Add a CHANGES.md entry regarding no_renegotiation alert

Highight the bug being fixed for DTLS users

Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27591)

(cherry picked from commit df5dff26efb6cdc96ebe50c35af394a1121e77fe)

diff --git a/CHANGES.md b/CHANGES.md
index 472b50c6d781c6aacde9b4076bf3492be6714290..6a7e81131393d7de686c5a4b65fc98bbc4ad5176 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -27,6 +27,15 @@ OpenSSL 3.2
 
 ### Changes between 3.2.4 and 3.2.5 [xx XXX xxxx]
 
+ * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation
+   alert being received. Older versions of OpenSSL failed with DTLS if a
+   no_renegotiation alert was received. All versions of OpenSSL do this for TLS.
+   From 3.2 a bug was exposed that meant that DTLS ignored no_rengotiation. We
+   have now restored the original behaviour and brought DTLS back into line with
+   TLS.
+
+   *Matt Caswell*
+
  * When displaying distinguished names in the openssl application escape control
    characters by default.