X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=67c92f822fee9c91b8c6d4b34bd21ddac421bd79;hp=6c1a127ec9e478d3b0e05054194425f99d6d0a68;hb=e8e5b46e2b92b234791b8be3331cdc0f187d4bbe;hpb=4d524040bc81d2db46a5530ba10a98686ab1c3ca

diff --git a/CHANGES b/CHANGES
index 6c1a127ec9..67c92f822f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,66 @@
 
  Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]
 
+  *) Add support for TLS extensions, specifically for the HostName extension
+     so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now have new
+     members for HostName support.
+
+     New functions (subject to change):
+
+         SSL_get_servername()
+         SSL_get_servername_type()
+         SSL_set_SSL_CTX()
+
+     New CTRL codes and macros (subject to change):
+
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+                                 - SSL_CTX_set_tlsext_servername_callback()
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+                                      - SSL_CTX_set_tlsext_servername_arg()
+         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_hostname()
+         SSL_CTRL_GET_TLSEXT_HOSTNAME     [similar to SSL_get_servername()]
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE
+                                         - SSL_set_tlsext_servername_done()
+
+     openssl s_client has a new '-servername' option.
+
+     openssl s_server has new options '-servername', '-cert2', and '-key2'
+     (subject to change); this allows testing the HostName extension for a
+     specific single host name ('-cert' and '-key' remain fallbacks for
+     handshakes without HostName negotiation).
+
+     [Peter Sylvester,  Remy Allais, Christophe Renou]
+
+  *) Whirlpool hash implementation is added.
+     [Andy Polyakov]
+
+  *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
+     bn(64,32). Because of instruction set limitations it doesn't have
+     any negative impact on performance. This was done mostly in order
+     to make it possible to share assembler modules, such as bn_mul_mont
+     implementations, between 32- and 64-bit builds without hassle.
+     [Andy Polyakov]
+
+  *) Disable rogue ciphersuites:
+
+      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+     The latter two were purportedly from
+     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+     appear there.
+
+     Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt
+     remain enabled for now, but are just as unofficial, and the ID
+     has long expired; these will probably disappear soon.
+     [Bodo Moeller]
+
+  *) Move code previously exiled into file crypto/ec/ec2_smpt.c
+     to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
+     macro.
+     [Bodo Moeller]
+
   *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
      dedicated Montgomery multiplication procedure, is introduced.
      BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
@@ -51,6 +111,40 @@
   *) Add print and set support for Issuing Distribution Point CRL extension.
      [Steve Henson]
 
+ Changes between 0.9.8a and 0.9.8b  [XX xxx XXXX]
+
+  *) Update support for ECC-based TLS ciphersuites according to
+     draft-ietf-tls-ecc-12.txt with proposed changes.
+     [Douglas Stebila]
+
+  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+     opaque EVP_CIPHER_CTX handling.
+     [Steve Henson]
+
+  *) Fixes and enhancements to zlib compression code. We now only use
+     "zlib1.dll" and use the default __cdecl calling convention on Win32
+     to conform with the standards mentioned here:
+           http://www.zlib.net/DLL_FAQ.txt
+     Static zlib linking now works on Windows and the new --with-zlib-include
+     --with-zlib-lib options to Configure can be used to supply the location
+     of the headers and library. Gracefully handle case where zlib library
+     can't be loaded.
+     [Steve Henson]
+
+  *) Several fixes and enhancements to the OID generation code. The old code
+     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+     handle numbers larger than ULONG_MAX, truncated printing and had a
+     non standard OBJ_obj2txt() behaviour.
+     [Steve Henson]
+
+  *) Add support for building of engines under engine/ as shared libraries
+     under VC++ build system.
+     [Steve Henson]
+
+  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+     Hopefully, we will not see any false combination of paths any more.
+     [Richard Levitte]
+
  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
 
   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
@@ -78,7 +172,7 @@
 
   *) Extended Windows CE support.
      [Satoshi Nakamura and Andy Polyakov]
- 
+
   *) Initialize SSL_METHOD structures at compile time instead of during
      runtime, thus removing the need for a lock.
      [Steve Henson]
@@ -977,6 +1071,9 @@
 
  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
 
+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+  OpenSSL 0.9.8.]
+
   *) Fixes for newer kerberos headers. NB: the casts are needed because
      the 'length' field is signed on one version and unsigned on another
      with no (?) obvious way to tell the difference, without these VC++