0.23.9

• RFC8879 certificate compression is now supported. Get started by enabling the brotli and/or zlib crate features, which depend on the brotli or zlib-rs crates. We recommend brotli as it has the widest deployment so far.

What's Changed

• ci: temp. pin nightly to 2024-05-22 by @cpu in #1971
• deps: update semver compatible dependencies by @cpu in #1972
• Fix LTO setting and a clippy::use_self finding by @cpu in #1973
• ci: update cargo-check-external-types toolchain by @cpu in #1974
• fix rustc-check-cfg by @cpu in #1975
• Support RFC8879 certificate compression by @ctz in #1966
• Update roadmap to reflect initial release of the OpenSSL compat layer by @bdaehlie in #1977
• Implement RFC 9180 HPKE provider backed by aws-lc-rs by @cpu in #1963
• Tidy handshake_tests file by @ctz in #1978
• General roadmap updates. by @bdaehlie in #1979
• Minor #[allow()] cleanups by @ctz in #1982
• Prepare 0.23.9 by @ctz in #1986

Full Changelog: v/0.23.8...v/0.23.9

0.23.8

• Add support for enforcing CRL expiration, by @jasperpatterson

What's Changed

• updated the command to run the examples tlsserver-mio and tlsclient-mio by @sarath3192 in #1956
• update cargo deps by @cpu in #1960
• Misc changes around certificate encoding by @ctz in #1962
• Add support for enforcing CRL expiration by @jasperpatterson in #1922
• Certificate compression preparation by @ctz in #1964
• Prepare 0.23.8 by @ctz in #1965

New Contributors

• @sarath3192 made their first contribution in #1956
• @jasperpatterson made their first contribution in #1922

Full Changelog: v/0.23.7...v/0.23.8

0.23.7

• send_close_notify is now idempotent, in case it is accidentally called more than once.
• read_tls now refuses to read further data after a close_notify is received, by returning Ok(0) (ie, an EOF).
• Correct fix in 0.23.6 to properly discard data after close_notify received, avoiding a spurious DecryptError on subsequent calls to process_new_packets().

What's Changed

• Avoid sending multiple close notifies by @ctz in #1955

Full Changelog: v/0.23.6...v/0.23.7

0.23.6

• Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
• Ignore data received after close_notify (#1950)

What's Changed

• MSRV 1.61 -> 1.63 by @cpu in #1902
• Install golang on macos runners by @ctz in #1919
• deps: update cargo semver compatible deps by @cpu in #1914
• crypto::aws_lc_rs: minor docs nits by @ctz in #1923
• deps: update cargo semver compatible deps by @cpu in #1928
• Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
• README.md: fix spelling error by @ctz in #1933
• Apply suggestions from clippy 1.78 by @djc in #1934
• aws-lc-rs: reduce priority of ECDSA_NISTP521_SHA512 by @ctz in #1924
• Rename SignatureScheme::sign by @ctz in #1936
• Cargo.lock: update rustls version under hickory by @ctz in #1937
• ring: cfg-gate the hmac module by @cpu in #1940
• build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
• deps: update cargo semver compatible deps by @cpu in #1943
• Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
• bogo: fix config rewriting when cpp is clang by @djc in #1948
• Warn on lints, don't deny by @djc in #1949
• Ignore data appearing after close_notify by @djc in #1950
• Prepare 0.23.6 by @ctz in #1952
• deps: update cargo semver compatible deps by @cpu in #1953

New Contributors

• @MOZGIII made their first contribution in #1930

Full Changelog: v/0.23.5...v/0.23.6

0.21.12

• The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
• MSRV is now 1.63.

What's Changed

• v0.21.12 release preparation by @cpu in #1925

Full Changelog: v/0.21.11...v/0.21.12

0.23.5

• This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io(), reachable via network input. If a close_notify alert is received during a handshake, complete_io() did not terminate. Callers which do not call complete_io() are not affected.
• Add an API (handshake_kind()) for learning whether a handshake was resumed or not.
• no-std support has been extended, allowing use of LimitedCache, ResolvesServerCertUsingSni, ServerSessionMemoryCache, ClientSessionStore, TicketSwitcher and the aws-lc-rs/ring Ticketer when the hashbrown feature is enabled and a compatible no-std Mutex implementation provided.
• The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.

What's Changed

• Cargo.lock: update semver compatible deps by @cpu in #1874
• quic: make Suite Copy by @djc in #1879
• no-std support phase II by @pvdrz in #1688
• Relax server_name extension validation by @ctz in #1881
• Correct references to VerifierBuilderError by @ctz in #1884
• connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
• deps: update semver compatible deps by @cpu in #1885
• deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
• build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
• deps: update cargo semver compatible deps by @cpu in #1892
• replace build-a-pki.sh with Rust+rcgen, rcgen 0.13 by @cpu in #1852
• docs: update ROADMAP post-quantum kex item by @cpu in #1894
• deps: update cargo semver compatible deps by @cpu in #1897
• Expose connection resumption details by @ctz in #1899
• Return Option from handshake_kind() by @ctz in #1900
• docs: update SECURITY example by @cpu in #1903
• Correct complete_io behaviour when close_notify alert is received by @ctz in #1905

Full Changelog: v/0.23.4...v/0.23.5

0.22.4

This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

• Correct complete_io behaviour when close_notify alert is received (0.22 edition) by @ctz in #1906

Full Changelog: v/0.22.3...v/0.22.4

0.21.11

This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

• rel-0.21 branch housekeeping by @ctz in #1904
• Correct complete_io behaviour when close_notify alert is received (0.21 edition) by @ctz in #1907

Full Changelog: v/0.21.10...v/0.21.11

0.23.4

• Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy.
• Improve documentation and example code around AcceptedAlert::write

What's Changed

• ClientKeyExchangeParams: widen feature gate to avoid clippy lint by @ctz in #1866
• Add path for rustls-post-quantum -> rustls dependency by @ctz in #1865
• Correct ECDSA-SHA1 allergy by @ctz in #1869
• Improve AcceptedAlert::write documentation, example usage by @cpu in #1868
• Further new nightly clippy corrections by @ctz in #1872

Full Changelog: v/0.23.3...v/0.23.4

0.22.3

• Bug fix: return correct ConnectionTrafficSecrets variant from dangerous_extract_secrets() when AES-256-GCM is negotiated. See #1833
• Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy. See seanmonstar/reqwest#2191

What's Changed

• rel-0.22 CI fixes by @cpu in #1814
• Port #1869 to 0.22 release line by @ctz in #1870

Full Changelog: v/0.22.2...v/0.22.3