| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 1 | Changes in the SSL error code space |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 2 | ----------------------------------------------------------------- |
| 3 | |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 4 | # Removals |
| 5 | |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 6 | This affects users manually checking for the following error codes: |
| 7 | - `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` |
| 8 | - `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` |
| 9 | - `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 10 | - `MBEDTLS_ERR_SSL_BAD_HS_XXX` |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 11 | |
| 12 | Migration paths: |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 13 | |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 14 | - `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` |
| 15 | should never be returned from Mbed TLS, and there is no need to check for it. |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 16 | |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 17 | Users should simply remove manual checks for those codes, and let the Mbed TLS |
| 18 | team know if -- contrary to the team's understanding -- there is in fact a situation |
| 19 | where one of them was ever returned. |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 20 | |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 21 | - `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and |
| 22 | `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 23 | is too large to fit into the output buffers. |
| 24 | |
| 25 | Users should check for |
| Hanno Becker | 8e184e2 | 2021-05-14 17:10:27 +0100 | [diff] [blame] | 26 | `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially compare the size of their |
| 27 | own certificate against the configured size of the output buffer to understand if |
| 28 | the error is due to an overly large certificate. |
| Hanno Becker | 2e3ecda | 2021-06-24 11:22:22 +0100 | [diff] [blame^] | 29 | |
| 30 | - All `MBEDTLS_ERR_SSL_BAD_HS_XXX` error code have been removed. |
| 31 | |
| 32 | Users should check for the newly introduced generic error codes |
| 33 | * `MBEDTLS_ERR_SSL_DECODE_ERROR` |
| 34 | * `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`, |
| 35 | * `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` |
| 36 | * `MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION` |
| 37 | * `MBEDTLS_ERR_SSL_BAD_CERTIFICATE` |
| 38 | * `MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME` |
| 39 | instead. |
| 40 | |
| 41 | Users should check for the generic error codes instead. |