X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=CHANGES;h=97254ec9678d2158dcac853d6c9ec1fdedeb33ec;hb=e4f1cda7dec46383faaa9c9945f0ddd9d1b8b75c;hp=427444a9ce71e6d525f6028b168b7f63425ad76f;hpb=b52a2738d4cd20d8cf4cf88943bee2b6789eeaf1;p=openssl.git diff --git a/CHANGES b/CHANGES index 427444a9ce..97254ec967 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,11 @@ _______________ Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] + + *) Fix compression algorithm handling: if resuming a session use the + compression algorithm of the resumed session instead of determining + it from client hello again. Don't allow server to change algorithm. + [Steve Henson] *) Add load_crls() function to apps tidying load_certs() too. Add option to verify utility to allow additional CRLs to be included. 
@@ -827,6 +832,29 @@ [NTT] Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] + + *) Constify crypto/cast (i.e., ): a CAST_KEY doesn't + change when encrypting or decrypting. + [Bodo Moeller] + + *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to + connect (but not renegotiate) with servers which do not support RI. + Until RI is more widely deployed this option is enabled by default. + [Steve Henson] + + *) Add "missing" ssl ctrls to clear options and mode. + [Steve Henson] + + *) If client attempts to renegotiate and doesn't support RI respond with + a no_renegotiation alert as required by draft-ietf-tls-renegotiation. + Some renegotiating TLS clients will continue a connection gracefully + when they receive the alert. Unfortunately OpenSSL mishandled + this alert and would hang waiting for a server hello which it will never + receive. Now we treat a received no_renegotiation alert as a fatal + error. This is because applications requesting a renegotiation might well + expect it to succeed and would have no code in place to handle the server + denying it so the only safe thing to do is to terminate the connection. + [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer
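Review bot: In the first hunk (the entry added under "Changes between 0.9.8m (?) and 1.0.0"), the compression note does not say what happens on the failure paths it implies. "Use the compression algorithm of the resumed session instead of determining it from client hello again" leaves open whether the resuming client hello is still checked for offering that algorithm. "Don't allow server to change algorithm" does not say which side enforces this or how the handshake ends when the server does change it. Suggest one more sentence stating the behaviour in each case (for example, whether the handshake is aborted), so that readers of CHANGES can tell what an interoperability failure after upgrading will look like.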
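Review bot: In the second hunk (the entries added under "Changes between 0.9.8l (?) and 0.9.8m (?)"), the SSL_OP_LEGACY_SERVER_CONNECT entry says the option is "enabled by default" but not how an application that wants to refuse servers without RI turns it off. The following entry, 'Add "missing" ssl ctrls to clear options and mode', does not name the ctrls either, so the two entries cannot be connected from the text alone. Suggest naming the new ctrls and stating in the SSL_OP_LEGACY_SERVER_CONNECT entry that clearing the option is the way to require RI. "RI" is also never expanded in these added lines, and it should be spelled out on first use. Separately, the cast entry reads "(i.e., )" with nothing inside the parentheses as shown here, so either name the header or drop the parenthetical.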