Add new "valid_flags" field to CERT_PKEY structure which determines what

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index a1c6e46710e8102f9ac52bb332dfa27fd068794a..8f1baae41834a6710bb69bcbcceb27d35368158a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,29 @@
 
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
+  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
+     the certificate can be used for (if anything). Set valid_flags field 
+     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
+     to have similar checks in it.
+
+     Add new "cert_flags" field to CERT structure and include a "strict mode".
+     This enforces some TLS certificate requirements (such as only permitting
+     certificate signature algorithms contained in the supported algorithms
+     extension) which some implementations ignore: this option should be used
+     with caution as it could cause interoperability issues.
+     [Steve Henson]
+
+  *) Update and tidy signature algorithm extension processing. Work out
+     shared signature algorithms based on preferences and peer algorithms
+     and print them out in s_client and s_server. Abort handshake if no
+     shared signature algorithms.
+     [Steve Henson]
+
+  *) Add new functions to allow customised supported signature algorithms
+     for SSL and SSL_CTX structures. Add options to s_client and s_server
+     to support them.
+     [Steve Henson]
+
   *) New function SSL_certs_clear() to delete all references to certificates
      from an SSL structure. Before this once a certificate had been added
      it couldn't be removed.