From 55f3968a4972b0dc2bc88a70dc772474658714ac Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Mon, 13 Jan 2025 12:06:49 -0500 Subject: [PATCH] Add changes.md entry noting the limitations of recursive SSL calls MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit QUIC can't currently make recursive SSL calls, as it potentially results in deadlock Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26361) --- CHANGES.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 88989b0dee1..a9adbb4e3ef 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,15 @@ OpenSSL 3.5 ### Changes between 3.4 and 3.5 [xx XXX xxxx] +* Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb, + which allows for application notification of new connection SSL object + creation, which occurs independently of calls to SSL_accept_connection(). + Note: QUIC objects passed through SSL callbacks should not have their state + mutated via calls back into the SSL api until such time as they have been + received via a call to SSL_accept_connection(). + + *Neil Horman* + * ML-KEM as specified in FIPS 203. Based on the original implementation in BoringSSL, ported from C++ to C, -- 2.47.2
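Review bot: The Note in the new CHANGES.md entry tells applications not to mutate QUIC objects "via calls back into the SSL api" until they have been received from SSL_accept_connection(), but it does not say why. The potential deadlock is mentioned only in the commit message. Consider stating the consequence in the entry itself, so that a reader of CHANGES.md sees this as a hard restriction rather than a style recommendation. The entry also leaves open which calls count as mutating state, so an application author cannot tell from it whether read-only queries on the object inside the callback are safe. Two minor style points: "SSL api" should read "SSL API", and SSL_CTX_set_new_pending_conn_cb is written without the trailing "()" that SSL_accept_connection() carries in the same entry.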