diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/man/nng_tls_config_version.3tls.adoc | 20 | ||||
| -rw-r--r-- | docs/ref/migrate/nng1.md | 6 |
2 files changed, 9 insertions, 17 deletions
diff --git a/docs/man/nng_tls_config_version.3tls.adoc b/docs/man/nng_tls_config_version.3tls.adoc index 5a42cb10..0c1ef262 100644 --- a/docs/man/nng_tls_config_version.3tls.adoc +++ b/docs/man/nng_tls_config_version.3tls.adoc @@ -1,6 +1,6 @@ = nng_tls_config_version(3tls) // -// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech> +// Copyright 2024 Staysail Systems, Inc. <info@staysail.tech> // // This document is supplied under the terms of the MIT License, a // copy of which should be located in the distribution where this @@ -20,8 +20,6 @@ nng_tls_config_version - configure TLS version #include <nng/supplemental/tls/tls.h> typedef enum nng_tls_version { - NNG_TLS_1_0 = 0x301, - NNG_TLS_1_1 = 0x302, NNG_TLS_1_2 = 0x303, NNG_TLS_1_3 = 0x304 } nng_tls_version; @@ -41,21 +39,9 @@ By default (if this function is not called), NNG will attempt to use both TLS v1 Clients and servers will generally negotiate for the highest mutually supported TLS version. -TIP: As of this writing, we recommend setting the minimum to -`NNG_TLS_1_2` (TLS v1.2) and the maximum to `NNG_TLS_1_3` (TLS v1.3). -This gives the best security, while ensuring good interoperability. -Nearly all modern TLS implementations support TLS v1.2. - -TIP: Support for TLS v1.3 is available via external TLS engines. - -NOTE: The cipher-suites supported by TLS v1.3 are different from earlier versions. -Therefore it may be necessary to generate different certificates. - == CAVEATS -* SSL v2.0 and v3.0 are insecure, and not supported in NNG. - -* TLS v1.3 is not supported by the default _Mbed TLS_ engine at this time. +* SSL v2.0, SSL v3.0, TLS v1.0 and TLS v1.1 are insecure, and not supported in NNG. * Some TLS engines may not support limiting the maximum version. @@ -63,7 +49,7 @@ Therefore it may be necessary to generate different certificates. * Session resumption is not supported in NNG (for any TLS version). -* TLS PSK support is not supported in NNG. (This is a limitation planned to be addressed.) +* TLS PSK support is dependent upon the engine. == RETURN VALUES diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md index 2c6087e2..2a1456b7 100644 --- a/docs/ref/migrate/nng1.md +++ b/docs/ref/migrate/nng1.md @@ -54,6 +54,12 @@ Likewise, when using the streams API, use the [`nng_stream_listener_set_tls`] or Note that the declarations needed for TLS configuration are now available in `<nng/nng.h>`, rather than the supplemental header. +## Old TLS Versions Removed + +Support for very old TLS versions 1.0 and 1.1 is removed. +Further, the `NNG_TLS_1_0` and `NNG_TLS_1_1` constants are also removed. +Applications should use `NNG_TLS_1_2` or even `NNG_TLS_1_3` instead. + ## Option Functions The previously deprecated `nng_pipe_getopt_xxx` family of functions is removed. |