1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
# Change Log
## [Unreleased]
## [v0.10.7] - 2018-04-30
### Added
* Added `X509Req::public_key` and `X509Req::extensions`.
* Added `RsaPrivateKeyBuilder` to allow control over initialization of optional components of an RSA
private key.
* Added DER encode/decode support to `SslSession`.
* openssl-sys now provides the `OPENSSL_VERSION_NUMBER` and `OPENSSL_LIBRESSL_VERSION_NUMBER`
environment variables to downstream build scripts which contains the hex-encoded version number
of the OpenSSL or LibreSSL distribution being built against. The other variables are deprecated.
## [v0.10.6] - 2018-03-05
### Added
* Added `SslOptions::ENABLE_MIDDLEBOX_COMPAT`.
* Added more `Sync` and `Send` implementations.
* Added `PKeyRef::id`.
* Added `Padding::PKCS1_PSS`.
* Added `Signer::set_rsa_pss_saltlen`, `Signer::set_rsa_mgf1_md`, `Signer::set_rsa_pss_saltlen`, and
`Signer::set_rsa_mgf1_md`
* Added `X509StoreContextRef::verify` to directly verify certificates.
* Added low level ECDSA support.
* Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only)
* Added AES-CCM support.
* Added `EcKey::from_private_components`.
* Added CMAC support.
* Added support for LibreSSL 2.7.
* Added `X509Ref::serial_number`.
* Added `Asn1IntegerRef::to_bn`.
* Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only)
### Changed
* The Cargo features previously used to gate access to version-specific OpenSSL APIs have been
removed. Those APIs will be available automatically when building against an appropriate OpenSSL
version.
* Fixed `PKey::private_key_from_der` to return a `PKey<Private>` rather than a `PKey<Public>`. This
is technically a breaking change but the function was pretty useless previously.
### Deprecated
* `X509CheckFlags::FLAG_NO_WILDCARDS` has been renamed to `X509CheckFlags::NO_WILDCARDS` and the old
name deprecated.
## [v0.10.5] - 2018-02-28
### Fixed
* `ErrorStack`'s `Display` implementation no longer writes an empty string if it contains no errors.
### Added
* Added `SslRef::version2`.
* Added `Cipher::des_ede3_cbc`.
* Added `SslRef::export_keying_material`.
* Added the ability to push an `Error` or `ErrorStack` back onto OpenSSL's error stack. Various
callback bindings use this to propagate errors properly.
* Added `SslContextBuilder::set_cookie_generate_cb` and `SslContextBuilder::set_cookie_verify_cb`.
* Added `SslContextBuilder::set_max_proto_version`, `SslContextBuilder::set_min_proto_version`,
`SslContextBuilder::max_proto_version`, and `SslContextBuilder::min_proto_version`.
### Changed
* Updated `SslConnector`'s default cipher list to match Python's.
### Deprecated
* `SslRef::version` has been deprecated. Use `SslRef::version_str` instead.
## [v0.10.4] - 2018-02-18
### Added
* Added OpenSSL 1.1.1 support.
* Added `Rsa::public_key_from_pem_pkcs1`.
* Added `SslOptions::NO_TLSV1_3`. (OpenSSL 1.1.1 only)
* Added `SslVersion`.
* Added `SslSessionCacheMode` and `SslContextBuilder::set_session_cache_mode`.
* Added `SslContextBuilder::set_new_session_callback`,
`SslContextBuilder::set_remove_session_callback`, and
`SslContextBuilder::set_get_session_callback`.
* Added `SslContextBuilder::set_keylog_callback`. (OpenSSL 1.1.1 only)
* Added `SslRef::client_random` and `SslRef::server_random`. (OpenSSL 1.1.0+ only)
### Fixed
* The `SslAcceptorBuilder::mozilla_modern` constructor now disables TLSv1.0 and TLSv1.1 in
accordance with Mozilla's recommendations.
