More 1.11.1 notes. Update TLS docs

2 files changed, 53 insertions, 7 deletions

diff --git a/doc/relnotes/1_11_1.rst b/doc/relnotes/1_11_1.rst
index 655c418a1..002437cc9 100644
--- a/doc/relnotes/1_11_1.rst
+++ b/doc/relnotes/1_11_1.rst
@@ -1,6 +1,34 @@
 Version 1.11.1, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+TLS and DTLS
+""""""""""""""""""""""""""""""""""""""""
+
+Initial support for DTLS (v1.0 and v1.2) is available in this
+release.
+
+Added :cpp:func:`TLS::Policy::acceptable_protocol_version`
+and :cpp:func:`TLS::Policy::allow_server_initiated_renegotiation`
+
+:cpp:class:`TLS::Session_Manager_In_Memory` now chooses a random
+256-bit key at startup and encrypts all sessions (using the existing
+:cpp:func:`TLS::Session::encrypt` mechanism) while they are stored in
+memory. This is primarily to reduce pressure on ``mlock``ed memory, as
+each session normally requires 48 bytes of locked memory for the
+master secret, whereas now only 32 bytes are needed total. This change
+may also make it slightly harder for an attacker to extract session
+data from memory dumps (eg with a cold boot attack).
+
+TLS clients were not sending a next protocol message during a session
+resumption, which would cause resumption failures with servers that
+support NPN if NPN was being offered by the client.
+
+A heartbeat request send by the counterparty during a handshake would
+be passed to the application callback as a heartbeat response.
+
+Public Key Strength Checking
+""""""""""""""""""""""""""""""""""""""""
+
 A new function :cpp:func:`Public_Key::estimated_strength` returns
 an estimate for the upper bound of the strength of the key. For
 instance for an RSA key, it will return an estimate of how many
diff --git a/doc/tls.rst b/doc/tls.rst
index 09b9da3d3..e9cc07aa7 100644
--- a/doc/tls.rst
+++ b/doc/tls.rst
@@ -279,7 +279,12 @@ There are also functions for serialization and deserializing sessions:
                                                RandomNumberGenerator& rng)
 
       Encrypts a session using a symmetric key *key* and returns a raw
-      binary value that can later be passed to ``decrypt``.
+      binary value that can later be passed to ``decrypt``. The key
+      may be of any length.
+
+      Currently the implementation uses AES-256 in CBC mode with a
+      SHA-256 HMAC. The keys for these are derived from *key* using
+      KDF2(SHA-256).
 
    .. cpp:function:: static Session decrypt(const byte ciphertext[], \
                                             size_t length, \
@@ -410,12 +415,6 @@ be negotiated during a handshake.
 
 .. cpp:class:: TLS::Policy
 
- .. cpp:function:: Protocol_Version min_version() const
-
-     Returns the minimum protocol version we are willing to negotiate.
-
-     Default: SSL v3
-
  .. cpp:function:: Protocol_Version pref_version() const
 
      Return the protocol version we would prefer to negotiate. This is
@@ -423,6 +422,13 @@ be negotiated during a handshake.
 
      Default: TLS v1.2
 
+ .. cpp:function:: bool acceptable_protocol_version(const Protocol_Version& version)
+
+     Return true if this version of the protocol is one that we are
+     willing to negotiate.
+
+     Default: True for all known protocol versions
+
  .. cpp:function:: std::vector<std::string> allowed_ciphers() const
 
      Returns the list of ciphers we are willing to negotiate, in order
@@ -432,6 +438,10 @@ be negotiated during a handshake.
 
      Also allowed: "Camellia-256", "Camellia-128", "SEED"
 
+     .. note::
+
+        ARC4 will never be negotiated in DTLS due to protocol limitations
+
  .. cpp:function:: std::vector<std::string> allowed_macs() const
 
      Returns the list of algorithms we are willing to use for
@@ -489,6 +499,14 @@ be negotiated during a handshake.
 
         TLS compression is not currently supported.
 
+ .. cpp:function:: bool allow_server_initiated_renegotiation() const
+
+     If this function returns true, a client will accept a
+     server-initiated renegotiation attempt. Otherwise it will send
+     the server a non-fatal ``no_renegotiation`` alert.
+
+     Default: true
+
  .. cpp:function:: bool allow_insecure_renegotiation() const
 
      If this function returns true, we will allow renegotiation attempts