From 8e184e2debf4e0d26f4324c4debd36d6a4844bea Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 May 2021 17:10:27 +0100 Subject: [PATCH] Add migration guide Signed-off-by: Hanno Becker --- .../ssl-error-code-cleanup.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 docs/3.0-migration-guide.d/ssl-error-code-cleanup.md diff --git a/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md new file mode 100644 index 000000000..49d1a0f22 --- /dev/null +++ b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md @@ -0,0 +1,20 @@ +Removal of some SSL error codes +----------------------------------------------------------------- + +This affects users manually checking for the following error codes: +- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` +- `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` +- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` + +Migration paths: +- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` + should never be returned from Mbed TLS, and there is no need to check for it. + Users should simply remove manual checks for those codes, and let the Mbed TLS + team know if -- contrary to the team's understanding -- there is in fact a situation + where one of them was ever returned. +- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and + `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate + is too large to fit into the output buffers. Users should check for + `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially compare the size of their + own certificate against the configured size of the output buffer to understand if + the error is due to an overly large certificate.