Only return VERIFY_FAILED from a single point
Everything else is a fatal error. Also improve documentation about that for
the vrfy callback.
diff --git a/ChangeLog b/ChangeLog
index f008cdc..354fcab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,9 @@
* Certificate verification functions now set flags to -1 in case the full
chain was not verified due to an internal error (including in the verify
callback) or chain length limitations.
+ * With authmode set to optional, handshake is now aborted if the
+ verification of the peer's certificate failed due to an overlong chain or
+ a fatal error in the vrfy callback.
= mbed TLS 1.3.20 released 2017-06-21
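Review bot: the added entry ("With authmode set to optional, handshake is now aborted if ...") does not say what counts as "a fatal error in the vrfy callback", so a user running with optional authmode cannot tell from the ChangeLog whether their callback is affected. The commit message states that everything other than VERIFY_FAILED is a fatal error; the entry should say the same in user-facing terms, for example by naming which callback return values now abort the handshake and which still let an optional-mode handshake continue. Since this changes behaviour for existing optional-mode deployments, it would also help to point at the flags behaviour described in the preceding entry (flags set to -1 when the full chain was not verified), so the two entries read as one change. Minor wording: "if the verification ... failed" reads better as "fails", matching the present tense of "is now aborted".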