bag of changelog for 3.2.0

LiliumOS · May 29, 2020 · fcd9da3 · fcd9da3
1 parent 60ce6e5
commit fcd9da3
Showing 1 changed file with 52 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -30,6 +30,48 @@ LibreSSL Portable Release Notes:
 
 3.2.0 - Development release
 
+	* Improve length checks in record layer and provide appropritate
+	alerts for for violations of record layer limits.
+
+	* Enforce in the server that SNI hostnames be correctly formed as
+	per RFC 6066 and RFC 5890, responding with illegal paramerter for
+	a nonconformant host name.
+
+	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
+	various commands.
+
+	* Modify io behavior so that SSL_MODE_AUTO_RETRY is the default
+	similar to new OpenSSL releases.
+
+	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
+	retry of handshake messages.
+
+	* Add tlsfuzzer based regression tests.
+
+	* Support sending certificate status replies from the tls13 server
+	  to send ocsp staples for leaf certificates.
+
+	* Send correct alerts when handling failed key share extensions
+	on the TLS 1.3 server.
+
+	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
+	switching from the new to legacy stacks.
+
+	* Support TLS 1.3 options in the openssl(1) command.
+
+	* Enable TLS 1.3 server side in addition to client by default.
+	with this change tls13 is handled entirely on the new stack
+	and state machine, with fallback to the legacy stack and
+	state machine for older versions.
+
+	* Many alert cleanups in TLS 1.3 to provide expected alerts
+	in failure conditions.
+
+	* Modify "openssl x509" to display invalid certificate times as
+	invalid, and correctly deal with the failing return case from
+	x509_time_cmp so that a certificate with an invalid NotAfter does
+	not appear valid.
+
 	* Support sending dummy change_cipher_spec records for middlebox
 	  compatibility.
 
@@ -38,12 +80,21 @@ LibreSSL Portable Release Notes:
 	  corner cases that were dealt with incorrectly. Fixed several
 	  instances of missing or incorrect alerts.
 
+	* Ensure only PSS may be used with RSA in tls 1.3
+
 	* The client must advertise exactly the "null" compression method
 	  in its legacy_compression_field, nothing else.
 
 	* Incorrect use of sockaddr instead of sockaddr_storage in the
 	  s_client could lead to using 14 bytes of stack garbage instead
-	  of an IPv6 address in DTLS mode.
+ 	  of an IPv6 address in DTLS mode.
+
+ 	* Support sending certificate status from the tls13 client to retrieve
+	  ocsp staples for leaf certificates.
+
+	* Support sending certificate status requests from the tls13
+	  client to retrieve ocsp staples for leaf certificates.
+
 
 3.1.2 - Bug fix