diff options
| author | Brent Cook <bcook@openbsd.org> | 2017-09-03 21:52:18 -0500 |
|---|---|---|
| committer | Brent Cook <bcook@openbsd.org> | 2017-09-03 21:52:18 -0500 |
| commit | d653deef650b44dba3ac00750da83fd36b7b936d (patch) | |
| tree | 3fc1b4973949a6ecad1cfbad685117d774a26297 | |
| parent | f4d2b810cb7037fb393378dbae7b9cece77829fd (diff) | |
| download | portable-d653deef650b44dba3ac00750da83fd36b7b936d.tar.gz portable-d653deef650b44dba3ac00750da83fd36b7b936d.tar.bz2 portable-d653deef650b44dba3ac00750da83fd36b7b936d.zip | |
add 2.6.1 changelog
| -rw-r--r-- | ChangeLog | 53 |
1 files changed, 53 insertions, 0 deletions
| @@ -28,6 +28,59 @@ history is also available from Git. | |||
| 28 | 28 | ||
| 29 | LibreSSL Portable Release Notes: | 29 | LibreSSL Portable Release Notes: |
| 30 | 30 | ||
| 31 | 2.6.1 - Code removal, rewrites | ||
| 32 | |||
| 33 | * Added a "-T tlscompat" option to nc(1), which enables the use of all | ||
| 34 | TLS protocols and "compat" ciphers. This allows for TLS connections | ||
| 35 | to TLS servers that are using less than ideal cipher suites, without | ||
| 36 | having to resort to "-T tlsall" which enables all known cipher | ||
| 37 | suites. Diff from Kyle J. McKay. | ||
| 38 | |||
| 39 | * Added a new TLS extension handling framework, somewhat analogous to | ||
| 40 | BoringSSL, and converted all TLS extensions to use it. Added new TLS | ||
| 41 | extension regression tests. | ||
| 42 | |||
| 43 | * Improved and added many new manpages. Updated *check_private_key | ||
| 44 | manpages with additional cautions regarding their use. | ||
| 45 | |||
| 46 | * Cleaned up the EC key/curve configuration handling. | ||
| 47 | |||
| 48 | * Added tls_config_set_ecdhecurves() to libtls, which allows the names | ||
| 49 | of the eliptical curves that may be used during client and server | ||
| 50 | key exchange to be specified. | ||
| 51 | |||
| 52 | * Converted more code paths to use CBB/CBS. | ||
| 53 | |||
| 54 | * Removed support for DSS/DSA, since we removed the cipher suites a | ||
| 55 | while back. | ||
| 56 | |||
| 57 | * Removed NPN support. NPN was never standardised and the last draft | ||
| 58 | expired in October 2012. ALPN was standardised in July 2014 and has | ||
| 59 | been supported in LibreSSL since December 2014. NPN has also been | ||
| 60 | removed from Chromium in May 2016. | ||
| 61 | |||
| 62 | * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken | ||
| 63 | CryptoPro clients. | ||
| 64 | |||
| 65 | * Removed support for the TLS padding extension, which was added as a | ||
| 66 | workaround for an old bug in F5's TLS termintation. | ||
| 67 | |||
| 68 | * Workaround a new bug in F5's TLS termination handling the | ||
| 69 | elliptical curves extension. RFC 4492 only defines elliptic_curves | ||
| 70 | for ClientHello. However, F5 is sending it in ServerHello. We need | ||
| 71 | to skip over it since our TLS extension parsing code is now more | ||
| 72 | strict. Thanks to Armin Wolfermann and WJ Liu for reporting. | ||
| 73 | |||
| 74 | * Added ability to clamp notafter valies in certificates for systems | ||
| 75 | with 32-bit time_t. This is necessary to conform to RFC 5280 | ||
| 76 | 4.1.2.5. | ||
| 77 | |||
| 78 | * Imported SSL_CTX_set_min_proto_version(3) from OpenSSL | ||
| 79 | |||
| 80 | * Remove the original (pre-IETF) chacha20-poly1305 cipher suites. | ||
| 81 | |||
| 82 | * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. | ||
| 83 | |||
| 31 | 2.6.0 - New APIs, bug fixes and improvements | 84 | 2.6.0 - New APIs, bug fixes and improvements |
| 32 | 85 | ||
| 33 | * Added support for providing CRLs to libtls. Once a CRL is provided we | 86 | * Added support for providing CRLs to libtls. Once a CRL is provided we |