tls: add a mutual authentication test

Also, make it clearer that TLS keys and certificates can only
be set once on a configuration.  (mbedTLS makes this confusing!)

This mutual test is only fully validated on mbed, because wolfSSL
seems to not properly validate this in many configurations.

2 files changed, 9 insertions, 0 deletions

diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
index 2b305b75..cb7bc539 100644
--- a/docs/ref/migrate/nng1.md
+++ b/docs/ref/migrate/nng1.md
@@ -60,6 +60,13 @@ Support for very old TLS versions 1.0 and 1.1 is removed.
 Further, the `NNG_TLS_1_0` and `NNG_TLS_1_1` constants are also removed.
 Applications should use `NNG_TLS_1_2` or even `NNG_TLS_1_3` instead.
 
+## Only One TLS Key/Cert Per Configuration
+
+The ability to configure multiple keys and certificates for a given TLS configuration object is removed.
+(The [`nng_tls_config_own_cert`] will return [`NNG_EBUSY`] if it has already been called for the configuration.)
+The intended purpose was to support alternative cryptographic algorithms, but this is not necessary, was never
+used, and was error prone.
+
 ## Support for Local Addresses in Dial URLs Removed
 
 NNG 1.x had an undocumented ability to specify the local address to bind
diff --git a/docs/ref/xref.md b/docs/ref/xref.md
index d36f96e8..5e030bed 100644
--- a/docs/ref/xref.md
+++ b/docs/ref/xref.md
@@ -98,6 +98,8 @@
 [`nng_recv`]: /TODO.md
 [`nng_listener_get_url`]: /TODO.md
 [`nng_dialer_get_url`]: /TODO.md
+[`nng_tls_config`]: /TODO.md
+[`nng_tls_config_own_cert`]: /TODO.md
 
 <!-- Macros -->