Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
+ *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
+ a few changes are required:
+
+ Add SSL_OP_NO_TLSv1_1 flag.
+ Add TLSv1_1 methods.
+ Update version checking logic to handle version 1.1.
+ Add explicit IV handling (ported from DTLS code).
+ Add command line options to s_client/s_server.
+ [Steve Henson]
+
*) Experiemental password based recipient info support for CMS library:
implementing RFC3211.
[Steve Henson]
Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
+ *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
+ connect (but not renegotiate) with servers which do not support RI.
+ Until RI is more widely deployed this option is enabled by default.
+ [Steve Henson]
+
+ *) Add "missing" ssl ctrls to clear options and mode.
+ [Steve Henson]
+
+ *) If client attempts to renegotiate and doesn't support RI respond with
+ a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
+ Some renegotiating TLS clients will continue a connection gracefully
+ when they receive the alert. Unfortunately OpenSSL mishandled
+ this alert and would hang waiting for a server hello which it will never
+ receive. Now we treat a received no_renegotiation alert as a fatal
+ error. This is because applications requesting a renegotiation might well
+ expect it to succeed and would have no code in place to handle the server
+ denying it so the only safe thing to do is to terminate the connection.
+ [Steve Henson]
+
+ *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
+ peer supports secure renegotiation and 0 otherwise. Print out peer
+ renegotiation support in s_client/s_server.
+ [Steve Henson]
+
*) Replace the highly broken and deprecated SPKAC certification method with
the updated NID creation version. This should correctly handle UTF8.
[Steve Henson]
- *) Implement
- https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt. Re-enable
+ *) Implement draft-ietf-tls-renegotiation. Re-enable
renegotiation but require the extension as needed. Unfortunately,
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
bad idea. It has been replaced by
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
SSL_CTX_set_options(). This is really not recommended unless you
know what you are doing.
- [Eric Rescorla <ekr@networkresonance.com> and Ben Laurie]
+ [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
*) Fixes to stateless session resumption handling. Use initial_ctx when
issuing and attempting to decrypt tickets in case it has changed during
projects / openssl.git / blobdiff