From ce9f08a11bafb4a594b1e72978bfc87771409cb2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 26 Sep 2025 19:21:15 +0200 Subject: [PATCH] More removals found in changelog entries Signed-off-by: Gilles Peskine --- docs/4.0-migration-guide/configuration.md | 10 ++++++++++ docs/4.0-migration-guide/feature-removals.md | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/docs/4.0-migration-guide/configuration.md b/docs/4.0-migration-guide/configuration.md index 0065de4542..c8e54f657b 100644 --- a/docs/4.0-migration-guide/configuration.md +++ b/docs/4.0-migration-guide/configuration.md @@ -32,3 +32,13 @@ TF-PSA-Crypto exposes its version through ``, similar t ### Removal of `check_config.h` The header `mbedtls/check_config.h` is no longer present. Including it from user configuration files was already obsolete in Mbed TLS 3.x, since it enforces properties the configuration as adjusted by `mbedtls/build_info.h`, not properties that the user configuration is expected to meet. + +### Changes to TLS options + +#### Enabling null cipher suites + +The option to enable null cipher suites in TLS 1.2 has been renamed from `MBEDTLS_CIPHER_NULL_CIPHER` to `MBEDTLS_SSL_NULL_CIPHERSUITES`. It remains disabled in the default configuration. + +#### Removal of backward compatibility options + +The option `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` has been removed. Only the version standardized in RFC 9146 is supported now. diff --git a/docs/4.0-migration-guide/feature-removals.md b/docs/4.0-migration-guide/feature-removals.md index 8b2c4d0b8f..b958f864fc 100644 --- a/docs/4.0-migration-guide/feature-removals.md +++ b/docs/4.0-migration-guide/feature-removals.md 
@@ -140,3 +140,13 @@ mbedtls_ssl_conf_dh_param_bin() mbedtls_ssl_conf_dh_param_ctx() mbedtls_ssl_conf_dhm_min_bitlen() ``` + +### Removal of elliptic curves + +Following their removal from the crypto library, elliptic curves of less than 250 bits (secp192r1, secp192k1, secp224r1, secp224k1) are no longer supported in certificates and in TLS. + +### Removal of deprecated functions + +The deprecated functions `mbedtls_ssl_conf_min_version()` and `mbedtls_ssl_conf_max_version()`, and the associated constants `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_4` have been removed. Use `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` with `MBEDTLS_SSL_VERSION_TLS1_2` or `MBEDTLS_SSL_VERSION_TLS1_3` instead. + +The deprecated function `mbedtls_ssl_conf_sig_hashes()` has been removed. Use `mbedtls_ssl_conf_sig_algs()` instead.
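Review bot: In the configuration.md hunk, under "Enabling null cipher suites", the text does not say what happens to a user configuration that still defines `MBEDTLS_CIPHER_NULL_CIPHER`. A renamed option is the kind of change that can pass a build unnoticed, so the entry should state whether the old name is rejected at build time or silently ignored, and spell out the action for the reader (replace the old macro with `MBEDTLS_SSL_NULL_CIPHERSUITES` if null cipher suites are really wanted). In the same hunk, "Removal of backward compatibility options" names `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` without saying what it selected. One sentence on what the removed option enabled, and that peers relying on it will no longer negotiate a connection ID with this library, would let users judge the interoperability impact from the guide alone.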
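Review bot: In the feature-removals.md hunk, under "Removal of deprecated functions", three constants are listed as removed (`MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_4`) but only two replacements are given, with no mapping between them. Since this sets the minimum and maximum protocol version, a wrong translation weakens or breaks a deployment, so please state which old major/minor pair corresponds to `MBEDTLS_SSL_VERSION_TLS1_2` and which to `MBEDTLS_SSL_VERSION_TLS1_3`. The `mbedtls_ssl_conf_sig_hashes()` paragraph likewise should say whether `mbedtls_ssl_conf_sig_algs()` takes the same kind of list or whether callers must convert their values. Under "Removal of elliptic curves", "no longer supported in certificates and in TLS" does not describe the observable effect. Consider adding what a user sees when a peer certificate or a configured group uses secp192r1, secp192k1, secp224r1 or secp224k1, and that such certificates need to be reissued on a supported curve.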