X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=f37e3d7ec640f48c26fbec3ded715898633cf5c2;hb=3b0648ebc9fb2f27ccd0cb61f290911bbf0f482a;hp=8759585721e7ea6516de3d8427ad9a8baaa71ea7;hpb=b7bfe69b665e0215daf7715adddd7fc7a4b2b63e;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index 8759585721..f37e3d7ec6 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,38 @@ Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] + *) New chain verification flags for Suite B levels of security. Check + algorithms are acceptable when flags are set in X509_verify_cert. + [Steve Henson] + + *) Make tls1_check_chain return a set of flags indicating checks passed + by a certificate chain. Add additional tests to handle client + certificates: checks for matching certificate type and issuer name + comparison. + [Steve Henson] + + *) If an attempt is made to use a signature algorithm not in the peer + preference list abort the handshake. If client has no suitable + signature algorithms in response to a certificate request do not + use the certificate. + [Steve Henson] + + *) If server EC tmp key is not in client preference list abort handshake. + [Steve Henson] + + *) Add support for certificate stores in CERT structure. This makes it + possible to have different stores per SSL structure or one store in + the parent SSL_CTX. Include distint stores for certificate chain + verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN + to build and store a certificate chain in CERT structure: returing + an error if the chain cannot be built: this will allow applications + to test if a chain is correctly configured. + + Note: if the CERT based stores are not set then the parent SSL_CTX + store is used to retain compatibility with existing behaviour. + + [Steve Henson] + *) New function ssl_set_client_disabled to set a ciphersuite disabled mask based on the current session, check mask when sending client hello and checking the requested ciphersuite.