@@ -28,6 +28,68 @@ history is also available from Git.
2828
2929LibreSSL Portable Release Notes:
3030
31+ 3.4.2 - Security fix
32+
33+ * In some situations the X.509 verifier would discard an error on an
34+ unverified certificate chain, resulting in an authentication bypass.
35+ Thanks to Ilya Shipitsin and Timo Steinlein for reporting.
36+
37+ 3.4.1 - Stable release
38+
39+ * New Features
40+ - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
41+ - Enabled the new X.509 validator to allow verification of
42+ modern certificate chains.
43+ * Portable Improvements
44+ - Ported continuous integration and test infrastructure to Github
45+ actions.
46+ - Added Universal Windows Platform (UWP) build support.
47+ - Fixed mingw-w64 builds on newer versions with missing SSP support.
48+ - Added non-executable stack annotations for CMake builds.
49+ * API and Documentation Enhancements
50+ - Added the following APIs from OpenSSL
51+ BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
52+ EC_GROUP_order_bits EC_GROUP_set_curve
53+ EC_POINT_get_affine_coordinates
54+ EC_POINT_set_affine_coordinates
55+ EC_POINT_set_compressed_coordinates EVP_DigestSign
56+ EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
57+ SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
58+ SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
59+ SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
60+ SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
61+ SSL_SESSION_set_max_early_data SSL_get_early_data_status
62+ SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
63+ SSL_set_ciphersuites SSL_set_max_early_data
64+ SSL_set_post_handshake_auth
65+ SSL_set_psk_use_session_callback
66+ SSL_verify_client_post_handshake SSL_write_early_data
67+ - Added AES-GCM constants from RFC 7714 for SRTP.
68+ * Compatibility Changes
69+ - Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
70+ - Call the info callback on connect/accept exit in TLSv1.3,
71+ needed for p5-Net-SSLeay.
72+ - Default to using named curve parameter encoding from
73+ pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
74+ - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
75+ * Testing and Proactive Security
76+ - Added additional state machine test coverage.
77+ - Improved integration test support with ruby/openssl tests.
78+ - Error codes and callback support in new X.509 validator made
79+ compatible with p5-Net_SSLeay tests.
80+ * Internal Improvements
81+ - Numerous fixes and improvements to the new X.509 validator to
82+ ensure compatible error codes and callback support compatible
83+ with the legacy OpenSSL validator.
84+
85+ 3.4.0 - Development release
86+
87+ * Add support for OpenSSL 1.1.1 TLSv1.3 APIs.
88+
89+ * Enable new x509 validator.
90+
91+ * More details to come, testing is appreciated.
92+
31933.3.5 - Security fix
3294
3395 * A stack overread could occur when checking X.509 name constraints.
0 commit comments