TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / afb2fe1acf7c7379029d5f605e3533fa5c43d4a3^! / . / docs / architecture / tls13-support.md
commitafb2fe1acf7c7379029d5f605e3533fa5c43d4a3[log] [tgz]
authorTom Cosgrove <tom.cosgrove@arm.com>Wed Jun 29 16:36:12 2022 +0100
committerTom Cosgrove <tom.cosgrove@arm.com>Wed Jun 29 16:36:12 2022 +0100
tree8ab8c9b604790b835d65894426d716a6240f7e17
parent1dc6848679982dde8b7cd42a547358eb04fed6ca [diff] [blame]
Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3

Also have check_config.h enforce this. And MBEDTLS_SSL_EXPORT_KEYS has been removed,
so no longer mention it.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>

diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md
index 6c39bc5..1a8c03c 100644
--- a/docs/architecture/tls13-support.md
+++ b/docs/architecture/tls13-support.md

@@ -136,10 +136,16 @@
 
 - Compatibility with existing SSL/TLS build options:
 
-  The TLS 1.3 MVP is compatible with all TLS 1.2 configuration options in the
-  sense that when enabling the TLS 1.3 MVP in the library there is no need to
-  modify the configuration for TLS 1.2. The MBEDTLS_USE_PSA_CRYPTO configuration
-  option is an exception though, the TLS 1.3 MVP is not compatible with it.
+  The TLS 1.3 MVP is compatible with nearly all TLS 1.2 configuration options
+  in the sense that when enabling the TLS 1.3 MVP in the library there is rarely
+  any need to modify the configuration from that used for TLS 1.2.
+
+  The two exceptions to this are:
+
+  - The TLS 1.3 MVP is not compatible with MBEDTLS_USE_PSA_CRYPTO, so this option
+    must be disabled.
+  - The TLS 1.3 MVP requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, so this option
+    must be enabled.
 
   Mbed TLS SSL/TLS related features are not supported or not applicable to the
   TLS 1.3 MVP:
@@ -152,12 +158,11 @@
   | MBEDTLS_SSL_DEBUG_ALL                    | no      |
   | MBEDTLS_SSL_ENCRYPT_THEN_MAC             | n/a     |
   | MBEDTLS_SSL_EXTENDED_MASTER_SECRET       | n/a     |
-  | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE        | no      |
+  | MBEDTLS_SSL_KEEP_PEER_CERTIFICATE        | no (1)  |
   | MBEDTLS_SSL_RENEGOTIATION                | n/a     |
   | MBEDTLS_SSL_MAX_FRAGMENT_LENGTH          | no      |
   |                                          |         |
   | MBEDTLS_SSL_SESSION_TICKETS              | no      |
-  | MBEDTLS_SSL_EXPORT_KEYS                  | no (1)  |
   | MBEDTLS_SSL_SERVER_NAME_INDICATION       | no      |
   | MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH       | no      |
   |                                          |         |
@@ -178,7 +183,7 @@
   |                                          |         |
   | MBEDTLS_USE_PSA_CRYPTO                   | no      |
 
-  (1) Some support has already been upstreamed but it is incomplete.
+  (1) This option must remain in its default state of enabled.
   (2) Key exchange configuration options for TLS 1.3 will likely to be
       organized around the notion of key exchange mode along the line
       of the MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE/PSK/PSK_EPHEMERAL/EPHEMERAL