Note incompatibility of truncated HMAC extension in ChangeLog

The change in the truncated HMAC extension aligns Mbed TLS with the
standard, but breaks interoperability with previous versions. Indicate
this in the ChangeLog, as well as how to restore the old behavior.

ChangeLog

@@ -3,6 +3,16 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 2.1.10 branch released 2017-xx-xx
 
+Default behavior changes
+   * The truncated HMAC extension now conforms to RFC 6066. This means
+     that when both sides of a TLS connection negotiate the truncated
+     HMAC extension, Mbed TLS can now interoperate with other
+     compliant implementations, but this breaks interoperability with
+     prior versions of Mbed TLS. To restore the old behavior, enable
+     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
+     config.h. Found by Andreas Walz (ivESK, Offenburg University of
+     Applied Sciences).
+
 Security
    * Fix heap corruption in implementation of truncated HMAC extension.
      When the truncated HMAC extension is enabled and CBC is used,
@@ -10,12 +20,10 @@ Security
      corrupt 6 bytes on the peer's heap, potentially leading to crash or
      remote code execution. This can be triggered remotely from either
      side in both TLS and DTLS.
-   * Fix implementation of truncated HMAC extension leading to
+   * Fix implementation of the truncated HMAC extension. The previous
-     compatibility problems with non Mbed TLS peers and allowing
+     implementation allowed an offline 2^80 brute force attack on the
-     an offline 2^80 brute force attack on the HMAC key of a single,
+     HMAC key of a single, uninterrupted connection (with no
-     uninterrupted (excluding session resumption) connection.
+     resumption of the session).
-     Found by Andreas Walz (ivESK, Offenburg University of Applied
-     Sciences).
 
 Bugfix
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records