Add CHANGES.md entry for changed default TLS group list

author Tomas Mraz <tomas@openssl.org>

Mon, 24 Feb 2025 09:33:08 +0000 (10:33 +0100)

committer Tomas Mraz <tomas@openssl.org>

Tue, 25 Feb 2025 14:34:24 +0000 (15:34 +0100)
author Tomas Mraz <tomas@openssl.org>
Mon, 24 Feb 2025 09:33:08 +0000 (10:33 +0100)
committer Tomas Mraz <tomas@openssl.org>
Tue, 25 Feb 2025 14:34:24 +0000 (15:34 +0100)
diff --git a/CHANGES.md b/CHANGES.md

index 991a862504e507bc60d800affa09d6da50e50f2a..6eaeb760e28d2afee23755e495a94ad690d4d09d 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -87,6 +87,15 @@ OpenSSL 3.5
  
     *David Kelsey*, *Martin Schmatz*
  
+ * The default TLS group list setting is now set to:
+   `?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072`
+
+   This means two key shares (X25519MLKEM768 and X25519) will be sent by
+   default by the TLS client. GOST groups and FFDHE groups larger than 3072
+   bits are no longer enabled by default.
+
+   *Viktor Dukhovni*
+
   * A new random generation API has been introduced which modifies all
     of the L<RAND_bytes(3)> family of calls so they are routed through a
     specific named provider instead of being resolved via the normal DRBG
author	Tomas Mraz <tomas@openssl.org>
	Mon, 24 Feb 2025 09:33:08 +0000 (10:33 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Tue, 25 Feb 2025 14:34:24 +0000 (15:34 +0100)