Releases: rustls/rustls
0.23.9
- RFC8879 certificate compression is now supported. Get started by enabling the `brotli` and/or `zlib` crate features, which depend on the `brotli` or `zlib-rs` crates. We recommend brotli as it has the widest deployment so far.
What's Changed
- ci: temp. pin nightly to 2024-05-22 by @cpu in #1971
- deps: update semver compatible dependencies by @cpu in #1972
- Fix LTO setting and a clippy::use_self finding by @cpu in #1973
- ci: update cargo-check-external-types toolchain by @cpu in #1974
- fix rustc-check-cfg by @cpu in #1975
- Support RFC8879 certificate compression by @ctz in #1966
- Update roadmap to reflect initial release of the OpenSSL compat layer by @bdaehlie in #1977
- Implement RFC 9180 HPKE provider backed by aws-lc-rs by @cpu in #1963
- Tidy handshake_tests file by @ctz in #1978
- General roadmap updates. by @bdaehlie in #1979
- Minor `#[allow()]` cleanups by @ctz in #1982
- Prepare 0.23.9 by @ctz in #1986
Full Changelog: v/0.23.8...v/0.23.9
0.23.8
- Add support for enforcing CRL expiration, by @jasperpatterson
What's Changed
- updated the command to run the examples tlsserver-mio and tlsclient-mio by @sarath3192 in #1956
- update cargo deps by @cpu in #1960
- Misc changes around certificate encoding by @ctz in #1962
- Add support for enforcing CRL expiration by @jasperpatterson in #1922
- Certificate compression preparation by @ctz in #1964
- Prepare 0.23.8 by @ctz in #1965
New Contributors
- @sarath3192 made their first contribution in #1956
- @jasperpatterson made their first contribution in #1922
Full Changelog: v/0.23.7...v/0.23.8
0.23.7
- `send_close_notify` is now idempotent, in case it is accidentally called more than once.
- `read_tls` now refuses to read further data after a `close_notify` is received, by returning `Ok(0)` (i.e., an EOF).
- Correct fix in 0.23.6 to properly discard data after `close_notify` is received, avoiding a spurious `DecryptError` on subsequent calls to `process_new_packets()`.
What's Changed
Full Changelog: v/0.23.6...v/0.23.7
0.23.6
- Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
- Ignore data received after `close_notify` (#1950)
What's Changed
- MSRV 1.61 -> 1.63 by @cpu in #1902
- Install golang on macos runners by @ctz in #1919
- deps: update cargo semver compatible deps by @cpu in #1914
- crypto::aws_lc_rs: minor docs nits by @ctz in #1923
- deps: update cargo semver compatible deps by @cpu in #1928
- Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
- README.md: fix spelling error by @ctz in #1933
- Apply suggestions from clippy 1.78 by @djc in #1934
- aws-lc-rs: reduce priority of `ECDSA_NISTP521_SHA512` by @ctz in #1924
- Rename `SignatureScheme::sign` by @ctz in #1936
- Cargo.lock: update rustls version under hickory by @ctz in #1937
- ring: cfg-gate the hmac module by @cpu in #1940
- build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
- deps: update cargo semver compatible deps by @cpu in #1943
- Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
- bogo: fix config rewriting when cpp is clang by @djc in #1948
- Warn on lints, don't deny by @djc in #1949
- Ignore data appearing after close_notify by @djc in #1950
- Prepare 0.23.6 by @ctz in #1952
- deps: update cargo semver compatible deps by @cpu in #1953
New Contributors
Full Changelog: v/0.23.5...v/0.23.6
0.21.12
0.23.5
- This release corrects a denial-of-service condition in `rustls::ConnectionCommon::complete_io()`, reachable via network input. If a `close_notify` alert is received during a handshake, `complete_io()` did not terminate. Callers which do not call `complete_io()` are not affected.
- Add an API (`handshake_kind()`) for learning whether a handshake was resumed or not.
- `no-std` support has been extended, allowing use of `LimitedCache`, `ResolvesServerCertUsingSni`, `ServerSessionMemoryCache`, `ClientSessionStore`, `TicketSwitcher` and the aws-lc-rs/ring `Ticketer` when the `hashbrown` feature is enabled and a compatible `no-std` `Mutex` implementation is provided.
- The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
What's Changed
- Cargo.lock: update semver compatible deps by @cpu in #1874
- quic: make Suite Copy by @djc in #1879
- no-std support phase II by @pvdrz in #1688
- Relax `server_name` extension validation by @ctz in #1881
- Correct references to `VerifierBuilderError` by @ctz in #1884
- connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
- deps: update semver compatible deps by @cpu in #1885
- deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
- build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
- deps: update cargo semver compatible deps by @cpu in #1892
- replace build-a-pki.sh with Rust+rcgen, rcgen 0.13 by @cpu in #1852
- docs: update ROADMAP post-quantum kex item by @cpu in #1894
- deps: update cargo semver compatible deps by @cpu in #1897
- Expose connection resumption details by @ctz in #1899
- Return `Option` from `handshake_kind()` by @ctz in #1900
- docs: update SECURITY example by @cpu in #1903
- Correct `complete_io` behaviour when `close_notify` alert is received by @ctz in #1905
Full Changelog: v/0.23.4...v/0.23.5
0.22.4
This release corrects a denial-of-service condition in `rustls::ConnectionCommon::complete_io`, reachable via network input. If a `close_notify` alert is received during a handshake, `complete_io` did not terminate. Callers which do not call `complete_io` are not affected.
What's Changed
Full Changelog: v/0.22.3...v/0.22.4
0.21.11
This release corrects a denial-of-service condition in `rustls::ConnectionCommon::complete_io`, reachable via network input. If a `close_notify` alert is received during a handshake, `complete_io` did not terminate. Callers which do not call `complete_io` are not affected.
What's Changed
- rel-0.21 branch housekeeping by @ctz in #1904
- Correct `complete_io` behaviour when `close_notify` alert is received (0.21 edition) by @ctz in #1907
Full Changelog: v/0.21.10...v/0.21.11
0.23.4
- Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for `SignatureScheme::ECDSA_SHA1_Legacy`.
- Improve documentation and example code around `AcceptedAlert::write`
What's Changed
- ClientKeyExchangeParams: widen feature gate to avoid clippy lint by @ctz in #1866
- Add path for rustls-post-quantum -> rustls dependency by @ctz in #1865
- Correct ECDSA-SHA1 allergy by @ctz in #1869
- Improve AcceptedAlert::write documentation, example usage by @cpu in #1868
- Further new nightly clippy corrections by @ctz in #1872
Full Changelog: v/0.23.3...v/0.23.4
0.22.3
- Bug fix: return correct `ConnectionTrafficSecrets` variant from `dangerous_extract_secrets()` when AES-256-GCM is negotiated. See #1833
- Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for `SignatureScheme::ECDSA_SHA1_Legacy`. See seanmonstar/reqwest#2191
What's Changed
Full Changelog: v/0.22.2...v/0.22.3