mirror of
				https://github.com/Mbed-TLS/mbedtls.git
				synced 2025-10-26 00:37:41 +03:00 
			
		
		
		
	Merge pull request #10397 from minosgalanakis/debug/restore_changelogs
Changelog entries post migration to TF-PSA-Crypto
										2
									
								
								ChangeLog.d/9684.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove support for the DHE-PSK key exchange in TLS 1.2. | ||||||
							
								
								
									
										2
									
								
								ChangeLog.d/9685.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove support for the DHE-RSA key exchange in TLS 1.2. | ||||||
							
								
								
									
										5
									
								
								ChangeLog.d/9874.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | |||||||
|  | API changes | ||||||
|  |    * Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API. | ||||||
|  |      Instead of taking a mbedtls_cipher_type_t as an argument, this function | ||||||
|  |      now takes 3 new arguments: a PSA algorithm, key type and key size, to | ||||||
|  |      specify the AEAD for ticket protection. | ||||||
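Review bot: the mbedtls_ssl_ticket_setup() entry lists "key size" among the three new arguments without a unit. State whether it is given in bits or bytes, and consider naming the argument types, so that a caller migrating from mbedtls_cipher_type_t can see the new call shape from the changelog alone.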
							
								
								
									
										5
									
								
								ChangeLog.d/9892.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove deprecated mbedtls_x509write_crt_set_serial(). The function was | ||||||
|  |      already deprecated and superseded by | ||||||
|  |      mbedtls_x509write_crt_set_serial_raw(). | ||||||
|  |  | ||||||
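Review bot: "deprecated" is stated twice in this entry ("Remove deprecated ..." and "The function was already deprecated"). The second sentence can be shortened to a direct instruction such as "Use mbedtls_x509write_crt_set_serial_raw() instead."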
							
								
								
									
										6
									
								
								ChangeLog.d/9956.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,6 @@ | |||||||
|  | Removals | ||||||
|  |    * Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the | ||||||
|  |      following SSL functions are removed: | ||||||
|  |      - mbedtls_ssl_conf_dh_param_bin | ||||||
|  |      - mbedtls_ssl_conf_dh_param_ctx | ||||||
|  |      - mbedtls_ssl_conf_dhm_min_bitlen | ||||||
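Review bot: the first line is missing an article ("the removal of DHM module" should read "the removal of the DHM module"), and the three removed functions are listed without parentheses, unlike function names in the other entries of this commit. The entry also gives callers of these functions no hint about what to do instead; one sentence saying that no replacement is needed or offered would close that gap.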
							
								
								
									
										26
									
								
								ChangeLog.d/9964.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,26 @@ | |||||||
|  | Removals | ||||||
|  |    * Sample programs for the legacy crypto API have been removed. | ||||||
|  |           pkey/rsa_genkey.c | ||||||
|  |           pkey/pk_decrypt.c | ||||||
|  |           pkey/dh_genprime.c | ||||||
|  |           pkey/rsa_verify.c | ||||||
|  |           pkey/mpi_demo.c | ||||||
|  |           pkey/rsa_decrypt.c | ||||||
|  |           pkey/key_app.c | ||||||
|  |           pkey/dh_server.c | ||||||
|  |           pkey/ecdh_curve25519.c | ||||||
|  |           pkey/pk_encrypt.c | ||||||
|  |           pkey/rsa_sign.c | ||||||
|  |           pkey/key_app_writer.c | ||||||
|  |           pkey/dh_client.c | ||||||
|  |           pkey/ecdsa.c | ||||||
|  |           pkey/rsa_encrypt.c | ||||||
|  |           wince_main.c | ||||||
|  |           aes/crypt_and_hash.c | ||||||
|  |           random/gen_random_ctr_drbg.c | ||||||
|  |           random/gen_entropy.c | ||||||
|  |           hash/md_hmac_demo.c | ||||||
|  |           hash/hello.c | ||||||
|  |           hash/generic_sum.c | ||||||
|  |           cipher/cipher_aead_demo.c | ||||||
|  |  | ||||||
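Review bot: in the removed-programs list, wince_main.c is the only path without a directory prefix, so it is unclear where it lived relative to pkey/, aes/, random/, hash/ and cipher/. The list is also indented by ten spaces with no bullet markers and the sentence is passive ("have been removed") where the other Removals entries are imperative; aligning both with the neighbouring entries would make the assembled ChangeLog consistent.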
							
								
								
									
										6
									
								
								ChangeLog.d/add-tls-exporter.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,6 @@ | |||||||
|  | Features | ||||||
|  |    * Add the function mbedtls_ssl_export_keying_material() which allows the | ||||||
|  |      client and server to extract additional shared symmetric keys from an SSL | ||||||
|  |      session, according to the TLS-Exporter specification in RFC 8446 and 5705. | ||||||
|  |      This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in | ||||||
|  |      mbedtls_config.h. | ||||||
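Review bot: "RFC 8446 and 5705" should read "RFC 8446 and RFC 5705", and the entry should say which TLS versions mbedtls_ssl_export_keying_material() supports, since the two RFCs are cited together without saying which applies where. "SSL session" would also read better as "TLS session", matching the rest of the sentence.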
							
								
								
									
										12
									
								
								ChangeLog.d/error-unification.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,12 @@ | |||||||
|  | API changes | ||||||
|  |    * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx() | ||||||
|  |      functions can now return PSA_ERROR_xxx values. | ||||||
|  |      There is no longer a distinction between "low-level" and "high-level" | ||||||
|  |      Mbed TLS error codes. | ||||||
|  |      This will not affect most applications since the error values are | ||||||
|  |      between -32767 and -1 as before. | ||||||
|  |  | ||||||
|  | Removals | ||||||
|  |    * Remove mbedtls_low_level_strerr() and mbedtls_high_level_strerr(), | ||||||
|  |      since these concepts no longer exists. There is just mbedtls_strerror(). | ||||||
|  |  | ||||||
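Review bot: the API-changes entry says the unification "will not affect most applications" but never names the ones it does affect. Since mbedtls_xxx() functions can now return PSA_ERROR_xxx values, code that compares a return value against a specific MBEDTLS_ERR_xxx constant is the pattern worth calling out explicitly. In the Removals entry, "these concepts no longer exists" should be "no longer exist".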
							
								
								
									
										8
									
								
								ChangeLog.d/fix-asn1-store-named-data.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,8 @@ | |||||||
|  | Security | ||||||
|  |    * Fix a bug in tf-psa-crypto's mbedtls_asn1_store_named_data() where it | ||||||
|  |      would sometimes leave an item in the output list in an inconsistent | ||||||
|  |      state with val.p == NULL but val.len > 0. Affected functions used in X.509 | ||||||
|  |      would then dereference a NULL pointer. Applications that do not | ||||||
|  |      call this function (directly, or indirectly through X.509 writing) are not | ||||||
|  |      affected. Found by Linh Le and Ngan Nguyen from Calif. | ||||||
|  |  | ||||||
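Review bot: "Affected functions used in X.509" does not name the functions, so a reader cannot check their own call sites from this entry alone; list them or point to the entry that does. The project name is spelled "tf-psa-crypto's" here and "TF-PSA-Crypto" elsewhere in this commit, and unlike the other Security entries this one ends without a CVE line, which should be either added or confirmed as intentional.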
							
								
								
									
										5
									
								
								ChangeLog.d/fix-clang-psa-build-without-dhm.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix Clang compilation error when finite-field Diffie-Hellman is disabled. | ||||||
|  |      Reported by Michael Schuster in #9188. | ||||||
|  |  | ||||||
|  |  | ||||||
| @@ -0,0 +1,2 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix compilation error when memcpy() is a function-like macros. Fixes #8994. | ||||||
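Review bot: "a function-like macros" mixes singular and plural; it should read "a function-like macro".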
							
								
								
									
										2
									
								
								ChangeLog.d/fix-compilation-with-djgpp.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix compilation on MS-DOS DJGPP. Fixes #9813. | ||||||
							
								
								
									
										6
									
								
								ChangeLog.d/fix-legacy-compression-issue.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,6 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fixes an issue where some TLS 1.2 clients could not connect to an | ||||||
|  |      Mbed TLS 3.6.0 server, due to incorrect handling of | ||||||
|  |      legacy_compression_methods in the ClientHello. | ||||||
|  |      fixes #8995, #9243. | ||||||
|  |  | ||||||
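Review bot: this entry opens with "Fixes an issue" where the other Bugfix entries use the imperative "Fix", and its last line starts with a lowercase "fixes #8995, #9243." Suggest "Fix an issue ..." and "Fixes #8995, #9243." for consistency.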
							
								
								
									
										5
									
								
								ChangeLog.d/fix-msvc-version-guard-format-zu.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that | ||||||
|  |      occurred whenever SSL debugging was enabled on a copy of Mbed TLS built | ||||||
|  |      with Visual Studio 2013 or MinGW. | ||||||
|  |      Fixes #10017. | ||||||
							
								
								
									
										3
									
								
								ChangeLog.d/fix-server-mode-only-build.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,3 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but | ||||||
|  |      MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186. | ||||||
							
								
								
									
										19
									
								
								ChangeLog.d/fix-string-to-names-memory-management.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,19 @@ | |||||||
|  | Security | ||||||
|  |    * Fix possible use-after-free or double-free in code calling | ||||||
|  |      mbedtls_x509_string_to_names(). This was caused by the function calling | ||||||
|  |      mbedtls_asn1_free_named_data_list() on its head argument, while the | ||||||
|  |      documentation did no suggest it did, making it likely for callers relying | ||||||
|  |      on the documented behaviour to still hold pointers to memory blocks after | ||||||
|  |      they were free()d, resulting in high risk of use-after-free or double-free, | ||||||
|  |      with consequences ranging up to arbitrary code execution. | ||||||
|  |      In particular, the two sample programs x509/cert_write and x509/cert_req | ||||||
|  |      were affected (use-after-free if the san string contains more than one DN). | ||||||
|  |      Code that does not call mbedtls_string_to_names() directly is not affected. | ||||||
|  |      Found by Linh Le and Ngan Nguyen from Calif. | ||||||
|  |      CVE-2025-47917 | ||||||
|  |  | ||||||
|  | Changes | ||||||
|  |    * The function mbedtls_x509_string_to_names() now requires its head argument | ||||||
|  |      to point to NULL on entry. This makes it likely that existing risky uses of | ||||||
|  |      this function (see the entry in the Security section) will be detected and | ||||||
|  |      fixed. | ||||||
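Review bot: the Security entry names the function as mbedtls_x509_string_to_names() at the top but as mbedtls_string_to_names() in "Code that does not call mbedtls_string_to_names() directly", which will mislead anyone grepping for the affected symbol. It also has a typo, "the documentation did no suggest" (should be "did not"), and "the san string" is unclear next to "more than one DN". In the Changes entry, state what the function does when head does not point to NULL on entry (for example, which error it returns), since that is how callers will detect the risky uses the entry mentions.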
							
								
								
									
										10
									
								
								ChangeLog.d/fix-string-to-names-store-named-data.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,10 @@ | |||||||
|  | Security | ||||||
|  |    * Fix a bug in mbedtls_x509_string_to_names() and the | ||||||
|  |      mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() functions, | ||||||
|  |      where some inputs would cause an inconsistent state to be reached, causing | ||||||
|  |      a NULL dereference either in the function itself, or in subsequent | ||||||
|  |      users of the output structure, such as mbedtls_x509_write_names(). This | ||||||
|  |      only affects applications that create (as opposed to consume) X.509 | ||||||
|  |      certificates, CSRs or CRLs. Found by Linh Le and Ngan Nguyen from Calif. | ||||||
|  |      CVE-2025-48965 | ||||||
|  |  | ||||||
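Review bot: the brace shorthand mbedtls_x509write_{crt,csr}_set_{subject,issuer}_name() cannot be found by searching for any of the four real function names. For a Security entry, spelling the names out helps users audit their call sites.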
							
								
								
									
										12
									
								
								ChangeLog.d/fix_reporting_of_key_usage_issues.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,12 @@ | |||||||
|  | Security | ||||||
|  |    * With TLS 1.3, when a server enables optional authentication of the | ||||||
|  |      client, if the client-provided certificate does not have appropriate values | ||||||
|  |      in keyUsage or extKeyUsage extensions, then the return value of | ||||||
|  |      mbedtls_ssl_get_verify_result() would incorrectly have the | ||||||
|  |      MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_EXT_KEY_USAGE bits | ||||||
|  |      clear. As a result, an attacker that had a certificate valid for uses other | ||||||
|  |      than TLS client authentication could be able to use it for TLS client | ||||||
|  |      authentication anyway. Only TLS 1.3 servers were affected, and only with | ||||||
|  |      optional authentication (required would abort the handshake with a fatal | ||||||
|  |      alert). | ||||||
|  |      CVE-2024-45159 | ||||||
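Review bot: the entry describes the incorrect flags in mbedtls_ssl_get_verify_result() but does not say since which release TLS 1.3 servers were affected, so operators cannot tell whether a deployed version needs the fix. "could be able to use it" is also better as "could use it".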
							
								
								
									
										18
									
								
								ChangeLog.d/mbedtls_ssl_set_hostname.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,18 @@ | |||||||
|  | Default behavior changes | ||||||
|  |    * In TLS clients, if mbedtls_ssl_set_hostname() has not been called, | ||||||
|  |      mbedtls_ssl_handshake() now fails with | ||||||
|  |      MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME | ||||||
|  |      if certificate-based authentication of the server is attempted. | ||||||
|  |      This is because authenticating a server without knowing what name | ||||||
|  |      to expect is usually insecure. | ||||||
|  |  | ||||||
|  | Security | ||||||
|  |    * Note that TLS clients should generally call mbedtls_ssl_set_hostname() | ||||||
|  |      if they use certificate authentication (i.e. not pre-shared keys). | ||||||
|  |      Otherwise, in many scenarios, the server could be impersonated. | ||||||
|  |      The library will now prevent the handshake and return | ||||||
|  |      MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME | ||||||
|  |      if mbedtls_ssl_set_hostname() has not been called. | ||||||
|  |      Reported by Daniel Stenberg. | ||||||
|  |      CVE-2025-27809 | ||||||
|  |  | ||||||
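Review bot: both entries say the handshake now fails with MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, but neither tells a client that legitimately has no expected server name how to proceed. "Usually insecure" and "in many scenarios" imply there are valid exceptions, so add a sentence or a pointer to the mbedtls_ssl_set_hostname() documentation describing the supported way to handle them. The two entries also largely repeat each other; the Security one could refer to the behaviour change instead of restating it.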
							
								
								
									
										8
									
								
								ChangeLog.d/oid.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,8 @@ | |||||||
|  | Removals | ||||||
|  |    * The library no longer offers interfaces to look up values by OID | ||||||
|  |      or OID by enum values. | ||||||
|  |      The header <mbedtls/oid.h> now only defines functions to convert | ||||||
|  |      between binary and dotted string OID representations, and macros | ||||||
|  |      for OID strings that are relevant to X.509. | ||||||
|  |      The compilation option MBEDTLS_OID_C no longer | ||||||
|  |      exists. OID tables are included in the build automatically as needed. | ||||||
							
								
								
									
										11
									
								
								ChangeLog.d/psa-always-on.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,11 @@ | |||||||
|  | Default behavior changes | ||||||
|  |    * The X.509 and TLS modules now always use the PSA subsystem | ||||||
|  |      to perform cryptographic operations, with a few exceptions documented | ||||||
|  |      in docs/architecture/psa-migration/psa-limitations.md. This | ||||||
|  |      corresponds to the behavior of Mbed TLS 3.x when | ||||||
|  |      MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO | ||||||
|  |      is now always enabled. | ||||||
|  |    * psa_crypto_init() must be called before performing any cryptographic | ||||||
|  |      operation, including indirect requests such as parsing a key or | ||||||
|  |      certificate or starting a TLS handshake. | ||||||
|  |  | ||||||
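Review bot: the second bullet says psa_crypto_init() "must be called" before parsing a key or certificate or starting a TLS handshake, but not what happens when it is not. State the failure mode (the error returned, or that behaviour is undefined) so that applications upgrading from a build without MBEDTLS_USE_PSA_CRYPTO know what symptom to look for.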
							
								
								
									
										6
									
								
								ChangeLog.d/removal-of-rng.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,6 @@ | |||||||
|  | API changes | ||||||
|  |    * All API functions now use the PSA random generator psa_generate_random() | ||||||
|  |      internally. As a consequence, functions no longer take RNG parameters. | ||||||
|  |      Please refer to the migration guide at : | ||||||
|  |      docs/4.0-migration-guide.md. | ||||||
|  |  | ||||||
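Review bot: "migration guide at :" has a stray space before the colon. Since functions no longer take RNG parameters, the entry should also say that psa_crypto_init() has to have been called before them, or point at the entry that says so, because the RNG is now implicit.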
							
								
								
									
										2
									
								
								ChangeLog.d/remove-compat-2.x.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove compat-2-x.h header from mbedtls. | ||||||
							
								
								
									
										2
									
								
								ChangeLog.d/remove_RSA_key_exchange.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove support for the RSA key exchange in TLS 1.2. | ||||||
							
								
								
									
										4
									
								
								ChangeLog.d/replace-close-with-mbedtls_net_close.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Use 'mbedtls_net_close' instead of 'close' in 'mbedtls_net_bind' | ||||||
|  |      and 'mbedtls_net_connect' to prevent possible double close fd | ||||||
|  |      problems. Fixes #9711. | ||||||
							
								
								
									
										5
									
								
								ChangeLog.d/repo-split.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | |||||||
|  | Changes | ||||||
|  |    * Move the crypto part of the library (content of tf-psa-crypto directory) | ||||||
|  |      from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and | ||||||
|  |      tests development will now occur in TF-PSA-Crypto, which Mbed TLS | ||||||
|  |      references as a Git submodule. | ||||||
							
								
								
									
										4
									
								
								ChangeLog.d/rm-ssl-conf-curves.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove the function mbedtls_ssl_conf_curves() which had been deprecated | ||||||
|  |      in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1. | ||||||
|  |  | ||||||
| @@ -0,0 +1,4 @@ | |||||||
|  | Changes | ||||||
|  |    * Functions regarding numeric string conversions for OIDs have been moved | ||||||
|  |      from the OID module and now reside in X.509 module. This helps to reduce | ||||||
|  |      the code size as these functions are not commonly used outside of X.509. | ||||||
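Review bot: this entry says the OID numeric string conversion functions "now reside in X.509 module", while the oid.txt entry in the same commit says the header <mbedtls/oid.h> still defines the functions that convert between binary and dotted string OID representations. Reconcile the two, and name the functions and the header a caller should now include. "in X.509 module" is also missing an article.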
							
								
								
									
										7
									
								
								ChangeLog.d/tls-hs-defrag-in.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,7 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Support re-assembly of fragmented handshake messages in TLS (both | ||||||
|  |      1.2 and 1.3). The lack of support was causing handshake failures with | ||||||
|  |      some servers, especially with TLS 1.3 in practice. There are a few | ||||||
|  |      limitations, notably a fragmented ClientHello is only supported when | ||||||
|  |      TLS 1.3 support is enabled. See the documentation of | ||||||
|  |      mbedtls_ssl_handshake() for details. | ||||||
							
								
								
									
										2
									
								
								ChangeLog.d/tls-key-exchange-rsa.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,2 @@ | |||||||
|  | Removals | ||||||
|  |    * Remove support for the RSA-PSK key exchange in TLS 1.2. | ||||||
							
								
								
									
										6
									
								
								ChangeLog.d/tls12-check-finished-calc.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,6 @@ | |||||||
|  | Security | ||||||
|  |    * Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed | ||||||
|  |      or there was a cryptographic hardware failure when calculating the | ||||||
|  |      Finished message, it could be calculated incorrectly. This would break | ||||||
|  |      the security guarantees of the TLS handshake. | ||||||
|  |      CVE-2025-27810 | ||||||
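Review bot: "This would break the security guarantees of the TLS handshake" is too vague for a Security entry and does not say what the library does now. State the fixed behaviour (for example, that the handshake fails when the Finished calculation reports an error) so readers can judge exposure and confirm the fix.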
							
								
								
									
										18
									
								
								ChangeLog.d/tls13-cert-regressions.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,18 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fixed a regression introduced in 3.6.0 where the CA callback set with | ||||||
|  |      mbedtls_ssl_conf_ca_cb() would stop working when connections were | ||||||
|  |      upgraded to TLS 1.3. Fixed by adding support for the CA callback with TLS | ||||||
|  |      1.3. | ||||||
|  |    * Fixed a regression introduced in 3.6.0 where clients that relied on | ||||||
|  |      optional/none authentication mode, by calling mbedtls_ssl_conf_authmode() | ||||||
|  |      with MBEDTLS_SSL_VERIFY_OPTIONAL or MBEDTLS_SSL_VERIFY_NONE, would stop | ||||||
|  |      working when connections were upgraded to TLS 1.3. Fixed by adding | ||||||
|  |      support for optional/none with TLS 1.3 as well. Note that the TLS 1.3 | ||||||
|  |      standard makes server authentication mandatory; users are advised not to | ||||||
|  |      use authmode none, and to carefully check the results when using optional | ||||||
|  |      mode. | ||||||
|  |    * Fixed a regression introduced in 3.6.0 where context-specific certificate | ||||||
|  |      verify callbacks, set with mbedtls_ssl_set_verify() as opposed to | ||||||
|  |      mbedtls_ssl_conf_verify(), would stop working when connections were | ||||||
|  |      upgraded to TLS 1.3. Fixed by adding support for context-specific verify | ||||||
|  |      callback in TLS 1.3. | ||||||
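Review bot: the second bullet places security guidance ("users are advised not to use authmode none, and to carefully check the results when using optional mode") inside a Bugfix entry, where it is easy to miss. Consider moving that sentence to a Security note or repeating it there. All three bullets also open with "Fixed" where the other Bugfix entries in this commit use "Fix".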
							
								
								
									
										4
									
								
								ChangeLog.d/tls13-middlebox-compat-disabled.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | |||||||
|  | Bugfix | ||||||
|  |    * When MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, work with | ||||||
|  |      peers that have middlebox compatibility enabled, as long as no | ||||||
|  |      problematic middlebox is in the way. Fixes #9551. | ||||||
							
								
								
									
										3
									
								
								ChangeLog.d/tls13-without-tickets.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,3 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Fix TLS 1.3 client build and runtime when support for session tickets is | ||||||
|  |      disabled (MBEDTLS_SSL_SESSION_TICKETS configuration option). Fixes #6395. | ||||||
							
								
								
									
										3
									
								
								ChangeLog.d/unterminated-string-initialization.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,3 @@ | |||||||
|  | Bugfix | ||||||
|  |    * Silence spurious -Wunterminated-string-initialization warnings introduced | ||||||
|  |      by GCC 15. Fixes #9944. | ||||||