Clarify a point in the documentation

2024-10-18 19:21:11 +00:00 · 2015-06-17 11:49:39 +02:00 · 2015-06-17 11:49:39 +02:00 · 27716cc1da
parent b541da6ef3
commit 27716cc1da
2 changed files with 13 additions and 1 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1517,7 +1517,15 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 *                 use. The server can override our preference order.
 *
 *                 Both sides: limits the set of curves used by peer to the
- *                 listed curves for any use (ECDH(E), certificates).
+ *                 listed curves for any use ECDHE and the end-entity
+ *                 certificate.
+ *
+ * \note           This has no influence on which curve are allowed inside the
+ *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
+ *                 for that. For example, if the peer's certificate chain is
+ *                 EE -> CA_int -> CA_root, then the allowed curves for EE are
+ *                 controlled by \c mbedtls_ssl_conf_curves() but for CA_int
+ *                 and CA_root it's \c mbedtls_ssl_conf_cert_profile().
 *
 * \param conf     SSL configuration
 * \param curves   Ordered list of allowed curves,
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -301,6 +301,10 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
 * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
 *                 security profile.
 *
+ * \note           The restrictions on keys (RSA minimum size, allowed curves
+ *                 for ECDSA) only applys to (intermediate) CAs, not to the
+ *                 end-entity certificate.
+ *
 * \param crt      a certificate to be verified
 * \param trust_ca the trusted CA chain
 * \param ca_crl   the CRL chain for trusted CA's