From: Matt Caswell Date: Wed, 21 Aug 2024 10:16:54 +0000 (+0100) Subject: Add a CHANGES.md entry X-Git-Tag: openssl-3.5.0-alpha1~641 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=198e5a847ad3914ea90df15bc20f9d7e839b736a;p=thirdparty%2Fopenssl.git Add a CHANGES.md entry Reviewed-by: Tim Hudson Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26683) --- diff --git a/CHANGES.md b/CHANGES.md index e63c4642835..5a16e267c6d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,39 +30,44 @@ OpenSSL 3.5 ### Changes between 3.4 and 3.5 [xx XXX xxxx] -* For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of - `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection. - Extend the server-side key exchange group selection algorithm and related group list syntax - to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs. + * Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS + implementation. - *David Kelsey*, *Martin Schmatz* + *Matt Caswell* -* A new random generation API has been introduced which modifies all - of the L family of calls so they are routed through a - specific named provider instead of being resolved via the normal DRBG - chaining. In a future OpenSSL release, this will obsolete RAND_METHOD. + * For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of + `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover server-side key exchange group selection. + Extend the server-side key exchange group selection algorithm and related group list syntax + to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs. - *Dr Paul Dale* + *David Kelsey*, *Martin Schmatz* -* New inline functions were added to support loads and stores of unsigned - 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian - form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)` - manpage for details. + * A new random generation API has been introduced which modifies all + of the L family of calls so they are routed through a + specific named provider instead of being resolved via the normal DRBG + chaining. In a future OpenSSL release, this will obsolete RAND_METHOD. - *Viktor Dukhovni* + *Dr Paul Dale* -* All the BIO_meth_get_*() functions allowing reuse of the internal OpenSSL - BIO method implementations were deprecated. The reuse is unsafe due to - dependency on the code of the internal methods not changing. + * New inline functions were added to support loads and stores of unsigned + 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian + form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)` + manpage for details. - *Tomáš Mráz* + *Viktor Dukhovni* + + * All the BIO_meth_get_*() functions allowing reuse of the internal OpenSSL + BIO method implementations were deprecated. The reuse is unsafe due to + dependency on the code of the internal methods not changing. + + *Tomáš Mráz* -* Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list(). - SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the - available groups to the default selection. The '-' prefix allows the calling - application to remove a group from the selection. + * Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list(). + SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the + available groups to the default selection. The '-' prefix allows the calling + application to remove a group from the selection. - *Frederik Wedel-Heinen* + *Frederik Wedel-Heinen* * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications from `des-ede3-cbc` to `aes-256-cbc`.