Fix wording of ChangeLog and 3DES_REMOVE docs

2018-11-26 20:57:49 +00:00 · 2018-11-26 20:57:49 +00:00 · 22a8905686
commit 22a8905686
parent 4a512281ec
2 changed files with 13 additions and 5 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -696,6 +696,13 @@
 * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
 * them explicitly.
 *
+ * A man-in-the browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
 * Comment this macro to keep 3DES in the default ciphersuite list.
 */
 #define MBEDTLS_REMOVE_3DES_CIPHERSUITES