| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-07 22:00:14 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-07 22:00:14 -0500 |
| commit | 59fd40d4e5030a7257edd11d758eab1dcebb3787 (patch) | |
| tree | 250c0e55669e1563a59f79fb10f43707e0b414a2 | |
| parent | 60d8edbc0982cc910a1edcb43cf318dc2c7c08cf (diff) | |
DANE CHANGES
Reviewed-by: Richard Levitte <levitte@openssl.org>
| -rw-r--r-- | CHANGES | 14 |
| -rw-r--r-- | NEWS | 1 |

2 files changed, 15 insertions, 0 deletions
@@ -4,6 +4,20 @@ Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + *) Support for RFC6698/RFC7671 DANE TLSA peer authentication. + + Obtaining and performing DNSSEC validation of TLSA records is + the application's responsibility. The application provides + the TLSA records of its choice to OpenSSL, and these are then + used to authenticate the peer. + + The TLSA records need not even come from DNS. They can, for + example, be used to implement local end-entity certificate or + trust-anchor "pinning", where the "pin" data takes the form + of TLSA records, which can augment or replace verification + based on the usual WebPKI public certification authorities. + [Viktor Dukhovni] + *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL continues to support deprecated interfaces in default builds. However, applications are strongly advised to compile their @@ -28,6 +28,7 @@ argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. o Application software can be compiled with -DOPENSSL_API_COMPAT=version to ensure that features deprecated before that version are not exposed. + o Support for RFC6698/RFC7671 DANE TLSA peer authentication Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] |
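Review bot: In the CHANGES hunk, the new entry states that DNSSEC validation of TLSA records is the application's responsibility but never says what follows if that step is skipped; since the same paragraph says the supplied records "are then used to authenticate the peer", add one sentence making explicit that only DNSSEC-validated records, or locally configured pin data of the kind the third paragraph describes, should be passed to OpenSSL, so readers do not treat raw, unvalidated DNS answers as authentication input. The entry also cites RFC6698/RFC7671 but names none of the new interfaces; listing the entry points an application must call to supply the TLSA records would make the feature discoverable from CHANGES alone.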
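Review bot: In the NEWS hunk, the added bullet "o Support for RFC6698/RFC7671 DANE TLSA peer authentication" lacks the terminating period that the preceding bullet ("...are not exposed.") carries; end it with a period for consistency with the surrounding list.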