From c92119f50afc2ed77f6a32141ceb0a2e80e345d6 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 9 Jul 2017 10:36:22 -0500 Subject: [PATCH] added 2.6.0 Changes --- ChangeLog | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/ChangeLog b/ChangeLog index d95e5c1..323ebe6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -28,7 +28,68 @@ history is also available from Git. LibreSSL Portable Release Notes: +2.6.0 - New APIs, bug fixes and improvements + + * Added support for providing CRLs to libtls. Once a CRL is provided we + enable CRL checking for the full certificate chain. Based on a diff + from Jack Burton + + * Allow non-compliant clients using IP literal addresses with SNI + to connect to a server using libtls. + + * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). + Reported by Robert Swiecki, who found the issue using honggfuzz. + + * Added definitions for three OIDs used in EV certificates. + From Kyle J. McKay + + * Plugged a memory leak in tls_ocsp_free. + + * Added tls_peer_cert_chain_pem, tls_cert_hash, and tls_hex_string to + libtls, useful in private certificate validation callbacks such as + those in relayd. + + * Converted explicit lear/free sequences to use freezero(3). + + * Reworked TLS certificate name verification code to more strictly + follow RFC 6125. + + * Cleaned up and simplified server key exchange EC point handling. + + * Added tls_keypair_clear_key for clearing key material. + + * Removed inconsistent IPv6 handling from BIO_get_accept_socket, + simplified BIO_get_host_ip and BIO_accept. + + * Fixed the openssl(1) ca command so that is generates certificates + with RFC 5280-conformant time. Problem noticed by Harald Dunkel. + + * Added ASN1_TIME_set_tm to set an asn1 from a struct tm * + + * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. + + * Added HKDF (HMAC Key Derivation Function) from BoringSSL + + * Providea a tls_unload_file() function that frees the memory returned + from a tls_load_file() call, ensuring that it the contents become + inaccessible. This is specifically needed on platforms where the + library allocators may be different from the application allocator. + + * Perform reference counting for tls_config. 
This allows + tls_config_free() to be called as soon as it has been passed to the + final tls_configure() call, simplifying lifetime tracking for the + application. + + * Moved internal state of SSL and other structures to be opaque. + + * Dropped cipher suites with DSS authentication. + + * nc(1) improvements, including: + nc -W to terminate nc after receiving a number of packets + nc -Z for saving the peer certificate and chain in a pem file + 2.5.5 - Bug fixes + * Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued
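Review bot: several typos in the new 2.6.0 entries will ship verbatim in the release notes and should be fixed before merging: `Converted explicit lear/free sequences to use freezero(3).` should read `clear/free`; `Fixed the openssl(1) ca command so that is generates certificates` should read `so that it generates`; and `Providea a tls_unload_file() function ... ensuring that it the contents become inaccessible.` should read `Provides a tls_unload_file() function ... ensuring that the contents become inaccessible.` The remaining entries read cleanly, and the hunk header (+68 against 7 context lines) agrees with the 61 insertions reported in the diffstat.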