Fix wording of ChangeLog and 3DES_REMOVE docs
diff --git a/ChangeLog b/ChangeLog
index f0f0adc..2b51621 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,11 @@
* Reduce stack usage of `mpi_write_hlp()` by eliminating recursion.
Fixes #2190.
+Features
+ * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
+ from the default list (enabled by default). See
+ https://sweet32.info/SWEET32_CCS16.pdf.
+
Changes
* Include configuration file in all header files that use configuration,
instead of relying on other header files that they include.
@@ -23,10 +28,6 @@
by Aurelien Jarno and submitted by Jeffrey Martin.
* Ciphersuites based on 3DES now have the lowest priority by default.
-Features
- * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
- from the default list (inactive by default).
-
= mbed TLS 2.7.9 branch released 2018-12-21
Bugfix
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 113e1d1..5b176ca 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -565,6 +565,13 @@
* to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
* them explicitly.
*
+ * A man-in-the browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
* Comment this macro to keep 3DES in the default ciphersuite list.
*/
#define MBEDTLS_REMOVE_3DES_CIPHERSUITES