From: Joe Orton
Date: Tue, 25 Sep 2018 11:58:31 +0000 (+0000)
Subject: Try to be a bit more concise in OpenSSL 1.1.1/TLSv1.3 changes,
X-Git-Tag: 2.4.36~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbf2e96cdbf4826803f4c36dc290aad43f869350;p=thirdparty%2Fapache%2Fhttpd.git

Try to be a bit more concise in OpenSSL 1.1.1/TLSv1.3 changes,
apportion blame/credit widely.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1841920 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 91b05eebdce..96434120a48 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,18 +5,11 @@ Changes with Apache 2.4.36 before signals handling to avoid lifetime issues on restart or shutdown. PR 62658. [Yann Ylavic] - *) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9. - SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for. - Directive "SSLVerifyClient" now triggers certificate retrieval from the client. - Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols, - as this would need to trigger the master connection thread - which we do not support - right now. - Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite" - does not allow to specify TLSv1.3 ciphers in a directory context (because it cannot work) and - TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate. - Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they - can match their needs onto the TLSv1.3 protocol. - [Yann Ylavic, Stefan Eissing] + *) mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has + behavioural changes compared to v1.2 and earlier; client and + configuration changes should be expected. SSLCipherSuite is + enhanced for TLSv1.3 ciphers, but applies at vhost level only. + [Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton] *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces should be accepted after the authorization scheme. \t are also tolerated.
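Review bot: the condensed entry drops concrete, user-facing behaviour that the removed lines documented: that SSLVerifyClient now triggers certificate retrieval from the client, that client verification fails on HTTP/2 connections for all SSL protocols, and that renegotiation of ciphers is intentionally ignored for TLSv1.3 connections; "client and configuration changes should be expected" does not tell an administrator upgrading to 1.1.1 what to check. Suggest keeping one line for each of those points, or at least a pointer to where they are documented, e.g. "enhanced for TLSv1.3 ciphers, but applies at vhost level only; see the mod_ssl documentation for TLSv1.3 behavioural changes." The removed text also described the optional protocol parameter for SSL(Proxy)CipherSuite, whereas the new text only says SSLCipherSuite "is enhanced"; if SSLProxyCipherSuite takes the new first parameter as well, name it, since proxy configurations are affected too. Drive-by in the unchanged context lines: "credencial" should read "credential".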