Update ocsp usage message and docs.

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index ea29f5abfda631291656a04a6408670672c47025..719a7ff22b88ea97d8a56288398b32c85f8a3058 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,15 @@
 
  Changes between 0.9.7a and 0.9.8  [xx XXX xxxx]
 
+  *) Support for nameConstraints certificate extension.
+     [Steve Henson]
+
+  *) Support for policyConstraints certificate extension.
+     [Steve Henson]
+
+  *) Support for policyMappings certificate extension.
+     [Steve Henson]
+
   *) Fixed a typo bug that would cause ENGINE_set_default() to set an
      ENGINE as defaults for all supported algorithms irrespective of
      the 'flags' parameter. 'flags' is now honoured, so applications
@@ -466,8 +475,19 @@
      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
      [Bodo Moeller]
 
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).
+     [Bodo Moeller]
+
 yet to be integrated into this CVS branch:
-- RSA blinding changes
 - Geoff's ENGINE_set_default() fix
 
   *) Target "mingw" now allows native Windows code to be generated in