diff --git a/ChangeLog b/ChangeLog index 513f24f3a..149e43972 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ Bugfix invalidated keys of a lifetime of less than a 1s. Fixes #1968. * Fix failure in hmac_drbg in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095 + * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence + of check for certificate/key matching. Reported by Attila Molnar, #507. Changes * Add tests for session resumption in DTLS. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 83849a564..78db69eb5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2043,6 +2043,14 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, * whether it matches those preferences - the server can then * decide what it wants to do with it. * + * \note The provided \p pk_key needs to match the public key in the + * first certificate in \p own_cert, or all handshakes using + * that certificate will fail. It is your responsibility + * to ensure that; this function will not perform any check. + * You may use mbedtls_pk_check_pair() in order to perform + * this check yourself, but be aware that this function can + * be computationally expensive on some key types. + * * \param conf SSL configuration * \param own_cert own public certificate chain * \param pk_key own private key