remove suport for TLS 1.0, 1.1 and DLTS 1.0
+-------------------------------------------
+
+This change affects users of the TLS 1.0, 1.1 and DTLS 1.0.
+
+The versions of (D)TLS that are being removed are not as secure as the latest
+versions. Keeping them in the library creates opportunities for misconfiguration
+and possibly downgrade attacks. More generally, more code means a larger attack
+surface, even if the code is supposedly not used.
+
+The migration path is to adopt the latest versions of the protocol.