author Theo Buehler <tb@openbsd.org> 2020-11-19 14:49:42 +0100
committer Theo Buehler <tb@openbsd.org> 2020-11-19 14:50:52 +0100
commit 223fbf70f537f581de15f89afef17f8c0092e166
tree dd47b10e42c62edf950102ca2c8d677815009ae2
parent df3d4bb57a253f85bb60567aaea5f2dd992a9fbd
Initial ChangeLog for 3.3.0
-rw-r--r-- ChangeLog 98
1 files changed, 98 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 4598456..3330a86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,104 @@ history is also available from Git.
28 28
29LibreSSL Portable Release Notes: 29LibreSSL Portable Release Notes:
30 30
313.3.0 - Development release
32
33 * Make openssl(1) s_server ignore -4 and -6 for compatibility with
34 OpenSSL.
35
36 * Further cleanup of the DTLS record handling.
37
38 * Continue the replacement of the TLSv1.2 record layer by
39 reimplementing the read side of the TLSv1.2 record handling.
40
41 * Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
42
43 * Merge d1_{clnt,srvr}.c into ssl_{clnt,srver}.c.
44
45 * Fix switching from the TLSv1.3 stack to the legacy stack after
46 the record rewrite by including a TLS record header for the case
47 that there is more than one handshake message in the TLS plaintext
48 record.
49
50 * Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
51 command.
52
53 * Fix resource handling on error in OCSP_request_add0_id().
54
55 * Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
56 .data.rel.ro and .rodata, respectively.
57
58 * Add a const qualifier to srtp_known_profiles.
59
60 * Simplify TLS method by removing the client and server specific
61 methods internally.
62
63 * Avoid casting away const in ssl_ctx_make_profiles().
64
65 * Make sure there is enough room for stashing the handshake message
66 when switching to the legacy TLS stack.
67
68 * Avoid explicitly conditioning an assert on DTLS1_VERSION to make
69 the assert work for newer DTLS versions.
70
71 * Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
72
73 * Send a host header with OCSP queries to make openssl(1) ocsp
74 work with some widely used OCSP responders.
75
76 * Fix a memory leak in the openssl(1) s_client.
77
78 * Add a flag to mark DTLS methods as DTLS to have an easy way to
79 recognize DTLS methods that avoids inspecting the version number.
80
81 * Implement SSL_is_dtls() and use it internally in place of the
82 SSL_IS_DTLS macro.
83
84 * Unbreak DTLS retransmissions for flights that include a CCS.
85
86 * Add ability to ocspcheck(8) to parse a port in the specified
87 OCSP URL.
88
89 * Refactor and clean up ocspcheck(8) and add regression tests.
90
91 * If x509_verify() fails, ensure that the error is set on both
92 the x509_verify_ctx() and its store context to make some failures
93 visible from SSL_get_verify_result().
94
95 * Use the X509_STORE_CTX get_issuer() callback from the new X.509
96 verifier to fix hashed certificate directories.
97
98 * Only check BIO_should_read() on read and BIO_should_write() on
99 write. Previously, BIO_should_write() was also checked after read
100 and BIO_should_read() after write which could cause stalls in
101 software that uses the same BIO for read and write.
102
103 * In openssl(1) verify, also check for error on the store context
104 since the return value of X509_verify_cert() is unreliable in
105 presence of a callback that returns 1 too often.
106
107 * Implement auto chain for the TLSv1.3 server since some software
108 relies on this.
109
110 * Handle additional certificate error cases in the new X.509 verifier.
111 Keep track of the errors encountered if a verify callback tells the
112 verifier to continue and report them back via the error on the store
113 context. This mimicks the behavior of the old verifier that would
114 persist the first error encountered while building the chain.
115
116 * Report specific failures for "self signed certificates" in a way
117 compatible with the old verifier since software relies on the
118 error code.
119
120 * Implement key exporter for TLSv1.3.
121
122 * Plug a large memory leak in the new verifier caused by calling
123 X509_policy_check() repeatedly instead.
124
125 * Avoid leaking memory in x509_verify_chain_dup().
126
127 * Various documentation improvements, particularly around TLS methods.
128
313.2.2 - Stable release 1293.2.2 - Stable release
32 130
33 * This is the first stable release with the new TLSv1.3 131 * This is the first stable release with the new TLSv1.3
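Review bot: the entry "Plug a large memory leak in the new verifier caused by calling X509_policy_check() repeatedly instead." ends on a dangling "instead" with nothing it contrasts against, so a reader cannot tell what the fix changed. Either drop the trailing word or finish the clause with what the verifier now does. Two smaller points in the same hunk: in "Merge d1_{clnt,srvr}.c into ssl_{clnt,srver}.c." the second brace list spells "srver" where the first spells "srvr", so one of them is a typo and the expanded file name will not match; and "This mimicks the behavior of the old verifier" should read "mimics". Since several entries here ("make some failures visible from SSL_get_verify_result()", "software relies on the error code") describe behavior that callers depend on, it is worth getting the wording exact before this becomes the release notes.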