added 2.6.0 Changes
parent
51e5279c24
commit
c92119f50a
61
ChangeLog
@ -28,7 +28,68 @@ history is also available from Git.
|
|||||||
|
|
||||||
LibreSSL Portable Release Notes:
|
LibreSSL Portable Release Notes:
|
||||||
|
|
||||||
|
2.6.0 - New APIs, bug fixes and improvements
|
||||||
|
|
||||||
|
* Added support for providing CRLs to libtls. Once a CRL is provided we
|
||||||
|
enable CRL checking for the full certificate chain. Based on a diff
|
||||||
|
from Jack Burton
|
||||||
|
|
||||||
|
* Allow non-compliant clients using IP literal addresses with SNI
|
||||||
|
to connect to a server using libtls.
|
||||||
|
|
||||||
|
* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
|
||||||
|
Reported by Robert Swiecki, who found the issue using honggfuzz.
|
||||||
|
|
||||||
|
* Added definitions for three OIDs used in EV certificates.
|
||||||
|
From Kyle J. McKay
|
||||||
|
|
||||||
|
* Plugged a memory leak in tls_ocsp_free.
|
||||||
|
|
||||||
|
* Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to
|
||||||
|
libtls, useful in private certificate validation callbacks such as
|
||||||
|
those in relayd.
|
||||||
|
|
||||||
|
* Converted explicit lear/free sequences to use freezero(3).
|
||||||
|
|
||||||
|
* Reworked TLS certificate name verification code to more strictly
|
||||||
|
follow RFC 6125.
|
||||||
|
|
||||||
|
* Cleaned up and simplified server key exchange EC point handling.
|
||||||
|
|
||||||
|
* Added tls_keypair_clear_key for clearing key material.
|
||||||
|
|
||||||
|
* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
|
||||||
|
simplified BIO_get_host_ip and BIO_accept.
|
||||||
|
|
||||||
|
* Fixed the openssl(1) ca command so that is generates certificates
|
||||||
|
with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
|
||||||
|
|
||||||
|
* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
|
||||||
|
|
||||||
|
* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
|
||||||
|
|
||||||
|
* Added HKDF (HMAC Key Derivation Function) from BoringSSL
|
||||||
|
|
||||||
|
* Providea a tls_unload_file() function that frees the memory returned
|
||||||
|
from a tls_load_file() call, ensuring that it the contents become
|
||||||
|
inaccessible. This is specifically needed on platforms where the
|
||||||
|
library allocators may be different from the application allocator.
|
||||||
|
|
||||||
|
* Perform reference counting for tls_config. This allows
|
||||||
|
tls_config_free() to be called as soon as it has been passed to the
|
||||||
|
final tls_configure() call, simplifying lifetime tracking for the
|
||||||
|
application.
|
||||||
|
|
||||||
|
* Moved internal state of SSL and other structures to be opaque.
|
||||||
|
|
||||||
|
* Dropped cipher suites with DSS authentication.
|
||||||
|
|
||||||
|
* nc(1) improvements, including:
|
||||||
|
nc -W to terminate nc after receiving a number of packets
|
||||||
|
nc -Z for saving the peer certificate and chain in a pem file
|
||||||
|
|
||||||
2.5.5 - Bug fixes
|
2.5.5 - Bug fixes
|
||||||
|
|
||||||
* Distinguish between self-issued certificates and self-signed
|
* Distinguish between self-issued certificates and self-signed
|
||||||
certificates. The certificate verification code has special cases
|
certificates. The certificate verification code has special cases
|
||||||
for self-signed certificates and without this change, self-issued
|
for self-signed certificates and without this change, self-issued
|
||||||
|
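Review bot: Four of the added 2.6.0 entries carry typos that will ship in the release notes: "lear/free sequences" should read "clear/free sequences", "Providea a tls_unload_file()" should be "Provide a", "so that is generates certificates" should be "so that it generates", and "ensuring that it the contents become" has a stray "it". Separately, "Dropped cipher suites with DSS authentication" and "Moved internal state of SSL and other structures to be opaque" are compatibility-affecting changes that sit unmarked in the middle of the list; consider moving them to the top of the section or flagging them so that upgraders see them first. The CRL entry also names no function, while the other libtls entries name theirs (tls_cert_hash, tls_keypair_clear_key, tls_unload_file), so naming the new call would make it easier to find.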