===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- www/62.html 2017/10/06 14:34:35 1.57
+++ www/62.html 2017/10/06 15:59:44 1.58
@@ -192,6 +192,12 @@
receiving a number of packets.
This allows to send a UDP request, receive a reply and check
the result on the command line.
+
nc(1)
+ now has a -Z option, allowing the peer certificate and chain to be
+ saved to a file in PEM format.
+ A new "-T tlscompat" option was added to
+ nc(1), which enables the use
+ of all TLS protocols and libtls "compat" ciphers.
Fix a bunch of races in
relayd(8)
expecially in HTTP chunked mode.
@@ -546,9 +552,77 @@
-
LibreSSL X.X.X
+LibreSSL 2.6.3
- - ...
+
- Reworked TLS certificate name verification code to more strictly
+ follow RFC 6125.
+
- Cleaned up and simplified server key exchange EC point handling.
+
- Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
+ simplified BIO_get_host_ip() and BIO_accept().
+
- Added definitions for three OIDs used in EV certificates.
+
- Relaxed SNI validation to allow non-RFC-compliant clients using literal
+ IP addresses with SNI to connect to a libtls-based TLS server.
+
- Added tls_peer_cert_chain_pem() to libtls, useful in private certificate
+ validation callbacks such as those in relayd.
+
- Converted explicit clear/free sequences to use
+ freezero(3).
+
- Fixed the
+ openssl(1)
+ ca command so that is generates certificates with RFC 5280-conformant time.
+
- Added
+ ASN1_TIME_set_tm(3)
+ to set an ASN.1 time from a struct tm *.
+
- Added
+ SSL{,_CTX}_set_{min,max}_proto_version(3)
+ functions.
+
- Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
+
- Provided a
+ tls_unload_file(3)
+ function that frees the memory returned from a
+ tls_load_file(3)
+ call, ensuring that it the contents become inaccessible.
+
- Implemented reference counting for libtls tls_config, allowing
+ tls_config_free(3)
+ to be called as soon as it has been passed to the final
+ tls_configure(3)
+ call, simplifying lifetime tracking for the application.
+
- Dropped cipher suites using DSS authentication.
+
- Removed support for DSS/DSA from libssl.
+
- Distinguish between self-issued certificates and self-signed
+ certificates. The certificate verification code has special cases
+ for self-signed certificates and without this change, self-issued
+ certificates (which it seems are common place with
+ openvpn/easyrsa) were also being included in this category.
+
- Added a new TLS extension handling framework and converted all
+ TLS extensions to use it.
+
- Improved and added many new manpages. Updated
+ SSL_{CTX_,}check_private_key(3)
+ manpages with additional cautions regarding their use.
+
- Cleaned up and simplified EC key/curve configuration handling.
+
- Added
+ tls_config_set_ecdhecurves(3)
+ to libtls, which allows the names of the elliptical curves that may
+ be used during client and server key exchange to be specified.
+
- Converted more code paths to use CBB/CBS.
+
- Removed NPN support - NPN was never standardised and the last draft
+ expired in October 2012.
+
- Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
+ CryptoPro clients.
+
- Removed support for the TLS padding extension, which was added as a
+ workaround for an old bug in F5's TLS termintation.
+
- Added ability to clamp notafter valies in certificates for systems
+ with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
+
- Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
+
- Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
+
- Provide a useful error with libtls if there are no OCSP URLs in a
+ peer certificate.
+
- Keep track of which keypair is in use by a TLS context, fixing a bug
+ where a TLS server with SNI would only return the OCSP staple for the
+ default keypair.
+
- If
+ tls_config_parse_protocols(3)
+ is called with a NULL pointer it now
+ returns the default protocols.