=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v retrieving revision 1.57 retrieving revision 1.58 diff -c -r1.57 -r1.58 *** www/62.html 2017/10/06 14:34:35 1.57 --- www/62.html 2017/10/06 15:59:44 1.58 *************** *** 192,197 **** --- 192,203 ---- receiving a number of packets. This allows to send a UDP request, receive a reply and check the result on the command line. +

nc(1) + now has a -Z option, allowing the peer certificate and chain to be + saved to a file in PEM format. +

A new "-T tlscompat" option was added to + nc(1), which enables the use + of all TLS protocols and libtls "compat" ciphers.

Fix a bunch of races in relayd(8) expecially in HTTP chunked mode. *************** *** 546,554 ****

LibreSSL X.X.X

--- 552,628 ----

LibreSSL 2.6.3

Reworked TLS certificate name verification code to more strictly ! follow RFC 6125. !
Cleaned up and simplified server key exchange EC point handling. !
Removed inconsistent IPv6 handling from BIO_get_accept_socket(), ! simplified BIO_get_host_ip() and BIO_accept(). !
Added definitions for three OIDs used in EV certificates. !
Relaxed SNI validation to allow non-RFC-compliant clients using literal ! IP addresses with SNI to connect to a libtls-based TLS server. !
Added tls_peer_cert_chain_pem() to libtls, useful in private certificate ! validation callbacks such as those in relayd. !
Converted explicit clear/free sequences to use ! freezero(3). !
Fixed the ! openssl(1) ! ca command so that is generates certificates with RFC 5280-conformant time. !
Added ! ASN1_TIME_set_tm(3) ! to set an ASN.1 time from a struct tm *. !
Added ! SSL{,_CTX}_set_{min,max}_proto_version(3) ! functions. !
Imported HKDF (HMAC Key Derivation Function) from BoringSSL. !
Provided a ! tls_unload_file(3) ! function that frees the memory returned from a ! tls_load_file(3) ! call, ensuring that it the contents become inaccessible. !
Implemented reference counting for libtls tls_config, allowing ! tls_config_free(3) ! to be called as soon as it has been passed to the final ! tls_configure(3) ! call, simplifying lifetime tracking for the application. !
Dropped cipher suites using DSS authentication. !
Removed support for DSS/DSA from libssl. !
Distinguish between self-issued certificates and self-signed ! certificates. The certificate verification code has special cases ! for self-signed certificates and without this change, self-issued ! certificates (which it seems are common place with ! openvpn/easyrsa) were also being included in this category. !
Added a new TLS extension handling framework and converted all ! TLS extensions to use it. !
Improved and added many new manpages. Updated ! SSL_{CTX_,}check_private_key(3) ! manpages with additional cautions regarding their use. !
Cleaned up and simplified EC key/curve configuration handling. !
Added ! tls_config_set_ecdhecurves(3) ! to libtls, which allows the names of the elliptical curves that may ! be used during client and server key exchange to be specified. !
Converted more code paths to use CBB/CBS. !
Removed NPN support - NPN was never standardised and the last draft ! expired in October 2012. !
Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken ! CryptoPro clients. !
Removed support for the TLS padding extension, which was added as a ! workaround for an old bug in F5's TLS termintation. !
Added ability to clamp notafter valies in certificates for systems ! with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. !
Removed the original (pre-IETF) chacha20-poly1305 cipher suites. !
Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. !
Provide a useful error with libtls if there are no OCSP URLs in a ! peer certificate. !
Keep track of which keypair is in use by a TLS context, fixing a bug ! where a TLS server with SNI would only return the OCSP staple for the ! default keypair. !
If ! tls_config_parse_protocols(3) ! is called with a NULL pointer it now ! returns the default protocols.