From d5d04962ef23b5df2fe08c3adb486f6f7902084f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 30 Apr 2021 16:42:35 +0200 Subject: [PATCH] Add change log and migration guide Signed-off-by: Ronald Cron --- ChangeLog.d/remove-enable-weak-ciphersuites.txt | 2 ++ .../remove-enable-weak-ciphersuites.md | 12 ++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 ChangeLog.d/remove-enable-weak-ciphersuites.txt create mode 100644 docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md diff --git a/ChangeLog.d/remove-enable-weak-ciphersuites.txt b/ChangeLog.d/remove-enable-weak-ciphersuites.txt new file mode 100644 index 000000000..97f63ebb8 --- /dev/null +++ b/ChangeLog.d/remove-enable-weak-ciphersuites.txt @@ -0,0 +1,2 @@ +Removals + * Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option. Fixes #4416. diff --git a/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md new file mode 100644 index 000000000..c3c330623 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md @@ -0,0 +1,12 @@ +Remove the configuration to enable weak ciphersuites in SSL / TLS +----------------------------------------------------------------- + +This does not affect users who use the default `config.h`, as this option was +already off by default. + +If you were using a weak cipher, please switch to any of the modern, +recommended ciphersuites (based on AES-GCM, AES-CCM or ChachaPoly for example) +and if your peer doesn't support any, encourage them to upgrade their software. + +If you were using a ciphersuite without encryption, you just have to +enable MBEDTLS_CIPHER_NULL_CIPHER now.
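Review bot: In ChangeLog.d/remove-enable-weak-ciphersuites.txt, the entry records the removal of MBEDTLS_ENABLE_WEAK_CIPHERSUITES but says nothing about the follow-up for builds that had set it. The migration guide added in this same patch states that users of a ciphersuite without encryption now only have to enable MBEDTLS_CIPHER_NULL_CIPHER. Consider adding a sentence to the entry that says so, or that points to the migration guide, so that someone reading the change log alone sees what to do.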
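Review bot: In docs/3.0-migration-guide.d/remove-enable-weak-ciphersuites.md, neither the heading nor the body names the removed option. The text refers only to "this option", so a user searching the guide for MBEDTLS_ENABLE_WEAK_CIPHERSUITES will not land on this section. Name the macro in the first paragraph, and say which ciphersuites it gated, since "If you were using a weak cipher" leaves readers to work out for themselves whether they are affected. Smaller points: put MBEDTLS_CIPHER_NULL_CIPHER in backticks as is done for `config.h`, and write "ChachaPoly" as ChaCha20-Poly1305.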