Releases: rustls/rustls
0.23.12
Added support for P521 SHA-256/SHA-384 signature verification with aws-lc-rs.
What's Changed
- chore(deps): update rust crate tikv-jemallocator to 0.6 by @renovate-bot in #2045
- chore(deps): lock file maintenance by @renovate-bot in #2046
- ci: tweak renovate config by @cpu in #2047
- Support P521 SHA-256/SHA-384 signatures with aws-lc-rs by @samin-cf in #2050
- build(deps): bump openssl from 0.10.64 to 0.10.66 by @dependabot in #2051
- Prepare 0.23.12 release by @samin-cf in #2052
0.23.11
-
New feature: API for determining whether a
CertifiedKey
's certificate and private key matches:keys_match()
. This is called from existing fallible functions that accept a private key and certificate (for example,with_single_cert()
) so these functions now detect this misconfiguration.This relies on a new -- optional -- member of the
SigningKey
trait:public_key()
-- downstream implementers of this trait can opt-in to this behavior by implementing this method. -
New feature: API for determining which key exchange group a connection used:
negotiated_key_exchange_group()
-
New feature: Automatic sending of TLS1.3
key_update
messages to avoid exceeding AEAD confidentiality limits. This is complemented with a new API for manual use,refresh_traffic_keys()
-
Expose common connection items in unbuffered API (docs)
What's Changed
- docs: cross off client-side ECH from roadmap by @cpu in #2006
- fix(deps): update rust crate zlib-rs to 0.2 by @renovate-bot in #2005
- deps: use hickory-resolver 0.25 alpha release by @cpu in #2007
- chore(deps): update seanmiddleditch/gha-setup-ninja action to v5 by @renovate-bot in #2008
- (Examples) Bugfix: Use normal brackets to avoid docopt literal default by @ckcr4lyf in #2009
- docs: add ech-client.rs to examples/README.md by @cpu in #2011
- build(deps): bump curve25519-dalek from 4.1.2 to 4.1.3 by @dependabot in #2012
- Refactor integration tests to let rustfmt work by @ctz in #2014
- (Examples) Feature: Use port-prefix naming to lookup correct ECHConfig by @ckcr4lyf in #2013
- docs: word iff => if and only if by @Borber in #2015
key_update
API and automatic key refreshing by @ctz in #2003- chore(deps): lock file maintenance by @renovate-bot in #2020
- Fix flickery unbuffered examples by @ctz in #2017
key_update
review follow-up by @ctz in #2016- add warn for elided_lifetimes_in_paths by @cpu in #2025
- chore: fix some comments by @haouvw in #2026
- Tighten up ticketer decryption by @ctz in #2022
- examples Fix minor typo (ciper -> cipher) by @bheesham in #2027
- chore(deps): lock file maintenance by @renovate-bot in #2029
- unbuffered: add missing deref for
CommonState
by @ctz in #2032 - common_state: expose key exchange group by @cpu in #2028
- Add function to verify CertifiedKey consistency by @lvkv in #1954
- Avoid markdown footnotes by @ctz in #2033
- Benchmark unbuffered API by @ctz in #2024
- chore(deps): lock file maintenance by @renovate-bot in #2035
- chore(deps): lock file maintenance by @renovate-bot in #2036
- Verify CertifiedKey consistency in ConfigBuilder with_single_cert methods by @lvkv in #2034
- Implement
public_key()
for all built-inSigningKey
impls by @ctz in #2039 - Prepare 0.23.11 by @ctz in #2037
New Contributors
- @ckcr4lyf made their first contribution in #2009
- @Borber made their first contribution in #2015
- @haouvw made their first contribution in #2026
- @bheesham made their first contribution in #2027
- @lvkv made their first contribution in #1954
Full Changelog: v/0.23.10...v/0.23.11
0.23.10
- draft-ietf-tls-esni-18 encrypted client hello (ECH) is now supported for client applications. See the
ech-client.rs
example for a complete end-to-end demonstration using DNS-over-HTTPS to retrieve a server's ECH configuration for building a RustlsClientConfig
usingwith_ech()
. - Additional safety limits guarding against fruitless processing of small messages have been added. Rustls will now limit excessive warning-level alerts, post-handshake renegotiation attempts, key update requests, and empty plaintext fragments.
- FIPS mode has been updated to exclude X25519 key exchange.
What's Changed
- docs: add OpenSSF best practices badge by @cpu in #1985
- ROADMAP: check off cert compression by @ctz in #1987
- chore: Configure Renovate by @renovate-bot in #1984
- chore(deps): lock file maintenance by @renovate-bot in #1991
- Disable x25519 key exchange in fips mode by @ctz in #1993
- aws_lc_rs: fix unused import w/ no-std by @cpu in #1994
- Limit fruitless processing of small messages by @ctz in #1988
- fix lib.rs examples link by @bmw in #1995
- chore(deps): lock file maintenance by @renovate-bot in #1996
- Revert "ci: temp. pin nightly to 2024-05-22" by @cpu in #1998
- Encrypted Client Hello support (client only) by @cpu in #1718
- apply nightly formatting by @cpu in #2002
- ech: implement inner hello extension compression by @cpu in #2001
- v0.23.10 release preparation by @cpu in #2004
New Contributors
- @renovate-bot made their first contribution in #1984
- @bmw made their first contribution in #1995
Full Changelog: v/0.23.9...v/0.23.10
0.23.9
- RFC8879 certificate compression is now supported. Get started by enabling the
brotli
and/orzlib
crate features, which depend on thebrotli
orzlib-rs
crates. We recommend brotli as it has the widest deployment so far.
