Add guidance around certificate auto-chaining in TLS

PORTING.md

@@ -302,4 +302,25 @@ Using [`CRYPTO_BUFFER`](https://commondatastorage.googleapis.com/chromium-boring
 
 ### Asynchronous and opaque private keys
 
-OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using `SSL_PRIVATE_KEY_METHOD` via `SSL[_CTX]_set_private_key_method`. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.
+OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using `SSL_PRIVATE_KEY_METHOD` via `SSL[_CTX]_set_private_key_method`. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.
+
+## X.509 Certificate Auto-Chaining Disabled by Default
+TLS client or server certificates are loaded using `SSL_CTX_use_certificate_chain_file` or
+`SSL_use_certificate_chain_file`. The file must contain the leaf certificate, and may be followed by one or
+more CA certificates (chain certificates) used to establish the authenticity of the leaf certificate.
+
+By default AWS-LC does not perform X.509 certificate auto-chaining when constructing the TLS client or server
+certificate to be sent over the TLS connection as part of a `Certificate` message frame. AWS-LC TLS
+client or server will only send the contents that were loaded by either `SSL_CTX_use_certificate_chain_file` or
+`SSL_use_certificate_chain_file`, that is to say the leaf and zero more CA chain certificates if provided.
+This differs from the default OpenSSL behavior, specifically when a single leaf certificate is provided without the
+accompanying chain. In such an instance OpenSSL will attempt to construct the chain of certificates from the configured
+trust store necessary to establish the authenticity of the leaf certificate, and will send that construct chain over the
+wire.
+
+This behavior can be re-enabled in AWS-LC by clearing the `SSL_MODE_NO_AUTO_CHAIN` configuration flag.
+See [configuration-differences](docs/porting/configuration-differences.md).
+
+### Affect on Integrations
+The default behavior of not performing auto-chaining can have impact to higher-level integrations like CPython or Ruby
+if using software builds that utilize AWS-LC for the underlying TLS implementation.