From fcd9da32e8014dd9155d6653d364dbfb31e015b3 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Thu, 28 May 2020 19:50:17 -0600 Subject: [PATCH] bag of changelog for 3.2.0 --- ChangeLog | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ab283a5..5e69fa9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,48 @@ LibreSSL Portable Release Notes: 3.2.0 - Development release + * Improve length checks in record layer and provide appropritate + alerts for for violations of record layer limits. + + * Enforce in the server that SNI hostnames be correctly formed as + per RFC 6066 and RFC 5890, responding with illegal paramerter for + a nonconformant host name. + + * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in + various commands. + + * Modify io behavior so that SSL_MODE_AUTO_RETRY is the default + similar to new OpenSSL releases. + + * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic + retry of handshake messages. + + * Add tlsfuzzer based regression tests. + + * Support sending certificate status replies from the tls13 server + to send ocsp staples for leaf certificates. + + * Send correct alerts when handling failed key share extensions + on the TLS 1.3 server. + + * Various compatibility fixes for TLS 1.3 to 1.2 fallback for + switching from the new to legacy stacks. + + * Support TLS 1.3 options in the openssl(1) command. + + * Enable TLS 1.3 server side in addition to client by default. + with this change tls13 is handled entirely on the new stack + and state machine, with fallback to the legacy stack and + state machine for older versions. + + * Many alert cleanups in TLS 1.3 to provide expected alerts + in failure conditions. + + * Modify "openssl x509" to display invalid certificate times as + invalid, and correctly deal with the failing return case from + x509_time_cmp so that a certificate with an invalid NotAfter does + not appear valid. + * Support sending dummy change_cipher_spec records for middlebox compatibility. @@ -38,12 +80,21 @@ LibreSSL Portable Release Notes: corner cases that were dealt with incorrectly. Fixed several instances of missing or incorrect alerts. + * Ensure only PSS may be used with RSA in tls 1.3 + * The client must advertise exactly the "null" compression method in its legacy_compression_field, nothing else. * Incorrect use of sockaddr instead of sockaddr_storage in the s_client could lead to using 14 bytes of stack garbage instead - of an IPv6 address in DTLS mode. + of an IPv6 address in DTLS mode. + + * Support sending certificate status from the tls13 client to retrieve + ocsp staples for leaf certificates. + + * Support sending certificate status requests from the tls13 + client to retrieve ocsp staples for leaf certificates. + 3.1.2 - Bug fix