Use negated option for controlling TLS support.
A positive option looks better, but comes with the following compatibility
issue: people using a custom config.h that is not based on the default
config.h and need TLS support would need to manually change their config in
order to still get TLS.
Work around that by making the public option negative. Internally the positive
option is used, though.
In the future (when preparing the next major version), we might want to switch
back to a positive option as this would be more consistent with other options
we have.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index b3677b5..34f1a3b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -566,7 +566,7 @@
#endif
#if defined(MBEDTLS_SSL_TLS_C) && \
- ( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
+ ( defined(MBEDTLS_SSL_PROTO_NO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
#endif
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e0b5ba4..1653f89 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1508,7 +1508,7 @@
* Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2,
* and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0.
*
- * \see MBEDTLS_SSL_PROTO_TLS
+ * \see MBEDTLS_SSL_PROTO_NO_TLS
*
* Requires: MBEDTLS_SSL_PROTO_TLS1_1
* or MBEDTLS_SSL_PROTO_TLS1_2
@@ -1518,25 +1518,22 @@
#define MBEDTLS_SSL_PROTO_DTLS
/**
- * \def MBEDTLS_SSL_PROTO_TLS
+ * \def MBEDTLS_SSL_PROTO_NO_TLS
*
- * Enable support for SSL/TLS (all available versions).
+ * Disable support for SSL/TLS (all available versions) - this doesn't affect
+ * support for DTLS which is controlled by #MBEDTLS_SSL_PROTO_DTLS.
*
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
- * enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
- * enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
- * and/or this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated).
+ * Disable this and enable MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
+ * disable this and enable MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0.
*
- * \see MBEDTLS_SSL_PROTO_DTLS
+ * Requirements: if this macro is disabled, at least one of the above
+ * TLS versions needs to be enabled.
*
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- * or MBEDTLS_SSL_PROTO_TLS1_1
- * or MBEDTLS_SSL_PROTO_TLS1
- * or MBEDTLS_SSL_PROTO_SSL3 (deprecated)
- *
- * Comment this macro to disable support for TLS
+ * Uncomment this macro to disable support for TLS.
*/
-#define MBEDTLS_SSL_PROTO_TLS
+//#define MBEDTLS_SSL_PROTO_NO_TLS
/**
* \def MBEDTLS_SSL_ALPN
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 653f857..1a4eaf6 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1337,8 +1337,8 @@
/**
* \brief Set the transport type (TLS or DTLS).
- * Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else
- * DTLS.
+ * Default: TLS unless #MBEDTLS_SSL_PROTO_NO_TLS is defined,
+ * else DTLS.
*
* \note For DTLS, you must either provide a recv callback that
* doesn't block, or one that handles timeouts, see
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 1c8709f..e6c829d 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -58,6 +58,12 @@
#define inline __inline
#endif
+/* The public option is negative for backwards compatibility,
+ * but internally a poisitive option is more convenient. */
+#if !defined(MBEDTLS_SSL_PROTO_NO_TLS)
+#define MBEDTLS_SSL_PROTO_TLS
+#endif
+
/* Determine minimum supported version */
#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3