X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=e9d3f02bca445218c1cb41e3278818f4d71af75b;hp=f534cf7aaab0daec80c1bfacc4d716ba362f1060;hb=e4646a8963fa6bc6f475afe7a9b9a46b151cfd1a;hpb=8b1a5af389fb962c7d00ffc9d003c81078033e7b diff --git a/CHANGES b/CHANGES index f534cf7aaa..e9d3f02bca 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,51 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + *) Added support for "pipelining". Ciphers that have the + EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple + encryptions/decryptions simultaneously. There are currently no built-in + ciphers with this property but the expectation is that engines will be able + to offer it to significantly improve throughput. Support has been extended + into libssl so that multiple records for a single connection can be + processed in one go (for >=TLS 1.1). + [Matt Caswell] + + *) Added the AFALG engine. This is an async capable engine which is able to + offload work to the Linux kernel. In this initial version it only supports + AES128-CBC. The kernel must be version 4.1.0 or greater. + [Catriona Lucey] + + *) OpenSSL now uses a new threading API. It is no longer necessary to + set locking callbacks to use OpenSSL in a multi-threaded environment. There + are two supported threading models: pthreads and windows threads. It is + also possible to configure OpenSSL at compile time for "no-threads". The + old threading API should no longer be used. The functions have been + replaced with "no-op" compatibility macros. + [Alessandro Ghedini, Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Add SSL_CIPHER queries for authentication and key-exchange. + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Changes to the DEFAULT cipherlist: + - Prefer (EC)DHE handshakes over plain RSA. + - Prefer AEAD ciphers over legacy ciphers. + - Prefer ECDSA over RSA when both certificates are available. + - Prefer TLSv1.2 ciphers/PRF. + - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the + default cipherlist. + [Emilia Käsper] + + *) Change the ECC default curve list to be this, in order: x25519, + secp256r1, secp521r1, secp384r1. + [Rich Salz] + *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are disabled by default. They can be re-enabled using the enable-weak-ssl-ciphers option to Configure. @@ -869,6 +914,11 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival ] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.