FFDH in TLS: it's only a limitation for TLS 1.2, not TLS 1.3
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md
index 6bd9262..e85496a 100644
--- a/docs/driver-only-builds.md
+++ b/docs/driver-only-builds.md
@@ -278,9 +278,11 @@
removing builtin support (i.e. `MBEDTLS_DHM_C`).
Note that the PSA API only supports FFDH with RFC 7919 groups, whereas the
-Mbed TLS legacy API supports custom groups. As a consequence, the TLS layer
-of Mbed TLS only supports DHE cipher suites if built-in FFDH
+Mbed TLS legacy API supports custom groups. As a consequence, the TLS 1.2
+layer of Mbed TLS only supports DHE cipher suites if built-in FFDH
(`MBEDTLS_DHM_C`) is present, even when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
+(The TLS 1.3 layer uses PSA, and this is not a limitation because the
+protocol does not allow custom FFDH groups.)
RSA
---
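Review bot: In the added parenthetical that closes the FFDH paragraph, "this is not a limitation" has an unclear antecedent: it can be read as referring to the TLS 1.3 layer using PSA or to the RFC 7919-only restriction stated in the paragraph's first sentence. Suggest naming it, for example "(The TLS 1.3 layer uses PSA; the restriction to RFC 7919 groups is not a limitation there because the protocol does not allow custom FFDH groups.)". Since this is the driver-only builds document, consider also stating outright whether FFDH key exchange in TLS 1.3 works without `MBEDTLS_DHM_C`, if that is the intent. As written the reader has to infer it from the contrast with the TLS 1.2 sentence.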