*Rajeev Ranjan*
- * Added support for requesting CRL in CMP.
+ * Added support for retrieving certificate request templates and CRLs in CMP,
+ with the respective CLI options `-template`,
+ `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`.
This work was sponsored by Siemens AG.
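Review bot: the last added line of the option list has a stray `>` in `-crlform>`. It should read `-crlform`, matching the other options in the list and the B<-crlform> spelling used in the man page part of this patch.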
- `certProfile` request message header and respective `-profile` CLI option
- support for delayed delivery of all types of response messages
+ This work was sponsored by Siemens AG.
+
*David von Oheimb*
* The build of exporters (such as `.pc` files for pkg-config) cleaned up to
*Fergus Dall*
- * Added support for securely getting root CA certificate update in
- CMP.
-
- *David von Oheimb*
-
* Improved contention on global write locks by using more read locks where
appropriate.
*David von Oheimb*
* Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
- in particular supporting requests for central key generation, generalized
- polling, and various types of genm/genp exchanges defined in CMP Updates.
+ in particular supporting various types of genm/genp exchanges such as getting
+ CA certificates and root CA cert updates defined in CMP Updates [RFC 9480],
+ as well as the `-srvcertout` and `-serial` CLI options.
+
+ This work was sponsored by Siemens AG.
*David von Oheimb*
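Review bot: in the rewritten sentence, "as well as the `-srvcertout` and `-serial` CLI options" is attached to "supporting various types of genm/genp exchanges such as ...", so the two options read as if they were genm/genp exchanges. Consider splitting them into their own clause or sentence. Also, `[RFC 9480]` is written in square brackets while the NEWS text in this patch cites "RFC 9150" without them; pick one form, or make the brackets a real link.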
FIPS compliance can be claimed. Enable this using the configuration
option `enable-fips-jitter`.
+ * Support for central key generation in CMP
+
OpenSSL 3.4
-----------
* Support for integrity-only cipher suites TLS_SHA256_SHA256 and
TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
- * Support for requesting CRL in CMP
+ * Support for retrieving certificate request templates and CRLs in CMP
* Support for additional X.509v3 extensions related to Attribute Certificates
* Added X509_STORE_get1_objects to avoid issues with the existing
X509_STORE_get0_objects API in multi-threaded applications.
+ * Support for using certificate profiles and extened delayed delivery in CMP
+
This release incorporates the following potentially significant or incompatible
changes:
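Review bot: the added bullet "Support for using certificate profiles and extened delayed delivery in CMP" misspells "extended". Please fix it before merging, since NEWS text is copied into release announcements.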
The B<-engine> option was deprecated in OpenSSL 3.0.
-The B<-profile> option was added in OpenSSL 3.3.
+The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>,
+The B<-srvcertout>, and B<-serial> option were added in OpenSSL 3.2, as well
+as an extension of B<-cacertsout> to use when getting CA certificates.
+Since then, the B<-issuer> may be used also for certificates to be revoked.
-B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
+The B<-profile> and B<-no_cache_extracerts> options were added in OpenSSL 3.3,
+as well as support for delayed delivery of all types of response messages.
+
+The B<-template>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
and B<-rsp_crl> options were added in OpenSSL 3.4.
B<-centralkeygen>, b<-newkeyout>, B<-rsp_key> and
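Review bot: the two added lines starting "The B<-oldwithold>, ..." and "The B<-srvcertout>, and B<-serial> option were added" do not form one sentence: the second "The" is left over and "option were" does not agree. Suggest "..., B<-oldwithnew>, B<-srvcertout>, and B<-serial> options were added in OpenSSL 3.2". In the next added sentence "the B<-issuer> may be used" is missing the word "option". While touching this history section, note that the unchanged line after the hunk has a lowercase `b<-newkeyout>`, which POD will not treat as a formatting code.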
OSSL_CMP_CTX_get0_geninfo_ITAVs() was added in OpenSSL 3.3.
+Support for central key generation, requested via B<OSSL_CRMF_POPO_NONE>,
+was added in OpenSSL 3.5.
+
=head1 COPYRIGHT
Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
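Review bot: the added history sentence "Support for central key generation, requested via B<OSSL_CRMF_POPO_NONE>, was added in OpenSSL 3.5." names the value but not the context option or function through which it is set. Naming that option here, or pointing to the section of this page that describes it, would let a reader find out how to make the request.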