Leave the preference order for hashes unspecified

We don't seem to have strong feelings about this, so allow ourselves to
change the order later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d885d21..b38bd72 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2943,8 +2943,9 @@
  * \note           By default, all supported hashes whose length is at least
  *                 256 bits are allowed. This is the same set as the default
  *                 for certificate verification
- *                 (#mbedtls_x509_crt_profile_default). Larger hashes are
- *                 preferred.
+ *                 (#mbedtls_x509_crt_profile_default).
+ *                 The preference order is currently unspecified and may
+ *                 change in future versions.
  *
  * \param conf     SSL configuration
  * \param hashes   Ordered list of allowed signature hashes,
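Review bot: The new \note sentence says the default preference order is "currently unspecified and may change in future versions", but it does not tell callers what to do if they need a fixed order. Since \param hashes is already documented as an "Ordered list of allowed signature hashes", consider adding one sentence saying that applications which depend on a particular preference should pass an explicit list here instead of relying on the default. That keeps the removal of "Larger hashes are preferred" from silently changing negotiated behavior for anyone who read it as a guarantee.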
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 07569b2..3bbdcb0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6099,8 +6099,8 @@
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c. Here, the order matters: larger hashes first, for consistency
- * with curves.
+ * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
+ * for no fundamental reason.
  * See the documentation of mbedtls_ssl_conf_curves() for what we promise
  * about this list. */
 static int ssl_preset_default_hashes[] = {
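Review bot: The unchanged context line "See the documentation of mbedtls_ssl_conf_curves() for what we promise about this list" sits above ssl_preset_default_hashes, yet the promise this commit changes is in the hash \note in include/mbedtls/ssl.h, not in the curves documentation. Since the comment is being edited anyway, point the reference at the hash configuration function's documentation. Separately, "the order matters" next to "for no fundamental reason" reads as contradictory beside the header's "unspecified". Wording along the lines of "the order determines preference but is not part of the documented API" would match the header text.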