===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.59
retrieving revision 1.60
diff -c -r1.59 -r1.60
*** www/62.html	2017/10/06 16:05:50	1.59
--- www/62.html	2017/10/06 17:10:49	1.60
***************
*** 556,561 ****
--- 556,566 ----
  
  <li>LibreSSL 2.6.3
      <ul>
+     <li>Added support for providing CRLs to libtls - once a CRL is provided via
+ 	<a href="https://man.openbsd.org/tls_config_set_crl_file.3">tls_config_set_crl_file(3)</a>
+         or
+ 	<a href="https://man.openbsd.org/tls_config_set_crl_mem.3">tls_config_set_crl_mem(3)</a>,
+         CRL checking is enabled and required for the full certificate chain.
      <li>Reworked TLS certificate name verification code to more strictly
          follow RFC 6125.
      <li>Cleaned up and simplified server key exchange EC point handling.
***************
*** 611,617 ****
      <li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
          CryptoPro clients.
      <li>Removed support for the TLS padding extension, which was added as a
!         workaround for an old bug in F5's TLS termintation.
      <li>Added ability to clamp notafter valies in certificates for systems
          with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
      <li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
--- 616,622 ----
      <li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
          CryptoPro clients.
      <li>Removed support for the TLS padding extension, which was added as a
!         workaround for an old bug in F5's TLS termination.
      <li>Added ability to clamp notafter valies in certificates for systems
          with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
      <li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites.