Set correct minimal versions in default conf
Set `MBEDTLS_SSL_MIN_MAJOR_VERSION` and `MBEDTLS_SSL_MIN_MINOR_VERSION`
instead of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
diff --git a/ChangeLog b/ChangeLog
index a6fa6bb..6dab645 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,17 +41,6 @@
* Direct manipulation of structure fields of RSA contexts is deprecated.
Users are advised to use the extended RSA API instead.
-API Changes
- * Extend RSA interface by multiple functions allowing structure-
- independent setup and export of RSA contexts. Most notably,
- mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
- up RSA contexts from partial key material and having them completed to the
- needs of the implementation automatically. This allows to setup private RSA
- contexts from keys consisting of N,D,E only, even if P,Q are needed for the
- purpose or CRT and/or blinding.
- * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
- implementations of the RSA interface declared in rsa.h.
-
Bugfix
* Fix ssl_parse_record_header() to silently discard invalid DTLS records
as recommended in RFC 6347 Section 4.1.2.7.
@@ -101,6 +90,10 @@
RSA test suite where the failure of CTR DRBG initialization lead to
freeing an RSA context and several MPI's without proper initialization
beforehand.
+ * Fix setting version TLSv1 as minimal version, even if TLS 1
+ is not enabled. Set `MBEDTLS_SSL_MIN_MAJOR_VERSION`
+ and `MBEDTLS_SSL_MIN_MINOR_VERSION` instead
+ of `MBEDTLS_SSL_MAJOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_1`
Changes
* Extend cert_write example program by options to set the CRT version
@@ -114,6 +107,17 @@
* Tighten the RSA PKCS#1 v1.5 signature verification code and remove the
undeclared dependency of the RSA module on the ASN.1 module.
+API Changes
+ * Extend RSA interface by multiple functions allowing structure-
+ independent setup and export of RSA contexts. Most notably,
+ mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting
+ up RSA contexts from partial key material and having them completed to the
+ needs of the implementation automatically. This allows to setup private RSA
+ contexts from keys consisting of N,D,E only, even if P,Q are needed for the
+ purpose or CRT and/or blinding.
+ * The configuration option MBEDTLS_RSA_ALT can be used to define alternative
+ implementations of the RSA interface declared in rsa.h.
+
= mbed TLS 2.6.0 branch released 2017-08-10
Security
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 756360b..56e376b 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -69,6 +69,9 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
/* Determine maximum supported version */
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2690e46..bc98708 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7602,8 +7602,14 @@
* Default
*/
default:
- conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
- conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
+ conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
+ MBEDTLS_SSL_MIN_MAJOR_VERSION :
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+ conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
+ MBEDTLS_SSL_MIN_MINOR_VERSION :
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;