===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.57
retrieving revision 1.58
diff -c -r1.57 -r1.58
*** www/62.html 2017/10/06 14:34:35 1.57
--- www/62.html 2017/10/06 15:59:44 1.58
***************
*** 192,197 ****
--- 192,203 ----
receiving a number of packets.
This allows to send a UDP request, receive a reply and check
the result on the command line.
+
nc(1)
+ now has a -Z option, allowing the peer certificate and chain to be
+ saved to a file in PEM format.
+ A new "-T tlscompat" option was added to
+ nc(1), which enables the use
+ of all TLS protocols and libtls "compat" ciphers.
Fix a bunch of races in
relayd(8)
expecially in HTTP chunked mode.
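Review bot: the added "-T tlscompat" sentence (the last three + lines) describes the option only as enabling "all TLS protocols and libtls 'compat' ciphers" without saying what that means for the default posture; since it widens the protocol and cipher set beyond the libtls defaults, the note would be clearer if it said this is an interoperability option for talking to legacy peers rather than something to enable routinely, e.g. "A new "-T tlscompat" option was added to nc(1) for connecting to legacy peers; it enables all TLS protocols and the libtls "compat" ciphers." The new "-Z" sentence is fine, though it could say the file holds the peer's certificate followed by its chain, as that is the order a reader will want to know before feeding the file to another tool. While in this region, the unchanged context lines "This allows to send a UDP request" and "expecially in HTTP chunked mode" carry a grammar slip and a typo ("allows sending", "especially") that could be fixed in the same commit.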
***************
*** 546,554 ****
!
LibreSSL X.X.X
--- 552,628 ----
!
LibreSSL 2.6.3
! - Reworked TLS certificate name verification code to more strictly
! follow RFC 6125.
!
- Cleaned up and simplified server key exchange EC point handling.
!
- Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
! simplified BIO_get_host_ip() and BIO_accept().
!
- Added definitions for three OIDs used in EV certificates.
!
- Relaxed SNI validation to allow non-RFC-compliant clients using literal
! IP addresses with SNI to connect to a libtls-based TLS server.
!
- Added tls_peer_cert_chain_pem() to libtls, useful in private certificate
! validation callbacks such as those in relayd.
!
- Converted explicit clear/free sequences to use
! freezero(3).
!
- Fixed the
! openssl(1)
! ca command so that is generates certificates with RFC 5280-conformant time.
!
- Added
! ASN1_TIME_set_tm(3)
! to set an ASN.1 time from a struct tm *.
!
- Added
! SSL{,_CTX}_set_{min,max}_proto_version(3)
! functions.
!
- Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
!
- Provided a
! tls_unload_file(3)
! function that frees the memory returned from a
! tls_load_file(3)
! call, ensuring that it the contents become inaccessible.
!
- Implemented reference counting for libtls tls_config, allowing
! tls_config_free(3)
! to be called as soon as it has been passed to the final
! tls_configure(3)
! call, simplifying lifetime tracking for the application.
!
- Dropped cipher suites using DSS authentication.
!
- Removed support for DSS/DSA from libssl.
!
- Distinguish between self-issued certificates and self-signed
! certificates. The certificate verification code has special cases
! for self-signed certificates and without this change, self-issued
! certificates (which it seems are common place with
! openvpn/easyrsa) were also being included in this category.
!
- Added a new TLS extension handling framework and converted all
! TLS extensions to use it.
!
- Improved and added many new manpages. Updated
! SSL_{CTX_,}check_private_key(3)
! manpages with additional cautions regarding their use.
!
- Cleaned up and simplified EC key/curve configuration handling.
!
- Added
! tls_config_set_ecdhecurves(3)
! to libtls, which allows the names of the elliptical curves that may
! be used during client and server key exchange to be specified.
!
- Converted more code paths to use CBB/CBS.
!
- Removed NPN support - NPN was never standardised and the last draft
! expired in October 2012.
!
- Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
! CryptoPro clients.
!
- Removed support for the TLS padding extension, which was added as a
! workaround for an old bug in F5's TLS termintation.
!
- Added ability to clamp notafter valies in certificates for systems
! with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
!
- Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
!
- Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
!
- Provide a useful error with libtls if there are no OCSP URLs in a
! peer certificate.
!
- Keep track of which keypair is in use by a TLS context, fixing a bug
! where a TLS server with SNI would only return the OCSP staple for the
! default keypair.
!
- If
! tls_config_parse_protocols(3)
! is called with a NULL pointer it now
! returns the default protocols.
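Review bot: several of the new ! lines carry typos that should be fixed before this goes on the release page: "ca command so that is generates certificates" should read "so that it generates", "ensuring that it the contents become inaccessible" has a stray "it", and "F5's TLS termintation" should be "termination"; likewise "clamp notafter valies" should be "values", "elliptical curves" should be "elliptic curves", and "common place" should be one word. The list also mixes tenses: most items are past tense ("Reworked", "Removed", "Added") but "Distinguish between self-issued certificates", "Provide a useful error", and "Keep track of which keypair" are imperative, so these three should become "Distinguished", "Provided", and "Kept track". The HKDF expansion "HMAC Key Derivation Function" is loose; RFC 5869 names it the HMAC-based Extract-and-Expand Key Derivation Function, and the entry should either use that name or just say "Imported HKDF (RFC 5869) from BoringSSL". Finally, the SNI item says validation was "relaxed" to accept literal IP addresses from non-RFC-compliant clients but does not say what a libtls server now does with such a name; one clause stating whether the literal IP is matched against the certificate or simply ignored would save operators from guessing about the security effect of the change.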