Add a CHANGES entry for the SSL_SECOP_TMP_DH change

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)

diff --git a/CHANGES b/CHANGES
index fcb824c02d50448a35098286afee5f61763614b1..401ae7a339c695c0a31af9c49328f6d7d86907d6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -9,7 +9,15 @@
 
  Changes between 1.1.1h and 1.1.1i [xx XXX xxxx]
 
-  *)
+  *) The security callback, which can be customised by application code, supports
+     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+     in the "other" parameter. In most places this is what is passed. All these
+     places occur server side. However there was one client side call of this
+     security operation and it passed a DH object instead. This is incorrect
+     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+     of the other locations. Therefore this client side call has been changed to
+     pass an EVP_PKEY instead.
+     [Matt Caswell]
 
  Changes between 1.1.1g and 1.1.1h [22 Sep 2020]