diff --git a/ChangeLog b/ChangeLog index 8f952b76f..dc6e4515d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,7 +49,7 @@ Removals * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES compile-time option, which was off by default. Users should not trust certificates signed with SHA-1 due to the known attacks against SHA-1. - If needed, SHA-1 cerificates can still be verified by using a custom + If needed, SHA-1 certificates can still be verified by using a custom verification profile. * Removed deprecated things in psa/crypto_compat.h. Fixes #4284 diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md index b48754165..2d031c6a4 100644 --- a/docs/3.0-migration-guide.md +++ b/docs/3.0-migration-guide.md @@ -30,7 +30,7 @@ function with the same name with `_ret` appended and check the return value. - The function `mbedtls_md_init_ctx()` was removed; please use `mbedtls_md_setup()` instead. - The functions `mbedtls_xxx_process()` were removed. You normally don't need - to call that from application code. However it you do (or it you want to + to call that from application code. However if you do (or if you want to provide your own version of that function), please use `mbedtls_internal_xxx_process()` instead, and check the return value. @@ -47,7 +47,7 @@ Deprecated names for PSA constants and types were removed --------------------------------------------------------- Some constants and types that were present in beta versions of the PSA Crypto -API were removed from in version 1.0 of specification. Please switch to the new +API were removed from version 1.0 of specification. Please switch to the new names provided by the 1.0 specification instead. Internal / alt-focused headers were moved to a private location 
@@ -108,7 +108,7 @@ This doesn't affect people using the default configuration as it was already disabled by default. This only affects users who called the HAVEGE modules directly (not -recommended), or users who used it though the entropy module but had it as the +recommended), or users who used it through the entropy module but had it as the only source of entropy. If you're in that case, please declare OS or hardware RNG interfaces with `mbedtls_entropy_add_source()` and/or use an entropy seed file created securely during device provisioning. See @@ -121,7 +121,7 @@ Remove support for parsing SSLv2 ClientHello This doesn't affect people using the default configuration as it was already disabled by default. -This only affects TLS servers that have clients who send a SSLv2 ClientHello. +This only affects TLS servers that have clients who send an SSLv2 ClientHello. These days clients are very unlikely to do that. If you have a client that does, please try contacting them and encouraging them to upgrade their software. @@ -134,7 +134,7 @@ disabled by default. This only affects TLS users who explicitly enabled `MBEDTLS_SSL_PROTO_SSL3` and relied on that version in order to communicate with peers that are not up -to date. If one of your peers in in that case, please try contacting them and +to date. If one of your peers is in that case, please try contacting them and encouraging them to upgrade their software. Remove support for compatibility with old Mbed TLS's truncated HMAC 
@@ -143,10 +143,10 @@ Remove support for compatibility with old Mbed TLS's truncated HMAC This doesn't affect people using the default configuration as it was already disabled by default. -This only affects TLS users enabled `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` and +This only affects TLS users who enabled `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` and used the Truncated HMAC extension to communicate with peers using old version of Mbed TLS. Please consider using a CCM-8 ciphersuite instead of the -Truncated HMAC extension, or convicing your peer to upgrade their version of +Truncated HMAC extension, or convincing your peer to upgrade their version of Mbed TLS. Remove support for TLS record-level compression
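Review bot: In the docs/3.0-migration-guide.md hunk at @@ -30,7 +30,7 @@, the corrected line "However if you do (or if you want to" still lacks the comma after the introductory "However". Since the line is being rewritten anyway, suggest "However, if you do (or if you want to".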
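Review bot: In the docs/3.0-migration-guide.md hunk at @@ -47,7 +47,7 @@, the new line "API were removed from version 1.0 of specification." is still missing an article. Suggest "removed from version 1.0 of the specification", which also matches "the 1.0 specification" on the following context line.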
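Review bot: In the docs/3.0-migration-guide.md hunk at @@ -143,10 +143,10 @@, the unchanged context line between the two fixes still reads "peers using old version of Mbed TLS", which has a missing article or wrong number. As the patch already edits the lines on either side, fold in "peers using an old version of Mbed TLS" (or "old versions") so the paragraph does not need a second typo pass.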