X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=CHANGES;h=4e305721e38aaf10094be3a874c28894a89e9a7d;hb=7ff970ef55a1552e5a1acc6d337250c755b7fd0d;hp=7a444266ff589b4c84f3fd533862ba57f6af5358;hpb=1ee3b17fa0efc0505c157f537c976d188bfa25b3;p=openssl.git diff --git a/CHANGES b/CHANGES index 7a444266ff..4e305721e3 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,59 @@ Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + *) Support for RFC6698/RFC7671 DANE TLSA peer authentication. + + Obtaining and performing DNSSEC validation of TLSA records is + the application's responsibility. The application provides + the TLSA records of its choice to OpenSSL, and these are then + used to authenticate the peer. + + The TLSA records need not even come from DNS. They can, for + example, be used to implement local end-entity certificate or + trust-anchor "pinning", where the "pin" data takes the form + of TLSA records, which can augment or replace verification + based on the usual WebPKI public certification authorities. + [Viktor Dukhovni] + + *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL + continues to support deprecated interfaces in default builds. + However, applications are strongly advised to compile their + source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides + the declarations of all interfaces deprecated in 0.9.8, 1.0.0 + or the 1.1.0 releases. + + In environments in which all applications have been ported to + not use any deprecated interfaces OpenSSL's Configure script + should be used with the --api=1.1.0 option to entirely remove + support for the deprecated features from the library and + unconditionally disable them in the installed headers. + Essentially the same effect can be achieved with the "no-deprecated" + argument to Configure, except that this will always restrict + the build to just the latest API, rather than a fixed API + version. + + As applications are ported to future revisions of the API, + they should update their compile-time OPENSSL_API_COMPAT define + accordingly, but in most cases should be able to continue to + compile with later releases. + + The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are + 0x10000000L and 0x00908000L, respectively. However those + versions did not support the OPENSSL_API_COMPAT feature, and + so applications are not typically tested for explicit support + of just the undeprecated features of either release. + [Viktor Dukhovni] + + *) Add support for setting the minimum and maximum supported protocol. + It can bet set via the SSL_set_min_proto_version() and + SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and + MaxProtcol. It's recommended to use the new APIs to disable + protocols instead of disabling individual protocols using + SSL_set_options() or SSL_CONF's Protocol. This change also + removes support for disabling TLS 1.2 in the OpenSSL TLS + client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT. + [Kurt Roeckx] + *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl. [Andy Polyakov] @@ -54,7 +107,8 @@ *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is always enabled now. If you want to disable the support you should - exclude it using the list of supported ciphers. + exclude it using the list of supported ciphers. This also means that the + "-no_ecdhe" option has been removed from s_server. [Kurt Roeckx] *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls @@ -83,8 +137,9 @@ *) The demo files in crypto/threads were moved to demo/threads. [Rich Salz] - *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron and sureware. - [Matt Caswell] + *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp, + and sureware. + [Matt Caswell, Rich Salz] *) New ASN.1 embed macro. @@ -140,6 +195,12 @@ [Richard Levitte] + *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT + are used; the latter aborts on memory leaks (usually checked on exit). + Some undocumented "set malloc, etc., hooks" functions were removed + and others were changed. All are now documented. + [Rich Salz] + *) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen ] @@ -210,6 +271,10 @@ *) Added HTTP GET support to the ocsp command. [Rich Salz] + *) Changed default digest for the dgst and enc commands from MD5 to + sha256 + [Rich Salz] + *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. [Matt Caswell]