author Bob Beck <beck@openbsd.org> 2020-05-28 19:50:17 -0600
committer Bob Beck <beck@openbsd.org> 2020-05-28 19:50:17 -0600
commit fcd9da32e8014dd9155d6653d364dbfb31e015b3 (patch)
tree f5e6c7d050a9b4d749122b760af71a11161f3673
parent 60ce6e59bb83c65f3172cdfc69928242e7003820 (diff)
bag of changelog for 3.2.0
-rw-r--r-- ChangeLog 53
1 files changed, 52 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index ab283a5..5e69fa9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,48 @@ LibreSSL Portable Release Notes:
30 30
313.2.0 - Development release 313.2.0 - Development release
32 32
33 * Improve length checks in record layer and provide appropritate
34 alerts for for violations of record layer limits.
35
36 * Enforce in the server that SNI hostnames be correctly formed as
37 per RFC 6066 and RFC 5890, responding with illegal paramerter for
38 a nonconformant host name.
39
40 * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
41 various commands.
42
43 * Modify io behavior so that SSL_MODE_AUTO_RETRY is the default
44 similar to new OpenSSL releases.
45
46 * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
47 retry of handshake messages.
48
49 * Add tlsfuzzer based regression tests.
50
51 * Support sending certificate status replies from the tls13 server
52 to send ocsp staples for leaf certificates.
53
54 * Send correct alerts when handling failed key share extensions
55 on the TLS 1.3 server.
56
57 * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
58 switching from the new to legacy stacks.
59
60 * Support TLS 1.3 options in the openssl(1) command.
61
62 * Enable TLS 1.3 server side in addition to client by default.
63 with this change tls13 is handled entirely on the new stack
64 and state machine, with fallback to the legacy stack and
65 state machine for older versions.
66
67 * Many alert cleanups in TLS 1.3 to provide expected alerts
68 in failure conditions.
69
70 * Modify "openssl x509" to display invalid certificate times as
71 invalid, and correctly deal with the failing return case from
72 x509_time_cmp so that a certificate with an invalid NotAfter does
73 not appear valid.
74
33 * Support sending dummy change_cipher_spec records for middlebox 75 * Support sending dummy change_cipher_spec records for middlebox
34 compatibility. 76 compatibility.
35 77
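Review bot: the added entries contain spelling errors that will ship in the release notes: "appropritate" and the doubled "for for" in the record layer entry (new lines 33-34), and "illegal paramerter" in the SNI entry (new line 37). Suggest "provide appropriate alerts for violations of record layer limits" and "responding with illegal_parameter", which matches the alert's name in the TLS specifications. The TLS 1.3 server entry (new lines 62-63) ends a sentence with a period and then resumes with a lowercase "with this change"; capitalise it or join the two sentences. The entries also mix "TLS 1.3", "tls13" and "ocsp"; using "TLS 1.3" and "OCSP" throughout would keep the notes searchable for readers looking for the behaviour changes, in particular the SSL_MODE_AUTO_RETRY default and the server-side TLS 1.3 enablement.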
@@ -38,12 +80,21 @@ LibreSSL Portable Release Notes:
38 corner cases that were dealt with incorrectly. Fixed several 80 corner cases that were dealt with incorrectly. Fixed several
39 instances of missing or incorrect alerts. 81 instances of missing or incorrect alerts.
40 82
83 * Ensure only PSS may be used with RSA in tls 1.3
84
41 * The client must advertise exactly the "null" compression method 85 * The client must advertise exactly the "null" compression method
42 in its legacy_compression_field, nothing else. 86 in its legacy_compression_field, nothing else.
43 87
44 * Incorrect use of sockaddr instead of sockaddr_storage in the 88 * Incorrect use of sockaddr instead of sockaddr_storage in the
45 s_client could lead to using 14 bytes of stack garbage instead 89 s_client could lead to using 14 bytes of stack garbage instead
46 of an IPv6 address in DTLS mode. 90 of an IPv6 address in DTLS mode.
91
92 * Support sending certificate status from the tls13 client to retrieve
93 ocsp staples for leaf certificates.
94
95 * Support sending certificate status requests from the tls13
96 client to retrieve ocsp staples for leaf certificates.
97
47 98
483.1.2 - Bug fix 993.1.2 - Bug fix
49 100
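Review bot: new lines 92-93 and 95-96 are the same changelog entry written twice ("Support sending certificate status from the tls13 client ..." and "Support sending certificate status requests from the tls13 client ..."). Keep the second, which says "requests", and drop the first. The blank line added at new line 97 then leaves two blank lines before the "3.1.2 - Bug fix" heading, so it should go as well. The PSS entry at new line 83 writes "tls 1.3" in lowercase and has no closing period, unlike the neighbouring entries; "Ensure only PSS may be used with RSA in TLS 1.3." would be consistent, and it would help readers if the entry said whether the restriction applies to the client, the server or both.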