0.10.0

0.10.0 (2019-02-28)

• tls: fix extensions length (used to include the 2 byte extension length field)
  if padding is inserted (introduced on May 5, 2014 in #73)
• tls-mirage: adapt to mirage-kv 2.0.0 API (#384, @samoht)

0.9.3

0.9.3 (2019-01-07)

• tls: do not require client sent ciphersuites to be a proper set
  (interoperability with some android devices)
• tls_lwt: delay error from writing to peer while reading, record errors only
  if state is active (fixes #347)
• migrate opam file to opam 2.0 format

0.9.2

0.9.2 (2018-08-24)

• compatibility with ppx_sexp_conv >v0.11.0 (#381), required for 4.07.0
• support ALPN (#378, @bobbypriambodo)

0.9.1

0.9.1 (2018-02-26)

• Tls_lwt: use Tls.Config instead of Config directly to avoid polluting imported
  names (#376, @rgrinberg)

0.9.0

0.9.0 (2017-12-23)

• renegotiation semantics (#375)
  allow acceptable_ca, authenticator, and own_cert to be updated (Config.with_x)
  semantics of reneg is blocking
  {Tls_lwt.Unix|Tls_mirage}.reneg ~drop:bool drops data of earlier epoch
• implement acceptable_ca (#332, @reynir)
• fix client renegotiation with ExtendedMasterSecret (#373, broken since 0.7.0)
• Config.client can get ~peer_name (#373)
• Asn.Time.t is Ptime.t now (asn1-combinators.0.2.0, x509.0.6.0, #372)
• cleanups (#360, #363, #369, @rgrinberg)
• remove 3DES CBC SHA from default ciphers (#359)

0.8.0

0.8.0 (2017-02-01)

• lwt: in Unix.client_of_fd the named argument host is now optional (#336)
• mirage: in client_of_flow the (positional) hostname argument is now optional (#336)
• mirage: adapt to PCLOCK interface (@mattgray #329 #331)
• build system migrated from oasis to topkg (#342)
• mirage: adapt to MirageOS3 (@yomimono @samoht #338 #349 #350 #351 #353)
• lwt: do not crash on double close (@vbmithr #345)
• fixed docstring typos (@mor1 #340)

Beyond camlp4

• remove camlp4 dependency (use cstruct ppx and sexplib ppx instead)

• sort client extensions, there are servers which dislike an extension without
  data at the end, thus try to send extensions with data at the end (#319)

• initial GCM support (#310)

• fix hs_can_handle_appdata (#315):
  Initially we allowed application data always after the first handshake.

  Turns out, between CCS and Finished there is new crypto_context in place
  which has not yet been authenticated -- bad idea to accept application data
  at that point (beginning of 2015 in OCaml TLS).

  The fix was to only allow application data in Established state (and block
  in Tls_lwt/Tls_mirage when the user requested renegotiation) (December 2015
  in OCaml-TLS).

  Renegotiation was also turned off by default when we introduced resumption
  (mid October 2015): both features together (without mitigating via session
  hash) allow the triple handshake.

  It turns out, the server side can happily accept application data from the
  other side when it just sent a HelloRequest (and waits for the ClientHello;
  same is true for the client side, waiting for the ServerHello in
  renegotiation case might be interleaved with application data) to let the
  client initiate a new handshake. By this commit, OCaml-TLS allows
  application data then.

  In the end, it is a pretty academic thing anyways, since nobody uses
  renegotiation with OCaml-TLS in the field.

• during verification of a digitally signed: checked that the used hash
  algorithm is one of the configured ones (#313)

• unify return type of handshake and change cipher spec handler (#314)

• separate client and server extensions (#317)

• type equality (no longer generative error type), use result (#318)

• removed Printer (was barely useful)

resuming normal operations

• session resumption (via session ID) support (#283)
  Config contains session_cache : SessionID.t -> epoch_data option
  and cached_session : epoch_data option
• session hash and extended master secret (RFC 7627) support (#287)

semantic changes

• disable renegotiation by default (#300)
• stack blocks (both Mirage and Lwt) while renegotiating (#304)
• Engine.handshake_in_progress no longer exist
• Hex_fingerprint /Fingerprint authenticators no longer exist
• Mirage X509 does no longer prefix keys and trust anchors with "tls/" in the path

minor fixes

• fix concurrent read/write in tls_mirage (#303)
• expose own_random and peer_random in epoch_data (@cfcs, #297)
• public key pinning (X509_lwt) via Hex_key_fingerprint /Key_fingerprint (#301)
• certificate chain and peer certificate are exposed via epoch_data (new path-building X.509 interface)

sanity and fixes

from CHANGES:

• API: dropped 'perfect' from forward secrecy in Config.Ciphers:
  fs instead of pfs, fs_of instead of pfs_of
• API: type epoch_data moved from Engine to Core
• removed Cstruct_s now that cstruct (since 1.6.0) provides
  s-expression marshalling
• require at least 1024 bit DH group, use FFDHE 2048 bit DH group
  by default instead of oakley2 (logjam)
• more specific alerts:
  • UNRECOGNIZED_NAME: if hostname in SNI does not match
  • UNSUPPORTED_EXTENSION: if server hello has an extension not present in
    client hello
  • ILLEGAL_PARAMETER: if a parse error occured
• encrypt outgoing alerts
• fix off-by-one in handling empty TLS records: if a record is less than 5
  bytes, treat as a fragment. exactly 5 bytes might already be a valid
  application data frame

temporarily stable

• updates to extension enum (contributed by Dave Garrett #264)
• removed entropy feeding (done by nocrypto) #265
• Tls_lwt file descriptor lifecycle: not eagerly close file descriptors #266