Releases: rustls/rustls

0.23.7

17 May 17:37
@ctz ctz
  • send_close_notify is now idempotent, in case it is accidentally called more than once.
  • read_tls now refuses to read further data after a close_notify is received, by returning Ok(0) (i.e., an EOF).
  • Corrects the fix in 0.23.6 so that data received after close_notify is properly discarded, avoiding a spurious DecryptError on subsequent calls to process_new_packets().

What's Changed

  • Avoid sending multiple close notifies by @ctz in #1955

Full Changelog: v/0.23.6...v/0.23.7

0.23.6

16 May 15:14
@ctz ctz
  • Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
  • Ignore data received after close_notify (#1950)

What's Changed

  • MSRV 1.61 -> 1.63 by @cpu in #1902
  • Install golang on macos runners by @ctz in #1919
  • deps: update cargo semver compatible deps by @cpu in #1914
  • crypto::aws_lc_rs: minor docs nits by @ctz in #1923
  • deps: update cargo semver compatible deps by @cpu in #1928
  • Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
  • README.md: fix spelling error by @ctz in #1933
  • Apply suggestions from clippy 1.78 by @djc in #1934
  • aws-lc-rs: reduce priority of ECDSA_NISTP521_SHA512 by @ctz in #1924
  • Rename SignatureScheme::sign by @ctz in #1936
  • Cargo.lock: update rustls version under hickory by @ctz in #1937
  • ring: cfg-gate the hmac module by @cpu in #1940
  • build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
  • deps: update cargo semver compatible deps by @cpu in #1943
  • Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
  • bogo: fix config rewriting when cpp is clang by @djc in #1948
  • Warn on lints, don't deny by @djc in #1949
  • Ignore data appearing after close_notify by @djc in #1950
  • Prepare 0.23.6 by @ctz in #1952
  • deps: update cargo semver compatible deps by @cpu in #1953

Full Changelog: v/0.23.5...v/0.23.6

0.21.12

26 Apr 14:51
@cpu cpu
  • The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
  • MSRV is now 1.63.

What's Changed

  • v0.21.12 release preparation by @cpu in #1925

Full Changelog: v/0.21.11...v/0.21.12

0.23.5

19 Apr 15:16
@ctz ctz
  • This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io(), reachable via network input. If a close_notify alert is received during a handshake, complete_io() did not terminate. Callers which do not call complete_io() are not affected.
  • Add an API (handshake_kind()) for learning whether a handshake was resumed or not.
  • no-std support has been extended, allowing use of LimitedCache, ResolvesServerCertUsingSni, ServerSessionMemoryCache, ClientSessionStore, TicketSwitcher and the aws-lc-rs/ring Ticketer when the hashbrown feature is enabled and a compatible no-std Mutex implementation provided.
  • The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.

What's Changed

  • Cargo.lock: update semver compatible deps by @cpu in #1874
  • quic: make Suite Copy by @djc in #1879
  • no-std support phase II by @pvdrz in #1688
  • Relax server_name extension validation by @ctz in #1881
  • Correct references to VerifierBuilderError by @ctz in #1884
  • connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
  • deps: update semver compatible deps by @cpu in #1885
  • deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
  • build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
  • deps: update cargo semver compatible deps by @cpu in #1892
  • replace build-a-pki.sh with Rust+rcgen, rcgen 0.13 by @cpu in #1852
  • docs: update ROADMAP post-quantum kex item by @cpu in #1894
  • deps: update cargo semver compatible deps by @cpu in #1897
  • Expose connection resumption details by @ctz in #1899
  • Return Option from handshake_kind() by @ctz in #1900
  • docs: update SECURITY example by @cpu in #1903
  • Correct complete_io behaviour when close_notify alert is received by @ctz in #1905

Full Changelog: v/0.23.4...v/0.23.5

0.22.4

19 Apr 15:18
@ctz ctz
This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

  • Correct complete_io behaviour when close_notify alert is received (0.22 edition) by @ctz in #1906

Full Changelog: v/0.22.3...v/0.22.4

0.21.11

19 Apr 15:22
@ctz ctz
This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

  • rel-0.21 branch housekeeping by @ctz in #1904
  • Correct complete_io behaviour when close_notify alert is received (0.21 edition) by @ctz in #1907

Full Changelog: v/0.21.10...v/0.21.11

0.23.4

25 Mar 15:13
@ctz ctz
  • Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy.
  • Improve documentation and example code around AcceptedAlert::write.

What's Changed

  • ClientKeyExchangeParams: widen feature gate to avoid clippy lint by @ctz in #1866
  • Add path for rustls-post-quantum -> rustls dependency by @ctz in #1865
  • Correct ECDSA-SHA1 allergy by @ctz in #1869
  • Improve AcceptedAlert::write documentation, example usage by @cpu in #1868
  • Further new nightly clippy corrections by @ctz in #1872

Full Changelog: v/0.23.3...v/0.23.4

0.22.3

25 Mar 14:42
@ctz ctz
  • Bug fix: return correct ConnectionTrafficSecrets variant from dangerous_extract_secrets() when AES-256-GCM is negotiated. See #1833
  • Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy. See seanmonstar/reqwest#2191

Full Changelog: v/0.22.2...v/0.22.3

0.23.3

20 Mar 18:04
@ctz ctz
Release notes

  • Bug fix: correct cipher suite selection when ECDHE and FFDHE suites are both offered.

What's Changed

  • Prepare rustls-post-quantum 0.1.0 by @ctz in #1847
  • small no-std CI tweaks by @cpu in #1848
  • Use jemalloc in benchmarks by @ctz in #1849
  • rustls-post-quantum: correct formatting by @ctz in #1850
  • Cargo.lock: update semver compatible deps by @cpu in #1855
  • Add auto build to bench-measure by @SimonTate in #1856
  • small clippy fixes by @cpu in #1858
  • Fix ffdhe no common cipher suite bug by @Taowyoo in #1861
  • admin/coverage: pass script args to all llvm-cov calls by @ctz in #1859
  • Prepare 0.23.3 by @ctz in #1863

Full Changelog: v/0.23.2...v/0.23.3

0.23.2

13 Mar 16:53
@ctz ctz
  • Bug fix: return correct ConnectionTrafficSecrets variant from dangerous_extract_secrets() when AES-256-GCM is negotiated.
  • New feature: groundwork for supporting post-quantum key exchange. Experimental support for X25519Kyber768Draft00 will be released as a separate crate: rustls-post-quantum.
  • Add aws-lc-rs crate feature as alias for aws_lc_rs crate feature.

What's Changed

  • Return correct ConnectionTrafficSecrets variant when AES-256-GCM is negotiated. by @Arnavion in #1834
  • ci: fixup fmt unstable by @cpu in #1832
  • build(deps): bump mio from 0.8.10 to 0.8.11 by @dependabot in #1837
  • Fix newly found unused_qualifications warnings by @ctz in #1839
  • Attempt to improve merge_group job performance by @ctz in #1840
  • Fix new nightly clippy lints by @ctz in #1842
  • Add an aws-lc-rs feature as an alias for aws_lc_rs by @joshtriplett in #1843
  • Cargo: update semver compatible deps by @cpu in #1844
  • Support for X25519Kyber768Draft00 post-quantum key exchange by @ctz in #1785
  • Prepare 0.23.2 by @ctz in #1846

Full Changelog: v/0.23.1...v/0.23.2