ssl: ignore CertificateRequest's content for real
- document why we made that choice
- remove the two TODOs about checking hash and CA
- remove the code that parsed certificate_type: it did nothing except store
the selected type in handshake->cert_type, but that field was never accessed
afterwards. Since handshake_params is now an internal type, we can remove that
field without breaking the ABI.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b778255..24d5678 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1594,7 +1594,12 @@
* adequate, preference is given to the one set by the first
* call to this function, then second, etc.
*
- * \note On client, only the first call has any effect.
+ * \note On client, only the first call has any effect. That is,
+ * only one client certificate can be provisioned. The
+ * server's preferences in its CertficateRequest message will
+ * be ignored and our only cert will be sent regardless of
+ * whether it matches those preferences - the server can then
+ * decide what it wants to do with it.
*
* \param conf SSL configuration
* \param own_cert own public certificate chain
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 3af059f..d63d7d4 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -166,7 +166,6 @@
* Handshake specific crypto variables
*/
int sig_alg; /*!< Hash algorithm for signature */
- int cert_type; /*!< Requested cert type */
int verify_sig_alg; /*!< Signature algorithm for verify */
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */