Add a CHANGES.md entry regarding no_renegotiation alert

Highight the bug being fixed for DTLS users

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)

(cherry picked from commit df5dff26efb6cdc96ebe50c35af394a1121e77fe)

diff --git a/CHANGES.md b/CHANGES.md
index b26d635f81284c24e061afa00ef1867281d3e410..99cb07e8b7850fc209d1677d7831fc8e3b84ef49 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,15 @@ OpenSSL 3.3
 
 ### Changes between 3.3.3 and 3.3.4 [xx XXX xxxx]
 
+ * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation
+   alert being received. Older versions of OpenSSL failed with DTLS if a
+   no_renegotiation alert was received. All versions of OpenSSL do this for TLS.
+   From 3.2 a bug was exposed that meant that DTLS ignored no_rengotiation. We
+   have now restored the original behaviour and brought DTLS back into line with
+   TLS.
+
+   *Matt Caswell*
+
  * When displaying distinguished names in the openssl application escape control
    characters by default.