mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
Harmonize CHANGES in HEAD.
This commit is contained in:
parent
be0d31b166
commit
0e1f390bad
120
CHANGES
120
CHANGES
@ -2,7 +2,7 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
|
||||
Changes between 1.0.x and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) New Suite B modes for TLS code. These use and enforce the requirements
|
||||
of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
|
||||
@ -107,57 +107,6 @@
|
||||
certificates.
|
||||
[Steve Henson]
|
||||
|
||||
*) RFC 5878 support.
|
||||
[Emilia Kasper, Adam Langley, Ben Laurie (Google)]
|
||||
|
||||
*) Support for automatic EC temporary key parameter selection. If enabled
|
||||
the most preferred EC parameters are automatically used instead of
|
||||
hardcoded fixed parameters. Now a server just has to call:
|
||||
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
|
||||
support ECDH and use the most appropriate parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Enhance and tidy EC curve and point format TLS extension code. Use
|
||||
static structures instead of allocation if default values are used.
|
||||
New ctrls to set curves we wish to support and to retrieve shared curves.
|
||||
Print out shared curves in s_server. New options to s_server and s_client
|
||||
to set list of supported curves.
|
||||
[Steve Henson]
|
||||
|
||||
*) New ctrls to retrieve supported signature algorithms and
|
||||
supported curve values as an array of NIDs. Extend openssl utility
|
||||
to print out received values.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
|
||||
between NIDs and the more common NIST names such as "P-256". Enhance
|
||||
ecparam utility and ECC method to recognise the NIST names for curves.
|
||||
[Steve Henson]
|
||||
|
||||
*) Enhance SSL/TLS certificate chain handling to support different
|
||||
chains for each certificate instead of one chain in the parent SSL_CTX.
|
||||
[Steve Henson]
|
||||
|
||||
*) Support for fixed DH ciphersuite client authentication: where both
|
||||
server and client use DH certificates with common parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Support for fixed DH ciphersuites: those requiring DH server
|
||||
certificates.
|
||||
[Steve Henson]
|
||||
|
||||
*) Transparently support X9.42 DH parameters when calling
|
||||
PEM_read_bio_DHparameters. This means existing applications can handle
|
||||
the new parameter format automatically.
|
||||
[Steve Henson]
|
||||
|
||||
*) Initial experimental support for X9.42 DH parameter format: mainly
|
||||
to support use of 'q' parameter for RFC5114 parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add DH parameters from RFC5114 including test data to dhtest.
|
||||
[Steve Henson]
|
||||
|
||||
*) Update fips_test_suite to support multiple command line options. New
|
||||
test to induce all self test errors in sequence and check expected
|
||||
failures.
|
||||
@ -395,6 +344,69 @@
|
||||
whose return value is often ignored.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
|
||||
|
||||
*) Support for linux-x32, ILP32 environment in x86_64 framework.
|
||||
[Andy Polyakov]
|
||||
|
||||
*) RFC 5878 support.
|
||||
[Emilia Kasper, Adam Langley, Ben Laurie (Google)]
|
||||
|
||||
*) Experimental multi-implementation support for FIPS capable OpenSSL.
|
||||
When in FIPS mode the approved implementations are used as normal,
|
||||
when not in FIPS mode the internal unapproved versions are used instead.
|
||||
This means that the FIPS capable OpenSSL isn't forced to use the
|
||||
(often lower perfomance) FIPS implementations outside FIPS mode.
|
||||
[Steve Henson]
|
||||
|
||||
*) Transparently support X9.42 DH parameters when calling
|
||||
PEM_read_bio_DHparameters. This means existing applications can handle
|
||||
the new parameter format automatically.
|
||||
[Steve Henson]
|
||||
|
||||
*) Initial experimental support for X9.42 DH parameter format: mainly
|
||||
to support use of 'q' parameter for RFC5114 parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add DH parameters from RFC5114 including test data to dhtest.
|
||||
[Steve Henson]
|
||||
|
||||
*) Support for automatic EC temporary key parameter selection. If enabled
|
||||
the most preferred EC parameters are automatically used instead of
|
||||
hardcoded fixed parameters. Now a server just has to call:
|
||||
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
|
||||
support ECDH and use the most appropriate parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Enhance and tidy EC curve and point format TLS extension code. Use
|
||||
static structures instead of allocation if default values are used.
|
||||
New ctrls to set curves we wish to support and to retrieve shared curves.
|
||||
Print out shared curves in s_server. New options to s_server and s_client
|
||||
to set list of supported curves.
|
||||
[Steve Henson]
|
||||
|
||||
*) New ctrls to retrieve supported signature algorithms and
|
||||
supported curve values as an array of NIDs. Extend openssl utility
|
||||
to print out received values.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
|
||||
between NIDs and the more common NIST names such as "P-256". Enhance
|
||||
ecparam utility and ECC method to recognise the NIST names for curves.
|
||||
[Steve Henson]
|
||||
|
||||
*) Enhance SSL/TLS certificate chain handling to support different
|
||||
chains for each certificate instead of one chain in the parent SSL_CTX.
|
||||
[Steve Henson]
|
||||
|
||||
*) Support for fixed DH ciphersuite client authentication: where both
|
||||
server and client use DH certificates with common parameters.
|
||||
[Steve Henson]
|
||||
|
||||
*) Support for fixed DH ciphersuites: those requiring DH server
|
||||
certificates.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
|
||||
|
||||
*) Fix possible deadlock when decoding public keys.
|
||||
@ -489,10 +501,6 @@
|
||||
the correct format in RSA_verify so both forms transparently work.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
|
||||
STRING form instead of a DigestInfo.
|
||||
[Steve Henson]
|
||||
|
||||
*) Some servers which support TLS 1.0 can choke if we initially indicate
|
||||
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
|
||||
encrypted premaster secret. As a workaround use the maximum pemitted
|
||||
|
Loading…
Reference in New Issue
Block a user