From: Neil Horman Date: Mon, 13 Jan 2025 17:06:49 +0000 (-0500) Subject: Add changes.md entry noting the limitations of recursive SSL calls X-Git-Tag: openssl-3.5.0-alpha1~262 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55f3968a4972b0dc2bc88a70dc772474658714ac;p=thirdparty%2Fopenssl.git Add changes.md entry noting the limitations of recursive SSL calls QUIC can't currently make recursive SSL calls, as it potentially results in deadlock Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26361) --- diff --git a/CHANGES.md b/CHANGES.md index 88989b0dee1..a9adbb4e3ef 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -30,6 +30,15 @@ OpenSSL 3.5 ### Changes between 3.4 and 3.5 [xx XXX xxxx] +* Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb, + which allows for application notification of new connection SSL object + creation, which occurs independently of calls to SSL_accept_connection(). + Note: QUIC objects passed through SSL callbacks should not have their state + mutated via calls back into the SSL api until such time as they have been + received via a call to SSL_accept_connection(). + + *Neil Horman* + * ML-KEM as specified in FIPS 203. Based on the original implementation in BoringSSL, ported from C++ to C,
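Review bot: The Note in the added CHANGES.md entry tells applications not to mutate QUIC objects "via calls back into the SSL api" from a callback, but it never states the consequence. The commit message gives the reason (recursive SSL calls from QUIC potentially result in deadlock), and that belongs in the entry itself so that someone reading only CHANGES.md sees this as a hang risk rather than a style recommendation. Suggest appending something like "as doing so can potentially result in deadlock" to that sentence, and either saying which kinds of calls count as mutating state or pointing to the documentation for SSL_CTX_set_new_pending_conn_cb. Minor: "SSL api" should read "SSL API", and the callback name would be more consistent written with parentheses, as SSL_accept_connection() is in the same entry.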