min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
boring2/CHANGELOG.md

8.4 KiB
Raw Blame History

Change Log

Unreleased

v0.10.7 - 2018-04-30

Added

  • Added X509Req::public_key and X509Req::extensions.
  • Added RsaPrivateKeyBuilder to allow control over initialization of optional components of an RSA private key.
  • Added DER encode/decode support to SslSession.
  • openssl-sys now provides the OPENSSL_VERSION_NUMBER and OPENSSL_LIBRESSL_VERSION_NUMBER environment variables to downstream build scripts which contains the hex-encoded version number of the OpenSSL or LibreSSL distribution being built against. The other variables are deprecated.

v0.10.6 - 2018-03-05

Added

  • Added SslOptions::ENABLE_MIDDLEBOX_COMPAT.
  • Added more Sync and Send implementations.
  • Added PKeyRef::id.
  • Added Padding::PKCS1_PSS.
  • Added Signer::set_rsa_pss_saltlen, Signer::set_rsa_mgf1_md, Signer::set_rsa_pss_saltlen, and Signer::set_rsa_mgf1_md
  • Added X509StoreContextRef::verify to directly verify certificates.
  • Added low level ECDSA support.
  • Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only)
  • Added AES-CCM support.
  • Added EcKey::from_private_components.
  • Added CMAC support.
  • Added support for LibreSSL 2.7.
  • Added X509Ref::serial_number.
  • Added Asn1IntegerRef::to_bn.
  • Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only)

Changed

  • The Cargo features previously used to gate access to version-specific OpenSSL APIs have been removed. Those APIs will be available automatically when building against an appropriate OpenSSL version.
  • Fixed PKey::private_key_from_der to return a PKey<Private> rather than a PKey<Public>. This is technically a breaking change but the function was pretty useless previously.

Deprecated

  • X509CheckFlags::FLAG_NO_WILDCARDS has been renamed to X509CheckFlags::NO_WILDCARDS and the old name deprecated.

v0.10.5 - 2018-02-28

Fixed

  • ErrorStack's Display implementation no longer writes an empty string if it contains no errors.

Added

  • Added SslRef::version2.
  • Added Cipher::des_ede3_cbc.
  • Added SslRef::export_keying_material.
  • Added the ability to push an Error or ErrorStack back onto OpenSSL's error stack. Various callback bindings use this to propagate errors properly.
  • Added SslContextBuilder::set_cookie_generate_cb and SslContextBuilder::set_cookie_verify_cb.
  • Added SslContextBuilder::set_max_proto_version, SslContextBuilder::set_min_proto_version, SslContextBuilder::max_proto_version, and SslContextBuilder::min_proto_version.

Changed

  • Updated SslConnector's default cipher list to match Python's.

Deprecated

  • SslRef::version has been deprecated. Use SslRef::version_str instead.

v0.10.4 - 2018-02-18

Added

  • Added OpenSSL 1.1.1 support.
  • Added Rsa::public_key_from_pem_pkcs1.
  • Added SslOptions::NO_TLSV1_3. (OpenSSL 1.1.1 only)
  • Added SslVersion.
  • Added SslSessionCacheMode and SslContextBuilder::set_session_cache_mode.
  • Added SslContextBuilder::set_new_session_callback, SslContextBuilder::set_remove_session_callback, and SslContextBuilder::set_get_session_callback.
  • Added SslContextBuilder::set_keylog_callback. (OpenSSL 1.1.1 only)
  • Added SslRef::client_random and SslRef::server_random. (OpenSSL 1.1.0+ only)

Fixed

  • The SslAcceptorBuilder::mozilla_modern constructor now disables TLSv1.0 and TLSv1.1 in accordance with Mozilla's recommendations.

v0.10.3 - 2018-02-12

Added

  • OpenSSL is now automatically detected on FreeBSD systems.
  • Added GeneralName accessors for rfc822Name and uri variants.
  • Added DES-EDE3 support.

Fixed

  • Fixed a memory leak in X509StoreBuilder::add_cert.

v0.10.2 - 2018-01-11

Added

  • Added ConnectConfiguration::set_use_server_name_indication and ConnectConfiguration::set_verify_hostname for use in contexts where you don't have ownership of the ConnectConfiguration.

v0.10.1 - 2018-01-10

Added

  • Added a From<ErrorStack> for ssl::Error implementation.

v0.10.0 - 2018-01-10

Compatibility

  • openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue.

Added

  • The ssl::select_next_proto function can be used to easily implement the ALPN selection callback in a "standard" way.
  • FIPS mode support is available in the fips module.
  • Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added.
  • The X509VerifyResult can now be set in the certificate verification callback via X509StoreContextRef::set_error.

Changed

  • All constants have been moved to associated constants of their type. For example, bn::MSB_ONE is now bn::MsbOption::ONE.

  • Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume that certain components are present and will segfault trying to use things that aren't there.

    The pkey module contains new tag types named Params, Public, and Private, and the Dh, Dsa, EcKey, Rsa, and PKey have a type parameter set to one of those values. This allows the Signer constructor to indicate that it requires a private key at compile time for example. Previously, Signer would simply segfault if provided a key without private components.

  • ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single method used for both the server and client sides which performed everything automatically, the SslContextBuilder::set_alpn_protos and SslContextBuilder::set_alpn_select_callback handle the client and server sides respectively.

  • SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication has been removed in favor of new methods which provide more control. The ConnectConfiguration::use_server_name_indication method controls the use of Server Name Indication (SNI), and the ConnectConfiguration::verify_hostname method controls the use of hostname verification. These can be controlled independently, and if both are disabled, the domain argument to ConnectConfiguration::connect is ignored.

  • Shared secret derivation is now handled by the new derive::Deriver type rather than pkey::PKeyContext, which has been removed.

  • ssl::Error is now no longer an enum, and provides more direct access to the relevant state.

  • SslConnectorBuilder::new has been moved and renamed to SslConnector::builder.

  • SslAcceptorBuilder::mozilla_intermediate and SslAcceptorBuilder::mozilla_modern have been moved to SslAcceptor and no longer take the private key and certificate chain. Install those manually after creating the builder.

  • X509VerifyError is now X509VerifyResult and can now have the "ok" value in addition to error values.

  • x509::X509FileType is now ssl::SslFiletype.

  • Asymmetric key serialization and deserialization methods now document the formats that they correspond to, and some have been renamed to better indicate that.

Removed

  • All deprecated APIs have been removed.
  • NPN support has been removed. It has been supersceded by ALPN, and is hopefully no longer being used in practice. If you still depend on it, please file an issue!
  • SslRef::compression has been removed.
  • Some ssl::SslOptions flags have been removed as they no longer do anything.

Older

Look at the release tags for information about older releases.