X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=8f1baae41834a6710bb69bcbcceb27d35368158a;hp=2bd941825e110e29a54b52d8c3ae95947bfdbbea;hb=484f8762352351598ffab55be6e6612891c291b7;hpb=0e05b51fe5eecb9cf6801636b3eca48d2cfef80f diff --git a/CHANGES b/CHANGES index 2bd941825e..8f1baae418 100644 --- a/CHANGES +++ b/CHANGES 
@@ -4,6 +4,71 @@ Changes between 1.0.1 and 1.0.2 [xx XXX xxxx] + *) Add new "valid_flags" field to CERT_PKEY structure which determines what + the certificate can be used for (if anything). Set valid_flags field + in new tls1_check_chain function. Simplify ssl_set_cert_masks which used + to have similar checks in it. + + Add new "cert_flags" field to CERT structure and include a "strict mode". + This enforces some TLS certificate requirements (such as only permitting + certificate signature algorithms contained in the supported algorithms + extension) which some implementations ignore: this option should be used + with caution as it could cause interoperability issues. + [Steve Henson] + + *) Update and tidy signature algorithm extension processing. Work out + shared signature algorithms based on preferences and peer algorithms + and print them out in s_client and s_server. Abort handshake if no + shared signature algorithms. + [Steve Henson] + + *) Add new functions to allow customised supported signature algorithms + for SSL and SSL_CTX structures. Add options to s_client and s_server + to support them. + [Steve Henson] + + *) New function SSL_certs_clear() to delete all references to certificates + from an SSL structure. Before this once a certificate had been added + it couldn't be removed. + [Steve Henson] + + *) Integrate hostname, email address and IP address checking with certificate + verification. New verify options supporting checking in opensl utility. + [Steve Henson] + + *) Fixes and wildcard matching support to hostname and email checking + functions. Add manual page. + [Florian Weimer (Red Hat Product Security Team)] + + *) New functions to check a hostname email or IP address against a + certificate. Add options x509 utility to print results of checks against + a certificate. + [Steve Henson] + + *) Fix OCSP checking. 
+ [Rob Stradling and Ben Laurie] + + *) Backport support for partial chain verification: if an intermediate + certificate is explicitly trusted (using -addtrust option to x509 + utility for example) the verification is sucessful even if the chain + is not complete. + The OCSP checking fix depends on this backport. + [Steve Henson and Rob Stradling ] + + *) Add -trusted_first option which attempts to find certificates in the + trusted store even if an untrusted chain is also supplied. + [Steve Henson] + + *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE, + platform support for Linux and Android. + [Andy Polyakov] + + *) Call OCSP Stapling callback after ciphersuite has been chosen, so + the right response is stapled. Also change current certificate to + the certificate actually sent. + See http://rt.openssl.org/Ticket/Display.html?id=2836. + [Rob Stradling ] + *) Support for linux-x32, ILP32 environment in x86_64 framework. [Andy Polyakov] @@ -67,6 +132,9 @@ Changes between 1.0.1c and 1.0.1d [xx XXX xxxx] + *) Make openssl verify return errors. + [Chris Palmer and Ben Laurie] + *) Fix possible deadlock when decoding public keys. [Steve Henson]
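Review bot: in the first hunk (the 1.0.1/1.0.2 block), the entry "Fix OCSP checking." says nothing about what was broken or which code path changed, yet the partial-chain entry two items below states "The OCSP checking fix depends on this backport."; expand the OCSP entry to say what failed and what callers should expect now, and keep the two entries adjacent so the dependency is readable. The "strict mode" entry warns that it "could cause interoperability issues" without saying how it is enabled; name the flag or option in the entry so a reader can find and audit its use. Same hunk, spelling and whitespace: "New verify options supporting checking in opensl utility" should read "openssl utility", "the verification is sucessful" should read "successful", and the trailing spaces inside "[Steve Henson and Rob Stradling ]" and "[Rob Stradling ]" should be removed to match the other attribution lines.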
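Review bot: in the second hunk (the 1.0.1c/1.0.1d block), "Make openssl verify return errors." is too vague for a behaviour change that scripts key on: state explicitly that the verify command now exits with a non-zero status when verification fails (and what it did before), since anything that wraps openssl verify and checks its exit code will see different results after this change.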