## [v0.10.3] - 2018-02-12
### Added
* OpenSSL is now automatically detected on FreeBSD systems.
* Added `GeneralName` accessors for `rfc822Name` and `uri` variants.
* Added DES-EDE3 support.
### Fixed
* Fixed a memory leak in `X509StoreBuilder::add_cert`.
## [v0.10.2] - 2018-01-11
### Added
* Added `ConnectConfiguration::set_use_server_name_indication` and
`ConnectConfiguration::set_verify_hostname` for use in contexts where you don't have ownership
of the `ConnectConfiguration`.
## [v0.10.1] - 2018-01-10
### Added
* Added a `From<ErrorStack> for ssl::Error` implementation.
## [v0.10.0] - 2018-01-10
### Compatibility
* openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue.
### Added
* The `ssl::select_next_proto` function can be used to easily implement the ALPN selection callback
in a "standard" way.
* FIPS mode support is available in the `fips` module.
* Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added.
* The `X509VerifyResult` can now be set in the certificate verification callback via
`X509StoreContextRef::set_error`.
### Changed
* All constants have been moved to associated constants of their type. For example, `bn::MSB_ONE`
is now `bn::MsbOption::ONE`.
* Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is
used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume
that certain components are present and will segfault trying to use things that aren't there.
The `pkey` module contains new tag types named `Params`, `Public`, and `Private`, and the
`Dh`, `Dsa`, `EcKey`, `Rsa`, and `PKey` have a type parameter set to one of those values. This
allows the `Signer` constructor to indicate that it requires a private key at compile time for
example. Previously, `Signer` would simply segfault if provided a key without private
components.
* ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single
method used for both the server and client sides which performed everything automatically, the
`SslContextBuilder::set_alpn_protos` and `SslContextBuilder::set_alpn_select_callback` handle
the client and server sides respectively.
* `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication`
has been removed in favor of new methods which provide more control. The
`ConnectConfiguration::use_server_name_indication` method controls the use of Server Name
Indication (SNI), and the `ConnectConfiguration::verify_hostname` method controls the use of
hostname verification. These can be controlled independently, and if both are disabled, the
domain argument to `ConnectConfiguration::connect` is ignored.
* Shared secret derivation is now handled by the new `derive::Deriver` type rather than
`pkey::PKeyContext`, which has been removed.
* `ssl::Error` is now no longer an enum, and provides more direct access to the relevant state.
* `SslConnectorBuilder::new` has been moved and renamed to `SslConnector::builder`.
* `SslAcceptorBuilder::mozilla_intermediate` and `SslAcceptorBuilder::mozilla_modern` have been
moved to `SslAcceptor` and no longer take the private key and certificate chain. Install those
manually after creating the builder.
* `X509VerifyError` is now `X509VerifyResult` and can now have the "ok" value in addition to error
values.
* `x509::X509FileType` is now `ssl::SslFiletype`.
* Asymmetric key serialization and deserialization methods now document the formats that they
correspond to, and some have been renamed to better indicate that.
### Removed
* All deprecated APIs have been removed.
* NPN support has been removed. It has been supersceded by ALPN, and is hopefully no longer being
used in practice. If you still depend on it, please file an issue!
* `SslRef::compression` has been removed.
* Some `ssl::SslOptions` flags have been removed as they no longer do anything.
## Older
Look at the [release tags] for information about older releases.
[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.7...master
[v0.10.7]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.6...openssl-v0.10.7
[v0.10.6]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.5...openssl-v0.10.6
[v0.10.5]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.4...openssl-v0.10.5
[v0.10.4]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.3...openssl-v0.10.4
[v0.10.3]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.2...openssl-v0.10.3
[v0.10.2]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.1...openssl-v0.10.2
[v0.10.1]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.0...openssl-v0.10.1
[v0.10.0]: https://github.com/sfackler/rust-openssl/compare/v0.9.23...openssl-v0.10.0
[release tags]: https://github.com/sfackler/rust-openssl/releases
|