Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
diff --git a/ChangeLog b/ChangeLog
index 9bf6a17..d35457b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
+ * With authmode set to optional, handshake is now aborted if the
+ verification of the peer's certificate failed due to an overlong chain or
+ a fatal error in the vrfy callback.
= mbed TLS 2.5.1 released 2017-06-21
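Review bot: The added entry (the three `+` lines) limits the abort to "an overlong chain or a fatal error in the vrfy callback", while the commit message says everything other than VERIFY_FAILED is a fatal error and the entry just above speaks of "an internal error (including in the verify callback)". As worded, someone relying on authmode optional cannot tell whether an internal error outside the callback also aborts the handshake. Suggest matching the previous entry's wording, for example "failed due to an overlong chain or a fatal error (including in the verify callback)", and using one spelling of the callback name across both entries ("verify" vs "vrfy").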