From 88d37859b6d1b0ddce970a5d01576e0708b9512e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 17 Jun 2015 14:26:49 +0200 Subject: [PATCH] Update Changelog for the profiles branch --- ChangeLog | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1d995c8a3..8c183a9d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,8 +9,12 @@ Features ability to override the whole module. * New server-side implementation of session tickets that rotate keys to preserve forward secrecy, and allows sharing across multiple contexts. - * Reduced ROM fooprint of SHA-256 and added an option to reduce it even - more (at the expense of performance) MBEDTLS_SHA256_SMALLER. + * Added a concept of X.509 cerificate verification profile that controls + which algorithms and key sizes (curves for ECDSA) are acceptable. + * Expanded configurability of security parameters in the SSL module with + mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes(). + * Introduced a concept of presets for SSL security-relevant configuration + parameters. API Changes * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. @@ -129,6 +133,8 @@ Default behavior changes enabled in the default configuration, this is only noticeable if using a custom config.h * Default DHM parameters server-side upgraded from 1024 to 2048 bits. + * A minimum RSA key size of 2048 bits is now enforced during ceritificate + chain verification. * Negotiation of truncated HMAC is now disabled by default on server too. * The following functions are now case-sensitive: mbedtls_cipher_info_from_string() @@ -157,6 +163,8 @@ API changes from the 1.4 preview branch Changes * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now thread-safe if MBEDTLS_THREADING_C is enabled. + * Reduced ROM fooprint of SHA-256 and added an option to reduce it even + more (at the expense of performance) MBEDTLS_SHA256_SMALLER. = mbed TLS 1.3 branch