Add CHANGES.md and NEWS.md updates for the 3.4 release
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25339)
This commit is contained in:
Tomas Mraz
parent
01f4b44e07
commit
5650289743
60
CHANGES.md
60
CHANGES.md
@ -29,7 +29,17 @@ OpenSSL 3.4
|
||||
|
||||
### Changes between 3.3 and 3.4 [xx XXX xxxx]
|
||||
|
||||
* XOF Digest API changes.
|
||||
* Improved base64 BIO correctness and error reporting.
|
||||
|
||||
*Viktor Dukhovni*
|
||||
|
||||
* Added support for directly fetched composite signature algorithms such as
|
||||
RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
|
||||
EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
|
||||
|
||||
*Richard Levitte*
|
||||
|
||||
* XOF Digest API improvements
|
||||
|
||||
EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
|
||||
EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
|
||||
@ -44,7 +54,8 @@ OpenSSL 3.4
|
||||
|
||||
*Shane Lontis*
|
||||
|
||||
* Add FIPS indicators to the FIPS provider.
|
||||
* Added FIPS indicators to the FIPS provider.
|
||||
|
||||
FIPS 140-3 requires indicators to be used if the FIPS provider allows
|
||||
non-approved algorithms. An algorithm is approved if it passes all
|
||||
required checks such as minimum key size. By default an error will
|
||||
@ -66,19 +77,42 @@ OpenSSL 3.4
|
||||
|
||||
*Shane Lontis, Paul Dale and Po-Hsing Wu*
|
||||
|
||||
* Add debuginfo Makefile target for unix platforms to produce
|
||||
* Added support for hardware acceleration for HMAC on S390x architecture.
|
||||
|
||||
*Ingo Franzki*
|
||||
|
||||
* Added debuginfo Makefile target for unix platforms to produce
|
||||
a separate DWARF info file from the corresponding shared libs.
|
||||
|
||||
*Neil Horman*
|
||||
|
||||
* Add feature to retrieve configured TLS signature algorithms,
|
||||
* Added support for encapsulation and decapsulation operations in the
|
||||
pkeyutl command.
|
||||
|
||||
*Dmitry Belyavskiy*
|
||||
|
||||
* Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
|
||||
|
||||
*Dmitry Belyavskiy*
|
||||
|
||||
* Add a new random seed source RNG `JITTER` using a statically linked
|
||||
jitterentropy library.
|
||||
|
||||
*Dimitri John Ledkov*
|
||||
|
||||
* Added a feature to retrieve configured TLS signature algorithms,
|
||||
e.g., via the openssl list command.
|
||||
|
||||
*Michael Baentsch*
|
||||
|
||||
* Deprecated TS_VERIFY_CTX_set_* functions and added replacement
|
||||
TS_VERIFY_CTX_set0_* functions with improved semantics.
|
||||
|
||||
*Tobias Erbsland*
|
||||
|
||||
* Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
|
||||
what were formerly build time locations can now be defined at run time
|
||||
with registry keys. See NOTES-WINDOWS.md
|
||||
with registry keys. See NOTES-WINDOWS.md.
|
||||
|
||||
*Neil Horman*
|
||||
|
||||
@ -110,8 +144,8 @@ OpenSSL 3.4
|
||||
|
||||
*Tomáš Mráz*
|
||||
|
||||
* Use an empty renegotiate extension in TLS client hellos instead of
|
||||
the empty renegotiation SCSV, for all connections with a minimum TLS
|
||||
* An empty renegotiate extension will be used in TLS client hellos instead
|
||||
of the empty renegotiation SCSV, for all connections with a minimum TLS
|
||||
version > 1.0.
|
||||
|
||||
*Tim Perry*
|
||||
@ -129,6 +163,13 @@ OpenSSL 3.4
|
||||
|
||||
*Rajeev Ranjan*
|
||||
|
||||
* Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
|
||||
userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
|
||||
subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
|
||||
holderNameConstraints and targetingInformation X.509v3 extensions.
|
||||
|
||||
*Jonathan M. Wilbur*
|
||||
|
||||
* Added Attribute Certificate (RFC 5755) support. Attribute
|
||||
Certificates can be created, parsed, modified and printed via the
|
||||
public API. There is no command-line tool support at this time.
|
||||
@ -208,11 +249,6 @@ OpenSSL 3.3
|
||||
|
||||
### Changes between 3.2 and 3.3.0 [9 Apr 2024]
|
||||
|
||||
* Add a new random seed source RNG `JITTER` using a statically linked
|
||||
jitterentropy library.
|
||||
|
||||
*Dimitri John Ledkov*
|
||||
|
||||
* The `-verify` option to the `openssl crl` and `openssl req` will make
|
||||
the program exit with 1 on failure.
|
||||
|
||||
|
||||
57
NEWS.md
57
NEWS.md
@ -28,7 +28,62 @@ OpenSSL.
|
||||
|
||||
This release is in development.
|
||||
|
||||
* Added initial Attribute Certificate (RFC 5755) support.
|
||||
This release incorporates the following potentially significant or incompatible
|
||||
changes:
|
||||
|
||||
* Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement
|
||||
TS_VERIFY_CTX_set0_* functions with improved semantics
|
||||
|
||||
* Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
|
||||
what were formerly build time locations can now be defined at run time
|
||||
with registry keys
|
||||
|
||||
* The X25519 and X448 key exchange implementation in the FIPS provider
|
||||
is unapproved and has `fips=no` property.
|
||||
|
||||
* SHAKE-128 and SHAKE-256 implementations have no default digest length
|
||||
anymore. That means these algorithms cannot be used with
|
||||
EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
|
||||
|
||||
* Setting `config_diagnostics=1` in the config file will cause errors to
|
||||
be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
|
||||
in the ssl module configuration.
|
||||
|
||||
* An empty renegotiate extension will be used in TLS client hellos instead
|
||||
of the empty renegotiation SCSV, for all connections with a minimum TLS
|
||||
version > 1.0.
|
||||
|
||||
* Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
|
||||
SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
|
||||
functions which are Y2038-safe on platforms with Y2038-safe `time_t`
|
||||
|
||||
This release adds the following new features:
|
||||
|
||||
* Support for directly fetched composite signature algorithms such as
|
||||
RSA-SHA2-256 including new API functions
|
||||
|
||||
* FIPS indicators support in the FIPS provider and various updates of the FIPS
|
||||
provider required for future FIPS 140-3 validations
|
||||
|
||||
* Implementation of RFC 9579 (PBMAC1) in PKCS#12
|
||||
|
||||
* An optional additional random seed source RNG `JITTER` using a statically
|
||||
linked jitterentropy library
|
||||
|
||||
* New options `-not_before` and `-not_after` for explicit setting start and
|
||||
end dates of certificates created with the `req` and `x509` apps
|
||||
|
||||
* Support for integrity-only cipher suites TLS_SHA256_SHA256 and
|
||||
TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
|
||||
|
||||
* Support for requesting CRL in CMP
|
||||
|
||||
* Support for additional X.509v3 extensions related to Attribute Certificates
|
||||
|
||||
* Initial Attribute Certificate (RFC 5755) support
|
||||
|
||||
* Possibility to customize ECC groups initialization to use precomputed values
|
||||
to save CPU time and use of this feature by the P-256 implementation
|
||||
|
||||
OpenSSL 3.3
|
||||
-----------
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user