author Joel Sing <joel@sing.id.au> 2020-06-01 02:33:36 +1000
committer Joel Sing <joel@sing.id.au> 2020-06-01 02:33:36 +1000
commit 2f8aa339c5c0d3057cc969ab90cb8e7a4fc909f7 (patch)
tree 01dc13a1c3e5bb3e943ca3b153d01198a0ca3a9c
parent ba5ae4fd8390249ef5a6450c45bf7bc52bf767ed (diff)
ChangeLog tweaks.
-rw-r--r-- ChangeLog 55
1 files changed, 28 insertions, 27 deletions
diff --git a/ChangeLog b/ChangeLog
index 21fa536..69692a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,26 +30,35 @@ LibreSSL Portable Release Notes:
30 30
313.2.0 - Development release 313.2.0 - Development release
32 32
33 * Improve length checks in record layer and provide appropriate 33 * Enable TLS 1.3 server side in addition to client by default.
34 alerts for violations of record layer limits. 34 With this change TLS 1.3 is handled entirely on the new stack
35 35 and state machine, with fallback to the legacy stack and
36 * Enforce in the server that SNI hostnames be correctly formed as 36 state machine for older versions. Note that the OpenSSL TLS 1.3
37 per RFC 6066 and RFC 5890, responding with illegal parameter for 37 API is not yet visible/available.
38 a nonconformant host name.
39 38
40 * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in 39 * Improve length checks in the TLS 1.3 record layer and provide
41 various commands. 40 appropriate alerts for violations of record layer limits.
42 41
43 * Modify io behavior so that SSL_MODE_AUTO_RETRY is the default 42 * Enforce that SNI hostnames received by the TLS server are correctly
44 similar to new OpenSSL releases. 43 formed as per RFC 5890 and RFC 6066, responding with illegal parameter
44 for a nonconformant host name.
45 45
46 * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic 46 * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
47 retry of handshake messages. 47 retry of handshake messages.
48 48
49 * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
50 similar to new OpenSSL releases.
51
52 * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
53 various commands.
54
49 * Add tlsfuzzer based regression tests. 55 * Add tlsfuzzer based regression tests.
50 56
57 * Support sending certificate status requests from the TLS 1.3
58 client to request OCSP staples for leaf certificates.
59
51 * Support sending certificate status replies from the TLS 1.3 server 60 * Support sending certificate status replies from the TLS 1.3 server
52 to send OCSP staples for leaf certificates. 61 in order to send OCSP staples for leaf certificates.
53 62
54 * Send correct alerts when handling failed key share extensions 63 * Send correct alerts when handling failed key share extensions
55 on the TLS 1.3 server. 64 on the TLS 1.3 server.
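Review bot: In the reworded SNI entry (new lines 42-44), "responding with illegal parameter" still reads as prose rather than as the name of a TLS alert; writing it as "responding with an illegal_parameter alert" would match the identifier style used for legacy_compression_methods later in the file and be easier to search for. In the moved TLS 1.3 server entry, the added sentence "Note that the OpenSSL TLS 1.3 API is not yet visible/available" would be clearer if it chose one of "visible" or "available" and said which is meant. The relocated SSL_MODE_AUTO_RETRY entry changes a default, so "is the default similar to new OpenSSL releases" could be tightened to "is enabled by default, as in newer OpenSSL releases".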
@@ -59,34 +68,26 @@ LibreSSL Portable Release Notes:
59 68
60 * Support TLS 1.3 options in the openssl(1) command. 69 * Support TLS 1.3 options in the openssl(1) command.
61 70
62 * Enable TLS 1.3 server side in addition to client by default. 71 * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
63 With this change TLS 1.3 is handled entirely on the new stack 72 conditions.
64 and state machine, with fallback to the legacy stack and
65 state machine for older versions.
66
67 * Many alert cleanups in TLS 1.3 to provide expected alerts
68 in failure conditions.
69 73
70 * Modify "openssl x509" to display invalid certificate times as 74 * Modify "openssl x509" to display invalid certificate times as
71 invalid, and correctly deal with the failing return case from 75 invalid, and correctly deal with the failing return case from
72 X509_cmp_time so that a certificate with an invalid NotAfter does 76 X509_cmp_time so that a certificate with an invalid NotAfter does
73 not appear valid. 77 not appear valid.
74 78
75 * Support sending dummy change_cipher_spec records for middlebox 79 * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
76 compatibility. 80 compatibility.
77 81
78 * Ensure only PSS may be used with RSA in TLS 1.3. 82 * Ensure only PSS signatures are used with RSA in TLS 1.3.
79 83
80 * The client must advertise exactly the "null" compression method 84 * Ensure that TLS 1.3 clients advertise exactly the "null" compression
81 in its legacy_compression_methods, nothing else. 85 method in its legacy_compression_methods.
82 86
83 * Incorrect use of sockaddr instead of sockaddr_storage in openssl(1) 87 * Correct use of sockaddr instead of sockaddr_storage in openssl(1)
84 s_client could lead to using 14 bytes of stack garbage instead 88 s_client, which could lead to using 14 bytes of stack garbage instead
85 of an IPv6 address in DTLS mode. 89 of an IPv6 address in DTLS mode.
86 90
87 * Support sending certificate status requests from the TLS 1.3
88 client to retrieve OCSP staples for leaf certificates.
89
903.1.2 - Bug fix 913.1.2 - Bug fix
91 92
92 * A TLS client with peer verification disabled may crash when 93 * A TLS client with peer verification disabled may crash when
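Review bot: The sockaddr entry (new lines 87-89) now begins "Correct use of sockaddr instead of sockaddr_storage", which can be read with "Correct" as an adjective, meaning that using sockaddr was the right choice; that inverts the old "Incorrect use of ..." wording. Something like "Fix incorrect use of sockaddr instead of sockaddr_storage in openssl(1) s_client, which could lead to ..." keeps the imperative style without the ambiguity. In the compression entry (new lines 84-85), "TLS 1.3 clients advertise ... in its legacy_compression_methods" mixes plural and singular, and the rewording no longer makes clear which side does the enforcing where the old text said "The client must advertise"; naming the enforcing side explicitly would help.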