===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/63.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -c -r1.1 -r1.2
*** www/63.html 2018/03/14 16:34:36 1.1
--- www/63.html 2018/03/16 13:33:30 1.2
***************
*** 63,550 ****
Improved hardware support, including:
! - arm: New rkgrf(4) driver
! for the Rockchip RK3399/RK3288 register file.
!
- arm: New rkclock(4)
! driver for Rockchip RK3399/RK3288 clocks.
!
- arm: New rkpinctrl(4)
! driver for controlling Rockchip RK3399/RK3288 pins.
!
- arm: New rkgpio(4) driver
! for GPIO on Rockchip SoCs.
!
- arm: New rktemp(4) driver
! for Rockchip RK3399 temperature sensors.
!
- arm: New rkiic(4) driver
! for Rockchip RK3399 I2C controllers.
!
- arm: New rkpmic(4) driver
! for the RK808 Power Management IC.
!
- arm: New dwmmc(4) driver
! for Synopsis DesignWare SD/MMC controllers.
!
- arm: New dwdog(4) driver
! for the Synopsys DesignWare watchdog timer.
!
- arm: New dwxe(4) driver
! for the Synopsys DesignWare Ethernet controller.
!
- arm: New sxitwi(4) driver
! for the two-wire bus on Allwinner SoCs.
!
- arm: New axppmic(4)
! driver for the AXP209 I2C PMIC.
!
- arm: New bcmaux(4) driver
! for clocks and interrupts on the auxilliary UART on BCM2835 devices.
!
- arm: New mvmpic(4)
! driver for an interrupt controller on Marvell ARMADA 38x.
!
- arm: New mvpxa(4)
! driver for the SD Host Controller on Marvell ARMADA 38x.
!
- arm: New mvpinctrl(4)
! driver to configure pins on Marvell ARMADA 38x.
!
- arm: New mvneta(4) driver
! the Ethernet controller on Marvell ARMADA 38x.
!
- arm: New amdisplay(4) &
! nxphdmi(4) drivers
! for the Texas Instruments AM335x LCD controller.
!
- octeon: New octcib(4) driver for
! the interrupt bus widget on CN70xx/CN71xx.
!
- octeon: New octcit(4) driver for
! the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
!
- octeon: New octsctl(4) driver
! for the OCTEON SATA controller bridge.
!
- octeon: New octxctl(4) driver
! for the OCTEON USB3 controller bridge.
!
- octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4
! and 6 are now supported.
!
- New hvs(4) driver for
! Hyper-V storage.
!
- New pcxrtc(4) driver for
! the NXP PCF8563 Real Time Clock.
!
- New urng(4) driver for USB
! random number generator devices.
!
- Intel 8265 and 3168 support was added to the
! iwm(4) driver.
!
- RTL8192CE support was added to the
! rtwn(4) driver.
!
- RT5360 support was added to the
! ral(4) driver.
!
- RTS525A support was added to the
! rtsx(4) driver.
!
- The acpibat(4) driver
! now supports _BIX entries from ACPI 4.0.
!
- ACPI hibernate support was added to the
! nvme(4) driver.
!
- Substantially improved ACPI hibernate performance in the
! ahci(4) driver.
!
- The inteldrm(4) driver
! was updated to code based on Linux 4.4.70 - it now supports Skylake,
! Kaby Lake, and Cherryview devices and has better support for Broadwell
! and Valleyview devices.
!
- The puc(4) driver now
! supports ASIX AX99100 devices.
!
- Xen platform support and the
! xbf(4) driver in particular
! have been substantially improved.
!
- The nvme(4) driver now reports
! correct last sector address to SCSI, allowing a valid GPT to be created.
!
- Repair ioapic(4) misconfigurations.
vmm(4)/
vmd(8) improvements:
! - vmctl(8) supports
! paused VM migration and memory snapshotting using send and receive commands.
!
- VPID/ASID reuse/rollover in vmm(4).
!
- SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial
! console redirection).
!
- vmd(8) resets the
! guest VM RTC (real time clock) on host resume from suspend/hibernate
! (OpenBSD guests only).
!
- Allow guest VMs access to AVX/AVX2 host CPU features.
!
- Support for AMD SVM/RVI hosts.
!
- Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g.
! 32GB on amd64 hosts).
!
- Better handling of guest VM MONITOR/MWAIT and HLT instructions.
!
- Various device emulation improvements in vmd(8).
!
- Increase the virtio(4)
! queue size provided by vmd(8) from 64 to 128 entries, to increase performance.
!
- Many fixes to vmctl(8)
! and vmd(8) error handling.
IEEE 802.11 wireless stack improvements:
! - MiRA 802.11n TX rate scaling now supports devices with unequal numbers
! of Tx and Rx streams. Fixes 11n mode for some
! athn(8) devices.
!
- The iwn(8) and
! iwm(8) drivers will now start
! scanning for a new access point if they no longer receive beacons from
! the current AP.
!
- Prefer the 5GHz band over the 2GHz band during access point selection.
!
- Improved debug output in
! dmesg(8) when a wireless
! interface is put into debug mode with
! ifconfig(8).
Generic network stack improvements:
! - Incoming and forwarded IP packets are now processed without
! KERNEL_LOCK, resulting in better performances and reduced latency.
!
- The kernel no longer handles IPv6 Stateless Address
! Autoconfiguration (RFC 4862), allowing cleanup and simplification
! of the IPv6 network stack.
!
- The kernel sends IPv6 router solicitations for link local addresses
! with a link local source address.
!
- FQ-CoDel algorithm has been implemented for use with pf(4) queueing.
!
- Improved IPv6 checks for IPsec policies and made them consistent
! with IPv4.
!
- Refactored local IP delivery to process IPsec packets in a flow and
! avoid enqueueing a second time.
!
- pf(4)
! now inspects AH packets and matches on the inner protocol.
! This makes IPv4 authentication headers work like IPv6.
!
- The length of extension header chains in pf(4) is limited.
! This prevents spending excessive CPU time on crafted packets.
!
- Block IPv6 packets in
! pf(4)
! that have a hop-by-hop options header or a destination options header.
! Such packets can be passed by adding "allow-opts" to the rule.
! This makes IPv6 option handling consistent with IPv4.
!
- If the IPv4 ID gets reused too fast, pf(4) fragment reassembly
! uses a smarter strategy to drop packets.
!
- Enabled the use of per-CPU caches in the network packet allocators.
Installer improvements:
! - The installer now uses the Allotment Routing Table (ART).
!
- A unique kernel is now created by the installer to boot from after
! install/upgrade.
!
- On release installs of architectures supported by syspatch,
! "syspatch -c" is now added to rc.firsttime.
!
- Backwards compatibility code to support the 'rtsol' keyword in
! hostname.if(5)
! has been removed.
!
- The install.site and upgrade.site scripts are now
! executed at the end of the install/upgrade process.
!
- More detailed information is shown to identify disks.
!
- The IPv6 default router selection has been fixed.
!
- On the amd64 platform, AES-NI is used if present.
Routing daemons and other userland network improvements:
! - A new daemon, slaacd(8) handles IPv6
! Stateless Address Autoconfiguration (RFC 4862).
!
- rtadvd(8) now supports
! "Reducing Energy Consumption of Router Advertisements" (RFC 7772).
!
- rtadvd(8) has
! been fixed to quickly handle IPv6 prefix changes on the system.
!
- ipsecctl(8)
! can now show SA bundles and the "bundle" keyword allows them to be
! explicitly created. This avoids confusion as they were previously
! used implicitly.
!
- nc(1)
! now has a -W recvlimit option to terminate netcat after
! receiving the specified number of packets. This allows for a UDP
! request to be sent, a reply to be received and the result checked on
! the command line.
!
- nc(1)
! now has a -Z option, allowing the peer certificate and chain to be
! saved to a file in PEM format.
!
- A new -T tlscompat option was added to
! nc(1), which enables the use
! of all TLS protocols and libtls "compat" ciphers.
!
- Various races have been fixed in
! relayd(8),
! expecially in HTTP chunked mode.
!
- ndp(8) now shows the
! relevant NDP information when run in a non-default routing
! domain.
!
- ifstated(8) now
! copes with interface departures/arrivals.
!
- bgpd(8) can now
! be started multiple times in different
! routing domains,
! this provides virtual router functionality.
Security improvements:
! - A new function
! freezero(3)
! to easily clear and free memory holding sensitive data has been added.
!
- Double free detection has been improved when the F
! malloc(3) option is used.
! The existing S option now includes F.
!
- The TIOCSTI
! tty ioctl has been removed. The I/O-loops in the last two consumers
! csh(1) and
! mail(1)
! were rewritten to cope with the removal.
!
- Trapsleds, a new mitigation that significantly reduces the amount of
! nops in the instruction stream, replacing them with trap instructions
! or jump-over-trap sequences, thereby requiring greater accuracy for
! targetting potential gadgets.
!
- Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o
! files of the kernel to be relinked in a random order, creating a unique
! kernel for each boot. /bsd is now non-readable to users, to try to
! keep the secret.
!
- Like with libc previously,
! rc(8) re-links libcrypto on
! startup, placing the objects in a random order.
!
- In addition to libcrypto, to deter code reuse exploits,
! rc(8) re-links
! ld.so on
! startup, placing the objects in a random order.
!
- If process accounting is activated with
! accton(8),
! the daily mail shows pledge violations and program crashes.
! lastcomm(1)
! uses the flags P and T for such processes.
!
- pflogd(8) uses the
! fork+exec model.
!
- tcpdump(8) uses the
! fork+exec model.
!
- ifstated(8)
! uses pledge(2).
!
- snmpd(8) and
! snmpctl(8) now use
! pledge(2).
!
- Tighter pledge for at(1).
!
- Fixed and simplified pledge logic for
! nc(1).
!
- More application of
! recallocarray(3)
! in userland, and tracked sizes to
! free(9) in the kernel.
!
- Achieve higher levels of paranoia regarding structure packing, and
! clear many kernel objects before passing to userland.
!
- Disable some optimizations in
! clang(1)
! due to incompatibility with security.
!
- For instance, cope with
! clang(1)'s assumption
! that static or const
! objects placed in unknown sections (such as .openbsd.randomdata)
! are surely always 0, and therefore such memory accesses can be
! optimized away.
!
- In kernel, randomly bias down the top-of-stack per kthread.
dhcpd(8)/
dhcrelay(8) improvements:
! - Add support for echo-client-id statement to
! dhcpd.conf(5).
!
- Take greater care to process all data read, and only data read, from the
! bpf(4)
! socket.
!
- Use /dev/bpf instead of /dev/bpf0.
!
- Handle DHCPINFORM messages from clients behind a DHCP relay.
!
- Fix handling of
! carp(4)
! interfaces in
! dhcrelay(8).
!
- Don't stop
! dhcrelay(8)
! logging to stderr when it is started with the -d option.
dhclient(8) improvements:
! - Log messages reworked and clarified, in particular by prefixing
! the name of the relevant network interface.
!
- Treat SSID as 0 to 32 bytes of binary data, not a string.
!
- Use RTM_PROPOSAL to take control of an interface rather than flipping
! interface down and up in the hope that other
! dhclient(8)
! instances notice.
!
- Reduce file operations needed by -L option by opening file at
! startup and using it throughout process lifetime.
!
- Improve resolv.conf(5)
! handling by reducing writes and more reliably determining which interface
! has the current default route.
!
- Take greater care to process all data read, and only data read, from the
! bpf(4)
! socket.
!
- Improve the determination of the link state of an interface.
!
- Decline inappropriate lease offers as soon as they are deemed
! inappropriate.
!
- Drop support for the timestamp formats used in lease files created
! more than four years ago.
!
- Accept an offer from the server that sent the first copy of
! the offer, not the server that sent the last copy.
!
- Don't delete addresses and routes when exiting.
!
- Ensure IPv6 packets are not read from sockets.
!
- Don't silently ignore obsolete keywords in
! dhclient.conf(5).
!
- Reduce memory footprint by shrinking oversized static buffers.
!
- Eliminate repeated socket opens by opening the required sockets during
! startup.
!
- Fix construction of unicast UDP packets, broken in 5.6.
!
- Improve determination of when a renewed lease requires interface
! configuration changes.
!
- Don't exit when addresses are manually added or deleted from an
! interface.
!
- Don't support option 33, classfull IP addresses.
!
- Fix configuration of default routes supplied by classless route options.
!
- Consider
! dhclient.conf(5)
! contents when determining what MTU value to configure.
!
- Consider
! dhclient.conf(5)
! contents when creating the content of
! resolv.conf(5).
!
- Delete direct routes when routes are flushed.
!
- Don't label routes with "DHCLIENT nnnn".
!
- Don't delete addresses or routes that will be immediately added back.
!
- Delete addresses and routes only when a renewal request is NAK'ed.
!
- Don't wait forever for requested information on the default route.
!
- Don't exit when an attempt to send a packet fails.
!
- Don't log a packet send when the send fails.
!
- Remove the -u option, broken since 2013 without complaints.
!
- Use /dev/bpf instead of /dev/bpf0.
Assorted improvements:
! - The i386 and
! amd64
! platforms have switched to using
! clang(1)
! as the base system compiler.
!
- Improved UTF-8 line editing support for
! ksh(1)
! Emacs and Vi input mode.
!
- The HISTFILE of ksh(1) now uses
! a plain text format. Support for the
! HISTCONTROL
! environment variable was added.
!
- The performance of the memory deallocator used by
! ksh(1) has been fixed.
!
- The emacs-usemeta ksh(1)
! flag is no longer needed and is now deprecated.
!
- New futex(2) syscall.
!
- New pthread
! mutex and
! condition
! variable implementations improving latency
! of threaded applications.
!
- New POSIX xlocale
! implementation written from scratch, complete in the sense that
! all POSIX *locale(3) and *_l(3) functions are included, but in
! OpenBSD, we of course only really care about
LC_CTYPE
! and we only support ASCII and UTF-8.
! - Automatic hibernation and suspend by
! apmd
! when battery is low.
!
- New ctfdump(1) and
! ctfconv(1)
! tools to manipulate CTF (Compact C Type Format).
!
- The error handling in
! syslogd(8)
! has been improved.
! Even if internal errors occur, the daemon tries to keep
! unaffected subsystems active.
! So as many messages as possible are logged.
! They can be filtered by severity and facility "syslog".
!
- syslogd(8) can now suppress "last message repeated" which is
! useful for remote logging.
!
- syslogd(8) can listen on multiple TLS sockets.
!
- syslogd(8) closes the *.514 UDP sockets when they are not
! needed.
!
- Truncate log messages at 8192 bytes everywhere.
!
- newsyslog(8)
! now skips and logs invalid config lines.
!
- Nested mount points are umounted in correct order.
!
- Fix creation of
! softraid(4)
! CONCAT volumes.
!
- Include
! softraid(4)
! volume and backing disk information in i/o error messages.
!
- Make
! vioscsi(4)
! a normal
! scsi(4)
! device by eliminating its use of the obsolete XS_NO_CCB mechanism.
!
- Remove last vestiges of now unused XS_NO_CCB mechanism.
!
- Userspace can now get the address of the thread control block
! without a system call on OCTEON II and later.
!
- FPU is enabled on OCTEON III.
!
- GENERIC kernels now include a .SUNW_ctf section containing CTF data.
!
- New ddb(4) kill
! command, send an uncatchable SIGABRT to a process.
!
- New ddb(4) pprint
! command, using CTF information to "pretty print" global symbols.
!
- New ddb(4)
! show struct command, using CTF information to display the content
! of in memory C structures.
!
- x86: ddb(4) uses CTF data
! to display the correct number of function arguments in backtraces.
!
- Power off all codecs in
! azalia(4) to avoid static
! noise in speakers and headphones on reboot.
!
- Fix i386 boot regression seen on very old 486DX CPUs.
!
- New witness(4) tool
! for debugging lock order issues in the kernel.
! The tool is not built in by default, and only amd64, hppa and i386
! are supported.
!
- Modernize some bizzare tty behaviours of getty(8).
!
- Some subtle changes to pledge(2) to satisfy requirements observed
! in real life.
!
- Prefer use of waitpid(2) rather than wait(3) where possible, to
! avoid problems with pre-existing children.
!
- Rewrite swaths of machine-dependent system call stub code in ld.so(1)
! in a more portable fashion.
!
- Per-CPU
! caches implemented in pools.
!
- Mutex,
! condition-variable,
! thread-specific data,
! pthread_once(3),
! and pthread_exit(3)
! routines moved to libc from libpthread for ease of library
! use and compatibility with other OSes.
!
- Added getptmfd(3),
! fdopenpty(3), and
! fdforkpty(3)
! to simplify privilege separation and use of pledge(2).
!
- Improved computational complexity in various cases of
! strstr(3),
! qsort(3),
! and glob(3).
!
- Added support for EV_RECEIPT and EV_DISPATCH to
! kqueue(2).
!
- Added fktrace(2).
OpenSMTPD 6.0.0
! - Fix an off-by-one in the config parser that made 65535 an invalid port.
!
- Fix a fd leak in the session congestion mechanism.
!
- Fix a possible crash when relaying with smtps.
!
- Remove support for the "listen secure" syntax (expicitely define two listeners for tls and smtps instead).
!
- Remove experimental support for filters.
!
- Assorted code and documentation cleanups and improvements.
--- 63,131 ----
Improved hardware support, including:
vmm(4)/
vmd(8) improvements:
IEEE 802.11 wireless stack improvements:
Generic network stack improvements:
Installer improvements:
Routing daemons and other userland network improvements:
Security improvements:
dhcpd(8)/
dhcrelay(8) improvements:
dhclient(8) improvements:
Assorted improvements:
OpenSMTPD 6.0.0
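Review bot: as rendered here, the new side of this hunk (63,131) keeps only the thirteen section headings, from "Improved hardware support, including:" through "OpenSMTPD 6.0.0", and none of the items beneath them; the old side (63,550) spans 488 lines against 69 on the new side, so nearly all of the 6.3 changelog text in this file is gone, including the security items (freezero(3), the malloc F/S option change, the TIOCSTI removal, trapsleds, KARL, the libcrypto/ld.so relinking, the pf(4) extension-header limit, the pledge(2) additions). If these items were moved to another file or template, the commit message should say where; if the removal is intended, the now-empty headings should be dropped as well rather than left dangling. Whichever location the text ends up in, a few typos in the old side are worth fixing on the way: "auxilliary" (auxiliary), "Synopsis DesignWare" (Synopsys, as written for dwdog(4) and dwxe(4)), "expecially" (especially), "targetting" (targeting), "classfull" (classful), "bizzare" (bizarre), "expicitely" (explicitly).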
***************
*** 552,776 ****
- Security:
! - sftp-server(8): in read-only mode, sftp-server was incorrectly
! permitting creation of zero-length files.
- New/changed features:
! - Add RemoteCommand option to specify a command in the
! ssh(1)
! config file instead of giving it on the client's command
! line.
! The feature allows to automate tasks using ssh config.
!
- sshd(8): add ExposeAuthInfo option that enables writing details of
! the authentication methods used (including public keys where
! applicable) to a file that is exposed via a $SSH_USER_AUTH
! environment variable in the subsequent session.
!
- ssh(1): add support for reverse dynamic forwarding. In this mode,
! ssh will act as a SOCKS4/5 proxy and forward connections
! to destinations requested by the remote SOCKS client. This mode
! is requested using extended syntax for the -R and RemoteForward
! options and, because it is implemented solely at the client,
! does not require the server be updated to be supported.
!
- sshd(8): allow LogLevel directive in sshd_config Match blocks.
!
- ssh-keygen(1): allow inclusion of arbitrary string or flag
! certificate extensions and critical options.
!
- ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
! a CA when signing certificates.
!
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
! ToS/DSCP value and just use the operating system default.
!
- ssh-add(1): added -q option to make ssh-add quiet on success.
!
- ssh(1): expand the StrictHostKeyChecking option with two new
! settings. The first "accept-new" will automatically accept
! hitherto-unseen keys but will refuse connections for changed or
! invalid hostkeys. This is a safer subset of the current behaviour
! of StrictHostKeyChecking=no. The second setting "off", is a synonym
! for the current behaviour of StrictHostKeyChecking=no: accept new
! host keys, and continue connection for hosts with incorrect
! hostkeys. A future release will change the meaning of
! StrictHostKeyChecking=no to the behaviour of "accept-new".
!
- ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
! option in sshd(8).
- The following significant bugs have been fixed in this release:
! - ssh(1): use HostKeyAlias if specified instead of hostname for
! matching host certificate principal names.
!
- sftp(1): implement sorting for globbed ls.
!
- ssh(1): add a user@host prefix to client's "Permission denied"
! messages, useful in particular when using "stacked" connections
! (e.g. ssh -J) where it's not clear which host is denying.
!
- ssh(1): accept unknown EXT_INFO extension values that contain \0
! characters. These are legal, but would previously cause fatal
! connection errors if received.
!
- ssh(1)/sshd(8): repair compression statistics printed at
! connection exit.
!
- sftp(1): print '?' instead of incorrect link count (that the
! protocol doesn't provide) for remote listings.
!
- ssh(1): return failure rather than fatal() for more cases during
! session multiplexing negotiations. Causes the session to fall back
! to a non-mux connection if they occur.
!
- ssh(1): mention that the server may send debug messages to explain
! public key authentication problems under some circumstances.
!
- Translate OpenSSL error codes to better report incorrect passphrase
! errors when loading private keys.
!
- sshd(8): adjust compatibility patterns for WinSCP to correctly
! identify versions that implement only the legacy DH group exchange
! scheme.
!
- ssh(1): print the "Killed by signal 1" message only at LogLevel
! verbose so that it is not shown at the default level; prevents it
! from appearing during ssh -J and equivalent ProxyCommand configs.
!
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
! existing keys if they exist but are zero length. zero-length keys
! could previously be made if ssh-keygen failed or was interrupted part
! way through generating them.
!
- ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
! place the current session in the background.
!
- ssh-keyscan(1): avoid double-close() on file descriptors.
!
- sshd(8): avoid reliance on shared use of pointers shared between
! monitor and child sshd processes.
!
- sshd_config(8): document available AuthenticationMethods.
!
- ssh(1): avoid truncation in some login prompts.
!
- ssh(1): make "--" before the hostname terminate argument processing
! after the hostname too.
!
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
! new-style private keys. Fixes problems related to private key
! handling for no-OpenSSL builds.
!
- ssh(1): warn and do not attempt to use keys when the public and
! private halves do not match.
!
- sftp(1): don't print verbose error message when ssh disconnects
! from under sftp.
!
- sshd(8): fix keepalive scheduling problem: activity on a forwarded
! port from preventing the keepalive from being sent.
!
- sshd(8): when started without root privileges, don't require the
! privilege separation user or path to exist. Makes running the
! regression tests easier without touching the filesystem.
!
- Make integrity.sh regression tests more robust against timeouts.
!
- ssh(1)/sshd(8): correctness fix for channels implementation: accept
! channel IDs greater than 0x7FFFFFFF.
LibreSSL 2.6.3
! - Added support for providing CRLs to libtls - once a CRL is provided via
! tls_config_set_crl_file(3)
! or
! tls_config_set_crl_mem(3),
! CRL checking is enabled and required for the full certificate chain.
!
- Reworked TLS certificate name verification code to more strictly
! follow RFC 6125.
!
- Cleaned up and simplified server key exchange EC point handling.
!
- Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
! simplified BIO_get_host_ip() and BIO_accept().
!
- Added definitions for three OIDs used in EV certificates.
!
- Relaxed SNI validation to allow non-RFC-compliant clients using literal
! IP addresses with SNI to connect to a libtls-based TLS server.
!
- Added tls_peer_cert_chain_pem() to libtls, useful in private certificate
! validation callbacks such as those in relayd.
!
- Converted explicit clear/free sequences to use
! freezero(3).
!
- Fixed the
! openssl(1)
! ca command so that it generates certificates with RFC 5280-conformant time.
!
- Added
! ASN1_TIME_set_tm(3)
! to set an ASN.1 time from a struct tm *.
!
- Added
! SSL{,_CTX}_set_{min,max}_proto_version(3)
! functions.
!
- Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
!
- Provided a
! tls_unload_file(3)
! function that frees the memory returned from a
! tls_load_file(3)
! call, ensuring that the contents become inaccessible.
!
- Implemented reference counting for libtls tls_config, allowing
! tls_config_free(3)
! to be called as soon as it has been passed to the final
! tls_configure(3)
! call, simplifying lifetime tracking for the application.
!
- Dropped cipher suites using DSS authentication.
!
- Removed support for DSS/DSA from libssl.
!
- Distinguish between self-issued certificates and self-signed
! certificates. The certificate verification code has special cases
! for self-signed certificates and without this change, self-issued
! certificates (which it seems are common place with
! openvpn/easyrsa) were also being included in this category.
!
- Added a new TLS extension handling framework and converted all
! TLS extensions to use it.
!
- Improved and added many new manpages. Updated
! SSL_{CTX_,}check_private_key(3)
! manpages with additional cautions regarding their use.
!
- Cleaned up and simplified EC key/curve configuration handling.
!
- Added
! tls_config_set_ecdhecurves(3)
! to libtls, which allows the names of the elliptical curves that may
! be used during client and server key exchange to be specified.
!
- Converted more code paths to use CBB/CBS.
!
- Removed NPN support - NPN was never standardised and the last draft
! expired in October 2012.
!
- Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
! CryptoPro clients.
!
- Removed support for the TLS padding extension, which was added as a
! workaround for an old bug in F5's TLS termination.
!
- Added ability to clamp notafter values in certificates for systems
! with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
!
- Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
!
- Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
!
- Provide a useful error with libtls if there are no OCSP URLs in a
! peer certificate.
!
- Keep track of which keypair is in use by a TLS context, fixing a bug
! where a TLS server with SNI would only return the OCSP staple for the
! default keypair.
!
- If
! tls_config_parse_protocols(3)
! is called with a NULL pointer it now
! returns the default protocols.
mandoc 1.14.3
! - Full mandoc.db(5)
! databases are now enabled by default, allowing semantic searching
! with apropos(1)
! without any local configuration changes.
!
- Full integration of the former
! mdoclint(1)
! utility into mandoc(1)
!
-Wall
, new -Wstyle
and
! -Wopenbsd
message levels, and many new messages,
! for example about typos in .Sh
lines,
! unknown .Xr
targets, and links to self.
! - Additional steps unifying the
! mdoc(7),
! man(7), and
! roff(7) parsers:
! use one common data type and
! ohash_init(3)
! for all requests and macros and support creation of syntax tree
! nodes in the roff(7) parser, allowing support for many new
! low-level roff(7) features.
! Only about 25 ports still need
USE_GROFF
now.
! - Many improvements to
! tbl(7)
! parsing and formatting,
! including automatic line wrapping inside table columns.
!
- Many improvements to
! eqn(7)
! parsing and formatting, including better font selection,
! recognition of well-known mathematical function names, and writing
! of
<mn>
and <mo>
HTML tags.
! - Intelligible rendering of mathematical symbols in
!
-Tascii
output.
! - Several parsing and rendering improvements for the
! mdoc(7)
!
.Lk
macro.
! - Some CSS improvements in HTML output, in particular for the
! mdoc(7)
!
.Bl
macro.
--- 133,160 ----
- Security:
- New/changed features:
- The following significant bugs have been fixed in this release:
LibreSSL 2.6.3
mandoc 1.14.3
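Review bot: same pattern as the first hunk: the new side (133,160) shows only the OpenSSH subsection headings ("Security:", "New/changed features:", "The following significant bugs have been fixed in this release:") plus "LibreSSL 2.6.3" and "mandoc 1.14.3", while the old side (552,776) carried all the items, 225 lines down to 28. The removed text includes the only security-fix entries for the bundled components (sftp-server(8) read-only mode permitting zero-length file creation; libtls CRL checking via tls_config_set_crl_file(3)/tls_config_set_crl_mem(3); the StrictHostKeyChecking "accept-new"/"off" settings), so please confirm in the commit message whether this content was relocated or deleted. Note also that the OpenSSH subsection begins at "- Security:" with no parent version heading visible inside the hunk, so whoever reworks this section should check that the heading above line 552 still matches. If the text is kept anywhere, "elliptical curves" in the tls_config_set_ecdhecurves(3) item should read "elliptic curves" and "common place" should be "commonplace".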