Gilles Peskine
Gilles Peskine
Switch the test coverage analysis in `analyze_outcomes.py` to enforcement mode. In other words, the CI will now complain if there is a test case that is not executed in any...
Release candidate for Mbed TLS 3.6.2, indented to be used without a complicated history. Cherry-picks just the bug fix from https://github.com/Mbed-TLS/mbedtls/pull/9691, plus a changelog entry, plus a version bump and...
Remove the RSA-decryption key exchange. Note that this doesn't affect any key exchange that uses an RSA signature in combination with a Diffie-Hellman key exchange (`DHE_RSA`, `ECDHE_RSA`, `ECDH_RSA`). * Prerequisites:...
Remove the DHE-PSK key exchange. * Prerequisites: * Test cases: none * Config option: `MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED` * Key exchange type: `MBEDTLS_KEY_EXCHANGE_DHE_PSK` * Affected cipher suite macros regex: `MBEDTLS_TLS_DHE_PSK_\w+` * Full list...
Remove the DHE-RSA key exchange. This completes the removal of finite-field Diffie-Hellman from TLS 1.2. Note that it remains available in TLS 1.3. * Prerequisites: * https://github.com/Mbed-TLS/mbedtls/issues/9684 * Test cases:...
There are a few TLS 1.2 test cases where we're currently using a DHE key exchange, but we could indifferently use ECDHE. Since [we are removing DHE](https://github.com/Mbed-TLS/mbedtls/issues/9685), we need to...
Remove the RSA-PSK key exchange in TLS 1.2. * Prerequisites: none. * Config option: `MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED` * Key exchange type: `MBEDTLS_KEY_EXCHANGE_RSA_PSK` * Affected cipher suite macros regex: `MBEDTLS_TLS_RSA_PSK_\w+` * Full list...
Definition of done: no longer need the `'Config: !PSA_WANT_ALG_HMAC'`, `'Config: !PSA_WANT_KEY_TYPE_HMAC'` and `Config: !PSA_WANT_ALG_TLS12_PRF` ignore list entries in the test coverage analysis in `analyze_outcomes.py`. Note that 3.6 and development have...
Prerequisite: https://github.com/Mbed-TLS/mbedtls/issues/9685 Now that finite-field Diffie-Hellman is no longer used in TLS 1.2, we no longer need DH-specific code in `compat.sh`. (It is still needed in `ssl-opt.sh` for TLS 1.3.)...
Build the library with X.509 enabled, but without any TLS cipher suite that uses certificates. The build fails. Observed on `mbedtls-3.6.1` and `development` from today. The problems must have been...