Clear error queue when starting SSL_CTX_use_certificate_chain_file

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index d3d56373668b44b3f1cb678585a130f61c32ea7b..c726ac5f000ce3a6381af5f15a2c70923af9ab26 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -686,13 +686,27 @@
 
  Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]
 
+  *) Clear error queue in SSL_CTX_use_certificate_chain_file()
+
+     Clear the error queue to ensure that error entries left from
+     older function calls do not interfere with the correct operation.
+     [Lutz Jaenicke, Erik de Castro Lopo]
+
+  *) Remove root CA certificates of commercial CAs:
+
+     The OpenSSL project does not recommend any specific CA and does not
+     have any policy with respect to including or excluding any CA.
+     Therefore it does not make any sense to ship an arbitrary selection
+     of root CA certificates with the OpenSSL software.
+     [Lutz Jaenicke]
+
   *) RSA OAEP patches to fix two separate invalid memory reads.
      The first one involves inputs when 'lzero' is greater than
      'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
      before the beginning of from). The second one involves inputs where
      the 'db' section contains nothing but zeroes (there is a one-byte
      invalid read after the end of 'db').
-     [Ivan Nestlerlode <inestlerode@us.ibm.com>]
+     [Ivan Nestlerode <inestlerode@us.ibm.com>]
   
   *) Add TLS session ticket callback. This allows an application to set
      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed