TLS improvements

Use constant time operations when checking CBC padding in TLS decryption

Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.

Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.

1 files changed, 4 insertions, 2 deletions

diff --git a/doc/manual/tls.rst b/doc/manual/tls.rst
index 554846c25..331bb56bb 100644
--- a/doc/manual/tls.rst
+++ b/doc/manual/tls.rst
@@ -517,7 +517,9 @@ policy settings from a file.
      authentication, sending data in cleartext) are also not supported
      by the implementation and cannot be negotiated.
 
-     Default value: "ChaCha20Poly1305", "AES-256/GCM", "AES-128/GCM",
+     Values without an explicit mode use old-style CBC with HMAC encryption.
+
+     Default value: "AES-256/GCM", "AES-128/GCM", "ChaCha20Poly1305",
      "AES-256/CCM", "AES-128/CCM", "AES-256/CCM-8", "AES-128/CCM-8",
      "AES-256", "AES-128"
 
@@ -570,7 +572,7 @@ policy settings from a file.
 
      Default: "ECDSA", "RSA", "DSA"
 
-     Also allowed: "" (meaning anonymous)
+     Also allowed (disabled by default): "" (meaning anonymous)
 
  .. cpp:function:: std::vector<std::string> allowed_ecc_curves() const