path: root/crypto/openssl/CHANGES
diff options
authorJung-uk Kim <jkim@FreeBSD.org>2020-09-25 22:43:14 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2020-09-25 22:43:14 +0000
commit7fc1f569abf7c799c6334297ee020a01b5d3d71e (patch)
tree6494fa45d06ccd27128ac6675e338eb0ee59ac62 /crypto/openssl/CHANGES
parent2367fca656edb8ea52e6a2f7d8ef63e3a38966d6 (diff)
MFS: r366176
Merge OpenSSL 1.1.1h. Approved by: re (gjb)
Notes: svn path=/releng/12.2/; revision=366177
Diffstat (limited to 'crypto/openssl/CHANGES')
1 files changed, 27 insertions, 0 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 057405b0bff9..7ea3d2b82322 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -7,6 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
+ *) Certificates with explicit curve parameters are now disallowed in
+ verification chains if the X509_V_FLAG_X509_STRICT flag is used.
+ [Tomas Mraz]
+ *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+ [Viktor Dukhovni]
+ *) Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+ [Tomas Mraz]
+ *) The Oracle Developer Studio compiler will start reporting deprecated APIs
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()