Stop disabling TLSv1.3 if ec and dh are disabled

Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
author: Matt Caswell <matt@openssl.org> 2021-01-14 15:50:20 +0000
committer: Matt Caswell <matt@openssl.org> 2021-02-05 15:22:40 +0000
commit: a763ca11777ce01a286751f3f3dd9b106ef74f30 (patch)
tree: 7ad54dd22661b8373f57ffefdee897b6282dc225 /CHANGES.md
parent: 8b1db5d329740bd5363fd1763d4030d0e015b521 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index d80016560e..7c934935eb 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,17 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
+   Typically if OpenSSL has no EC or DH algorithms then it cannot support
+   connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
+   through providers. Therefore third party providers may supply group
+   implementations even where there are no built-in ones. Attempting to create
+   TLS connections in such a build without also disabling TLSv1.3 at run time or
+   using third party provider groups may result in handshake failures. TLSv1.3
+   can be disabled at compile time using the "no-tls1_3" Configure option.
+
+   *Matt Caswell*
+
  * The undocumented function X509_certificate_type() has been deprecated;
    applications can use X509_get0_pubkey() and X509_get0_signature() to
    get the same information.
author	Matt Caswell <matt@openssl.org>	2021-01-14 15:50:20 +0000
committer	Matt Caswell <matt@openssl.org>	2021-02-05 15:22:40 +0000
commit	a763ca11777ce01a286751f3f3dd9b106ef74f30 (patch)
tree	7ad54dd22661b8373f57ffefdee897b6282dc225 /CHANGES.md
parent	8b1db5d329740bd5363fd1763d4030d0e015b521 (diff)