summaryrefslogtreecommitdiffstats
path: root/CHANGES
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2018-02-21 18:47:12 +0100
committerMatt Caswell <matt@openssl.org>2018-03-14 11:15:50 +0100
commit2b527b9b3233eb312a4bf17b044660aa213883b6 (patch)
tree2c3a6ebb35fe9877bc1423c8cd3371bebcaf8cfa /CHANGES
parentAdd documentation for TLSv1.3 ciphersuite configuration (diff)
downloadopenssl-2b527b9b3233eb312a4bf17b044660aa213883b6.tar.xz
openssl-2b527b9b3233eb312a4bf17b044660aa213883b6.zip
Update CHANGES with details of TLSv1.3 ciphersuite configuration
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5392)
Diffstat (limited to 'CHANGES')
-rw-r--r--CHANGES16
1 files changed, 10 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index dcbe2916c4..0e275c31e0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,15 @@
Changes between 1.1.0g and 1.1.1 [xx XXX xxxx]
+ *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
+ configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
+ below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
+ In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
+ would otherwise inadvertently disable all TLSv1.3 ciphersuites the
+ configuraton has been separated out. See the ciphers man page or the
+ SSL_CTX_set_ciphersuites() man page for more information.
+ [Matt Caswell]
+
*) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
in responder mode now supports the new "-multi" option, which
spawns the specified number of child processes to handle OCSP
@@ -35,12 +44,7 @@
*) Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
- that they are still appropriate for TLSv1.3. In particular if no TLSv1.3
- ciphersuites are enabled then OpenSSL will refuse to make a connection
- unless (1) TLSv1.3 is explicitly disabled or (2) the ciphersuite
- configuration is updated to include suitable ciphersuites. The DEFAULT
- ciphersuite configuration does include TLSv1.3 ciphersuites. For further
- information on this and other related issues please see:
+ that they are still appropriate for TLSv1.3. For further information see:
https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
NOTE: In this pre-release of OpenSSL a draft version of the