Update TLS 1.3 documentation and add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/ChangeLog.d/tls13-server-version-negotiation.txt b/ChangeLog.d/tls13-server-version-negotiation.txt
new file mode 100644
index 0000000..989018b
--- /dev/null
+++ b/ChangeLog.d/tls13-server-version-negotiation.txt
@@ -0,0 +1,5 @@
+Features
+ * Add support for server-side TLS version negotiation. If both TLS 1.2 and
+ TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
+ TLS 1.3 depending on the capabilities and preferences of TLS clients.
+ Fixes #6867.
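Review bot: The entry's last sentence, "depending on the capabilities and preferences of TLS clients", leaves out the server's own configuration: it does not say whether the range set with `mbedtls_ssl_conf_{min,max}_tls_version` still bounds the version the server selects. Since a server with both protocols enabled can now negotiate TLS 1.2, deployments that want TLS 1.3 only need to know how to keep that. Suggest adding one sentence on how to restrict a server to a single version.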
diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
index 85482ba..6db0e54 100644
--- a/docs/architecture/tls13-support.md
+++ b/docs/architecture/tls13-support.md
@@ -86,17 +86,11 @@
- Supported versions:
- - TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server
- side.
+ - TLS 1.2 and TLS 1.3 with version negotiation on client and server side.
- TLS 1.2 and TLS 1.3 can be enabled in the build independently of each
other.
- - If both TLS 1.3 and TLS 1.2 are enabled at build time, only one of them can
- be configured at runtime via `mbedtls_ssl_conf_{min,max}_tls_version` for a
- server endpoint. Otherwise, `mbedtls_ssl_setup` will raise
- `MBEDTLS_ERR_SSL_BAD_CONFIG` error.
-
- Compatibility with existing SSL/TLS build options:
The TLS 1.3 implementation is compatible with nearly all TLS 1.2
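Review bot: Deleting the `mbedtls_ssl_conf_{min,max}_tls_version` paragraph outright leaves the "Supported versions" list without any statement of how a server endpoint is limited to one version at runtime, or of whether `mbedtls_ssl_setup` still returns `MBEDTLS_ERR_SSL_BAD_CONFIG` for any server version configuration. Suggest replacing the paragraph instead of removing it, stating what a server configured with both versions now does and how the min/max setting interacts with negotiation. Minor wording point on the added line: "on client and server side" reads better as "on both the client and server sides".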