add -trusted_first option and verify flag

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index 621387772479a5d0f61fa0f9dbf4af796a136599..1a7d4c35fce6cf2a5233718d4c42e1865f5449e9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,20 @@
 
  Changes between 1.0.0 and 1.1.0  [xx XXX xxxx]
 
+  *) Add -trusted_first option which attempts to find certificates in the
+     trusted store even if an untrusted chain is also supplied.
+     [Steve Henson]
+
+  *) Initial experimental support for explicitly trusted non-root CAs. 
+     OpenSSL still tries to build a complete chain to a root but if an
+     intermediate CA has a trust setting included that is used. The first
+     setting is used: whether to trust or reject.
+     [Steve Henson]
+
+  *) New -verify_name option in command line utilities to set verification
+     parameters by name.
+     [Steve Henson]
+
   *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
      Add CMAC pkey methods.
      [Steve Henson]
@@ -896,7 +910,11 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8l (?) and 0.9.8m (?)  [xx XXX xxxx]
+ Changes between 0.9.8l and 0.9.8m  [xx XXX xxxx]
+
+  *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
+     accommodate for stack sorting, always a write lock!).
+     [Bodo Moeller]
 
   *) On some versions of WIN32 Heap32Next is very slow. This can cause
      excessive delays in the RAND_poll(): over a minute. As a workaround