factotum/libressl-portable
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bag of changelog for 3.2.0

Browse Source
This commit is contained in:
Bob Beck 2020-05-28 19:50:17 -06:00
parent 60ce6e59bb
commit fcd9da32e8
1 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
ChangeLog
View File

@ -30,6 +30,48 @@ LibreSSL Portable Release Notes:
3.2.0 - Development release 3.2.0 - Development release
* Improve length checks in record layer and provide appropritate
alerts for for violations of record layer limits.
* Enforce in the server that SNI hostnames be correctly formed as
per RFC 6066 and RFC 5890, responding with illegal paramerter for
a nonconformant host name.
* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
various commands.
* Modify io behavior so that SSL_MODE_AUTO_RETRY is the default
similar to new OpenSSL releases.
* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
retry of handshake messages.
* Add tlsfuzzer based regression tests.
* Support sending certificate status replies from the tls13 server
to send ocsp staples for leaf certificates.
* Send correct alerts when handling failed key share extensions
on the TLS 1.3 server.
* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
switching from the new to legacy stacks.
* Support TLS 1.3 options in the openssl(1) command.
* Enable TLS 1.3 server side in addition to client by default.
with this change tls13 is handled entirely on the new stack
and state machine, with fallback to the legacy stack and
state machine for older versions.
* Many alert cleanups in TLS 1.3 to provide expected alerts
in failure conditions.
* Modify "openssl x509" to display invalid certificate times as
invalid, and correctly deal with the failing return case from
x509_time_cmp so that a certificate with an invalid NotAfter does
not appear valid.
* Support sending dummy change_cipher_spec records for middlebox * Support sending dummy change_cipher_spec records for middlebox
compatibility. compatibility.
@ -38,12 +80,21 @@ LibreSSL Portable Release Notes:
corner cases that were dealt with incorrectly. Fixed several corner cases that were dealt with incorrectly. Fixed several
instances of missing or incorrect alerts. instances of missing or incorrect alerts.
* Ensure only PSS may be used with RSA in tls 1.3
* The client must advertise exactly the "null" compression method * The client must advertise exactly the "null" compression method
in its legacy_compression_field, nothing else. in its legacy_compression_field, nothing else.
* Incorrect use of sockaddr instead of sockaddr_storage in the * Incorrect use of sockaddr instead of sockaddr_storage in the
s_client could lead to using 14 bytes of stack garbage instead s_client could lead to using 14 bytes of stack garbage instead
of an IPv6 address in DTLS mode. of an IPv6 address in DTLS mode.
* Support sending certificate status from the tls13 client to retrieve
ocsp staples for leaf certificates.
* Support sending certificate status requests from the tls13
client to retrieve ocsp staples for leaf certificates.
3.1.2 - Bug fix 3.1.2 - Bug fix