Merge pull request #8930 from ronald-cron-arm/tls13-doc-update

TLS 1.3: Documentation update for 3.6 release
2025-08-08 17:42:09 +03:00 · 2024-03-15 16:41:52 +00:00
parent a457633034 a9bdc8fbb8
commit c9db499299
5 changed files with 211 additions and 233 deletions
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1854,9 +1854,6 @@
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
 * is not enabled, this option does not have any effect on the build.
 *
- * This feature is experimental, not completed and thus not ready for
- * production.
- *
 * \note The maximum amount of early data can be set with
 *       MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.
 *
@@ -4145,10 +4142,6 @@
 *
 * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
 * have any impact on the build.
- *
- * This feature is experimental, not completed and thus not ready for
- * production.
- *
 */
 //#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE        1024

--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2102,9 +2102,6 @@ void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode);
 *  MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA indicating that some early data have
 *  been received. To read the early data, call mbedtls_ssl_read_early_data()
 *  before calling the original function again.
- *
- * \warning This interface is experimental and may change without notice.
- *
 */
 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
                                 int early_data_enabled);
@@ -2130,12 +2127,9 @@ void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
 * \param[in] conf                  The SSL configuration to use.
 * \param[in] max_early_data_size   The maximum amount of 0-RTT data.
 *
- * \warning This interface is experimental and may change without notice.
- *
 * \warning This interface DOES NOT influence/limit the amount of early data
 *          that can be received through previously created and issued tickets,
 *          which clients may have stored.
- *
 */
 void mbedtls_ssl_conf_max_early_data_size(
    mbedtls_ssl_config *conf, uint32_t max_early_data_size);
@@ -5229,6 +5223,11 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl);
 *                   same warnings apply to any use of the
 *                   early_exporter_master_secret.
 *
+ * \warning        Mbed TLS does not implement any of the anti-replay defenses
+ *                 defined in section 8 of the TLS 1.3 specification:
+ *                 single-use of tickets or ClientHello recording within a
+ *                 given time window.
+ *
 * \note           This function is used in conjunction with
 *                 mbedtls_ssl_handshake(), mbedtls_ssl_handshake_step(),
 *                 mbedtls_ssl_read() and mbedtls_ssl_write() to read early