sanity and fixes

@hannesm hannesm released this 02 Jul 13:35

from CHANGES:

  • API: dropped 'perfect' from forward secrecy in Config.Ciphers:
    fs instead of pfs, fs_of instead of pfs_of
  • API: type epoch_data moved from Engine to Core
  • removed Cstruct_s now that cstruct (since 1.6.0) provides
    s-expression marshalling
  • require at least 1024 bit DH group, use FFDHE 2048 bit DH group
    by default instead of oakley2 (logjam)
  • more specific alerts:
    • UNRECOGNIZED_NAME: if hostname in SNI does not match
    • UNSUPPORTED_EXTENSION: if server hello has an extension not present in
      client hello
    • ILLEGAL_PARAMETER: if a parse error occurred
  • encrypt outgoing alerts
  • fix off-by-one in handling empty TLS records: if a record is less than 5
    bytes, treat as a fragment. exactly 5 bytes might already be a valid
    application data frame
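
The boundary case in the last item, as an added Python sketch (not ocaml-tls code): a TLS record header is 5 bytes, so a 5-byte buffer with a zero length field is a complete, empty record. The `off_by_one` flag models a `<=` header check, which is an assumed form of the bug kept only for comparison; all names and sample bytes are constructed for this example.

```python
import struct

HEADER_LEN = 5  # content type (1) + protocol version (2) + length (2)
APPLICATION_DATA = 23


def split_records(buf: bytes, off_by_one: bool = False):
    """Split buf into complete TLS records plus a trailing fragment.

    Returns (records, fragment); each record is (content_type, version, payload).
    off_by_one=True uses a `<=` header check (assumed form of the bug,
    for comparison only).
    """
    records = []
    pos = 0
    while True:
        remaining = len(buf) - pos
        too_short = remaining <= HEADER_LEN if off_by_one else remaining < HEADER_LEN
        if too_short:
            break  # not even a full header yet: wait for more bytes
        ctype, version, length = struct.unpack_from("!BHH", buf, pos)
        if remaining < HEADER_LEN + length:
            break  # header complete, payload still in flight
        start = pos + HEADER_LEN
        records.append((ctype, version, buf[start:start + length]))
        pos = start + length
    return records, buf[pos:]


# Constructed sample: a zero-length application data record (TLS 1.2, 0x0303).
EMPTY_APP_DATA = struct.pack("!BHH", APPLICATION_DATA, 0x0303, 0)

if __name__ == "__main__":
    print(split_records(EMPTY_APP_DATA))                   # one empty record
    print(split_records(EMPTY_APP_DATA, off_by_one=True))  # stuck as a fragment
    print(split_records(EMPTY_APP_DATA[:4]))               # genuinely a fragment
```

With the `<=` check, an empty record at the end of a buffer is never delivered until more bytes arrive, so a peer that sends one and then waits would stall the connection.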