X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=a5217e48ba0f741211f437d58761ca3ba7a3816c;hp=0b8c558b0670bcb7378ad203aff3cb667329f000;hb=29eed3ddb856ab1804f65d53a673078c7f5ac38d;hpb=09375d12fb684c6991c06b473664a0630b8b2edf diff --git a/CHANGES b/CHANGES index 0b8c558b06..a5217e48ba 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,40 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Add SSL_CIPHER queries for authentication and key-exchange. + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Changes to the DEFAULT cipherlist: + - Prefer (EC)DHE handshakes over plain RSA. + - Prefer AEAD ciphers over legacy ciphers. + - Prefer ECDSA over RSA when both certificates are available. + - Prefer TLSv1.2 ciphers/PRF. + - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the + default cipherlist. + [Emilia Käsper] + + *) Change the ECC default curve list to be this, in order: x25519, + secp256r1, secp521r1, secp384r1. + [Rich Salz] + + *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are + disabled by default. They can be re-enabled using the + enable-weak-ssl-ciphers option to Configure. + [Matt Caswell] + + *) If the server has ALPN configured, but supports no protocols that the + client advertises, send a fatal "no_application_protocol" alert. + This behaviour is SHALL in RFC 7301, though it isn't universally + implemented by other servers. + [Emilia Käsper] + *) Add X25519 support. Integrate support for X25519 into EC library. This includes support for public and private key encoding using the format documented in @@ -858,6 +892,11 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival ] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.