Releases: rustls/rustls
0.23.7
- send_close_notify is now idempotent, in case it is accidentally called more than once.
- read_tls now refuses to read further data after a close_notify is received, by returning Ok(0) (ie, an EOF).
- Correct fix in 0.23.6 to properly discard data after close_notify received, avoiding a spurious DecryptError on subsequent calls to process_new_packets().
What's Changed
Full Changelog: v/0.23.6...v/0.23.7
0.23.6
- Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
- Ignore data received after close_notify (#1950)
What's Changed
- MSRV 1.61 -> 1.63 by @cpu in #1902
- Install golang on macos runners by @ctz in #1919
- deps: update cargo semver compatible deps by @cpu in #1914
- crypto::aws_lc_rs: minor docs nits by @ctz in #1923
- deps: update cargo semver compatible deps by @cpu in #1928
- Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
- README.md: fix spelling error by @ctz in #1933
- Apply suggestions from clippy 1.78 by @djc in #1934
- aws-lc-rs: reduce priority of ECDSA_NISTP521_SHA512 by @ctz in #1924
- Rename SignatureScheme::sign by @ctz in #1936
- Cargo.lock: update rustls version under hickory by @ctz in #1937
- ring: cfg-gate the hmac module by @cpu in #1940
- build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
- deps: update cargo semver compatible deps by @cpu in #1943
- Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
- bogo: fix config rewriting when cpp is clang by @djc in #1948
- Warn on lints, don't deny by @djc in #1949
- Ignore data appearing after close_notify by @djc in #1950
- Prepare 0.23.6 by @ctz in #1952
- deps: update cargo semver compatible deps by @cpu in #1953
New Contributors
Full Changelog: v/0.23.5...v/0.23.6
0.21.12
0.23.5
- This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io(), reachable via network input. If a close_notify alert is received during a handshake, complete_io() did not terminate. Callers which do not call complete_io() are not affected.
- Add an API (handshake_kind()) for learning whether a handshake was resumed or not.
- no-std support has been extended, allowing use of LimitedCache, ResolvesServerCertUsingSni, ServerSessionMemoryCache, ClientSessionStore, TicketSwitcher and the aws-lc-rs/ring Ticketer when the hashbrown feature is enabled and a compatible no-std Mutex implementation provided.
- The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
What's Changed
- Cargo.lock: update semver compatible deps by @cpu in #1874
- quic: make Suite Copy by @djc in #1879
- no-std support phase II by @pvdrz in #1688
- Relax server_name extension validation by @ctz in #1881
- Correct references to VerifierBuilderError by @ctz in #1884
- connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
- deps: update semver compatible deps by @cpu in #1885
- deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
- build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
- deps: update cargo semver compatible deps by @cpu in #1892
- replace build-a-pki.sh with Rust+rcgen, rcgen 0.13 by @cpu in #1852
- docs: update ROADMAP post-quantum kex item by @cpu in #1894
- deps: update cargo semver compatible deps by @cpu in #1897
- Expose connection resumption details by @ctz in #1899
- Return Option from handshake_kind() by @ctz in #1900
- docs: update SECURITY example by @cpu in #1903
- Correct complete_io behaviour when close_notify alert is received by @ctz in #1905
Full Changelog: v/0.23.4...v/0.23.5
0.22.4
This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.
What's Changed
Full Changelog: v/0.22.3...v/0.22.4
0.21.11
This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.
What's Changed
- rel-0.21 branch housekeeping by @ctz in #1904
- Correct complete_io behaviour when close_notify alert is received (0.21 edition) by @ctz in #1907
Full Changelog: v/0.21.10...v/0.21.11
0.23.4
- Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy.
- Improve documentation and example code around AcceptedAlert::write
What's Changed
- ClientKeyExchangeParams: widen feature gate to avoid clippy lint by @ctz in #1866
- Add path for rustls-post-quantum -> rustls dependency by @ctz in #1865
- Correct ECDSA-SHA1 allergy by @ctz in #1869
- Improve AcceptedAlert::write documentation, example usage by @cpu in #1868
- Further new nightly clippy corrections by @ctz in #1872
Full Changelog: v/0.23.3...v/0.23.4
0.22.3
- Bug fix: return correct ConnectionTrafficSecrets variant from dangerous_extract_secrets() when AES-256-GCM is negotiated. See #1833
- Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy. See seanmonstar/reqwest#2191
What's Changed
Full Changelog: v/0.22.2...v/0.22.3
0.23.3
Release notes
- Bug fix: correct cipher suite selection when ECDHE and FFDHE suites are both offered.
What's Changed
- Prepare rustls-post-quantum 0.1.0 by @ctz in #1847
- small no-std CI tweaks by @cpu in #1848
- Use jemalloc in benchmarks by @ctz in #1849
- rustls-post-quantum: correct formatting by @ctz in #1850
- Cargo.lock: update semver compatible deps by @cpu in #1855
- Add auto build to bench-measure by @SimonTate in #1856
- small clippy fixes by @cpu in #1858
- Fix ffdhe no common cipher suite bug by @Taowyoo in #1861
- admin/coverage: pass script args to all llvm-cov calls by @ctz in #1859
- Prepare 0.23.3 by @ctz in #1863
New Contributors
- @SimonTate made their first contribution in #1856
Full Changelog: v/0.23.2...v/0.23.3
0.23.2
- Bug fix: return correct ConnectionTrafficSecrets variant from dangerous_extract_secrets() when AES-256-GCM is negotiated.
- New feature: groundwork for supporting post-quantum key exchange. Experimental support for X25519Kyber768Draft00 will be released as a separate crate: rustls-post-quantum.
- Add aws-lc-rs crate feature as alias for aws_lc_rs crate feature.
What's Changed
- Return correct ConnectionTrafficSecrets variant when AES-256-GCM is negotiated. by @Arnavion in #1834
- ci: fixup fmt unstable by @cpu in #1832
- build(deps): bump mio from 0.8.10 to 0.8.11 by @dependabot in #1837
- Fix newly found unused_qualifications warnings by @ctz in #1839
- Attempt to improve merge_group job performance by @ctz in #1840
- Fix new nightly clippy lints by @ctz in #1842
- Add an aws-lc-rs feature as an alias for aws_lc_rs by @joshtriplett in #1843
- Cargo: update semver compatible deps by @cpu in #1844
- Support for X25519Kyber768Draft00 post-quantum key exchange by @ctz in #1785
- Prepare 0.23.2 by @ctz in #1846
New Contributors
Full Changelog: v/0.23.1...v/0.23.2