What's Changed
- ci: temp. pin nightly to 2024-05-22 by @cpu in #1971
- deps: update semver compatible dependencies by @cpu in #1972
- Fix LTO setting and a clippy::use_self finding by @cpu in #1973
- ci: update cargo-check-external-types toolchain by @cpu in #1974
- fix rustc-check-cfg by @cpu in #1975
- Support RFC8879 certificate compression by @ctz in #1966
- Update roadmap to reflect initial release of the OpenSSL compat layer by @bdaehlie in #1977
- Implement RFC 9180 HPKE provider backed by aws-lc-rs by @cpu in #1963
- Tidy handshake_tests file by @ctz in #1978
- General roadmap updates. by @bdaehlie in #1979
- Minor
#[allow()]
cleanups by @ctz in #1982 - Prepare 0.23.9 by @ctz in #1986
Full Changelog: v/0.23.8...v/0.23.9
0.23.8
- Add support for enforcing CRL expiration, by @jasperpatterson
What's Changed
- updated the command to run the examples tlsserver-mio and tlsclient-mio by @sarath3192 in #1956
- update cargo deps by @cpu in #1960
- Misc changes around certificate encoding by @ctz in #1962
- Add support for enforcing CRL expiration by @jasperpatterson in #1922
- Certificate compression preparation by @ctz in #1964
- Prepare 0.23.8 by @ctz in #1965
New Contributors
- @sarath3192 made their first contribution in #1956
- @jasperpatterson made their first contribution in #1922
Full Changelog: v/0.23.7...v/0.23.8
0.23.7
send_close_notify
is now idempotent, in case it is accidentally called more than once.read_tls
now refuses to read further data after aclose_notify
is received, by returningOk(0)
(ie, an EOF).- Correct fix in 0.23.6 to properly discard data after
close_notify
received, avoiding a spuriousDecryptError
on subsequent calls toprocess_new_packets()
.
What's Changed
Full Changelog: v/0.23.6...v/0.23.7
0.23.6
- Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
- Ignore data received after
close_notify
(#1950)
What's Changed
- MSRV 1.61 -> 1.63 by @cpu in #1902
- Install golang on macos runners by @ctz in #1919
- deps: update cargo semver compatible deps by @cpu in #1914
- crypto::aws_lc_rs: minor docs nits by @ctz in #1923
- deps: update cargo semver compatible deps by @cpu in #1928
- Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
- README.md: fix spelling error by @ctz in #1933
- Apply suggestions from clippy 1.78 by @djc in #1934
- aws-lc-rs: reduce priority of
ECDSA_NISTP521_SHA512
by @ctz in #1924 - Rename
SignatureScheme::sign
by @ctz in #1936 - Cargo.lock: update rustls version under hickory by @ctz in #1937
- ring: cfg-gate the hmac module by @cpu in #1940
- build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
- deps: update cargo semver compatible deps by @cpu in #1943
- Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
- bogo: fix config rewriting when cpp is clang by @djc in #1948
- Warn on lints, don't deny by @djc in #1949
- Ignore data appearing after close_notify by @djc in #1950
- Prepare 0.23.6 by @ctz in #1952
- deps: update cargo semver compatible deps by @cpu in #1953
New Contributors
Full Changelog: v/0.23.5...v/0.23.6
0.21.12
0.23.5
- This release corrects a denial-of-service condition in
rustls::ConnectionCommon::complete_io()
, reachable via network input. If aclose_notify
alert is received during a handshake,complete_io()
did not terminate. Callers which do not callcomplete_io()
are not affected. - Add an API (
handshake_kind()
) for learning whether a handshake was resumed or not. no-std
support has been extended, allowing use ofLimitedCache
,ResolvesServerCertUsingSni
,ServerSessionMemoryCache
,ClientSessionStore
,TicketSwitcher
and the aws-lc-rs/ringTicketer
when thehashbrown
feature is enabled and a compatibleno-std
Mutex
implementation provided.- The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
What's Changed
- Cargo.lock: update semver compatible deps by @cpu in #1874
- quic: make Suite Copy by @djc in #1879
- no-std support phase II by @pvdrz in #1688
- Relax
server_name
extension validation by @ctz in #1881 - Correct references to
VerifierBuilderError
by @ctz in #1884 - connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
- deps: update semver compatible deps by @cpu in #1885
- deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
- build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
- deps: update cargo semver compatible deps by @cpu in #1892
- replace build-a-pki.sh with Rust rcgen, rcgen 0.13 by @cpu in #1852
- docs: update ROADMAP post-quantum kex item by @cpu in #1894
- deps: update cargo semver compatible deps by @cpu in #1897
- Expose connection resumption details by @ctz in #1899
- Return
Option
fromhandshake_kind()
by @ctz in #1900 - docs: update SECURITY example by @cpu in #1903
- Correct
complete_io
behaviour whenclose_notify
alert is received by @ctz in #1905
Full Changelog: v/0.23.4...v/0.23.5
0.22.4
This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io
, reachable via network input. If a close_notify
alert is received during a handshake, complete_io
did not terminate. Callers which do not call complete_io
are not affected.
What's Changed
Full Changelog: v/0.22.3...v/0.22.4