Mbed-TLS · gilles-peskine-arm · Feb 28, 2025 · Jan 24, 2025 · Jan 28, 2025 · Jan 29, 2025
diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt
@@ -3,3 +3,10 @@ Bugfix
      by the spec. Lack of support was causing handshake failures with some
      servers, especially with TLS 1.3 in practice (though both protocol
      version could be affected in principle, and both are fixed now).
+     The initial fragment for each handshake message must be at least 4 bytes.
+
+     Server-side, defragmentation of the ClientHello message is only
+     supported if the server accepts TLS 1.3 (regardless of whether the
+     ClientHello is 1.3 or 1.2). That is, servers configured (either
+     at compile time or at runtime) to only accept TLS 1.2 will
+     still fail the handshake if the ClientHello message is fragmented.
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
@@ -53,6 +53,11 @@ def _has_word_re(words: typing.Iterable[str],
             # https://github.com/Mbed-TLS/mbedtls/issues/9581
             'Opaque key for server authentication: invalid key: decrypt with ECC key, no async',
             'Opaque key for server authentication: invalid key: ecdh with RSA key, no async',
+            # Temporary disable Handshake defragmentation tests until mbedtls
+            # pr #10011 has been merged.
+            'Handshake defragmentation on client: len=4, TLS 1.2',
+            'Handshake defragmentation on client: len=5, TLS 1.2',
+            'Handshake defragmentation on client: len=13, TLS 1.2'
         ],
         'test_suite_config.mbedtls_boolean': [
             # We never test with CBC/PKCS5/PKCS12 enabled but