version 1.59, 2017/10/06 16:05:50 |
version 1.60, 2017/10/06 17:10:49 |
|
|
|
|
<li>LibreSSL 2.6.3 |
<li>LibreSSL 2.6.3 |
<ul> |
<ul> |
|
<li>Added support for providing CRLs to libtls - once a CRL is provided via |
|
<a href="https://man.openbsd.org/tls_config_set_crl_file.3">tls_config_set_crl_file(3)</a> |
|
or |
|
<a href="https://man.openbsd.org/tls_config_set_crl_mem.3">tls_config_set_crl_mem(3)</a>, |
|
CRL checking is enabled and required for the full certificate chain. |
<li>Reworked TLS certificate name verification code to more strictly |
<li>Reworked TLS certificate name verification code to more strictly |
follow RFC 6125. |
follow RFC 6125. |
<li>Cleaned up and simplified server key exchange EC point handling. |
<li>Cleaned up and simplified server key exchange EC point handling. |
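Review bot: the new CRL entry says checking becomes "enabled and required for the full certificate chain" but does not say what that means for a caller who supplies a CRL covering only part of the chain. Suggest adding a clause that states the outcome in that case, since providing a CRL via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3) changes verification for every certificate in the chain, not just the leaf.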
|
|
<li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken |
<li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken |
CryptoPro clients. |
CryptoPro clients. |
<li>Removed support for the TLS padding extension, which was added as a |
<li>Removed support for the TLS padding extension, which was added as a |
workaround for an old bug in F5's TLS termintation. |
workaround for an old bug in F5's TLS termination. |
<li>Added ability to clamp notafter valies in certificates for systems |
<li>Added ability to clamp notafter valies in certificates for systems |
with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. |
with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. |
<li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites. |
<li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites. |
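Review bot: the typo fix is incomplete. The right-hand side corrects "termintation" to "termination", but the following entry still reads "clamp notafter valies" on both sides. Change it to "notafter values" in the same commit so the 2.6.3 notes need no further spelling pass.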