Add MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE config option

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-04-04 14:08:39 +00:00 · 2021-11-24 10:47:20 +01:00 · 2021-11-24 10:47:20 +01:00 · ab65c52944
commit ab65c52944
parent c38c1f2411
1 changed files with 22 additions and 0 deletions
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@ -1505,6 +1505,28 @@
 */
 //#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL

+/**
+ * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ *
+ * Enable TLS 1.3 middlebox compatibility mode.
+ *
+ * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility
+ * mode to make a TLS 1.3 connection more likely to pass through middle boxes
+ * expecting TLS 1.2 traffic.
+ *
+ * Turning on the compatibility mode comes at the cost of a few added bytes
+ * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations
+ * that don't use it. Therefore, unless transmission bandwidth is critical and
+ * you know that middlebox compatibility issues won't occur, it is therefore
+ * recommended to set this option.
+ *
+ * Comment to disable compatibility mode for TLS 1.3. If
+ * MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL is not enabled, this option does not
+ * have any effect on the build.
+ *
+ */
+//#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+
 /**
 * \def MBEDTLS_SSL_PROTO_DTLS
 *