diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2020-07-16 23:30:43 -0200 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2020-07-21 16:40:07 -0200 |
| commit | 77174598920a05826a28d8a0bd87a3af43d3f4d8 (patch) | |
| tree | ed3d423072d3f399e583d1cc7787f1d5490a3e0e /CHANGES.md | |
| parent | 5ac582d949c4f0dbf919c99d59496035a1f7e982 (diff) | |
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
Diffstat (limited to 'CHANGES.md')
| -rw-r--r-- | CHANGES.md | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 5ff188c18c..14694739ae 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,22 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently + ignore TLS protocol version bounds when configuring DTLS-based contexts, and + conversely, silently ignore DTLS protocol version bounds when configuring + TLS-based contexts. The commands can be repeated to set bounds of both + types. The same applies with the corresponding "min_protocol" and + "max_protocol" command-line switches, in case some application uses both TLS + and DTLS. + + SSL_CTX instances that are created for a fixed protocol version (e.g. + TLSv1_server_method()) also silently ignore version bounds. Previously + attempts to apply bounds to these protocol versions would result in an + error. Now only the "version-flexible" SSL_CTX instances are subject to + limits in configuration files in command-line options. + + *Viktor Dukhovni* + * Deprecated the `ENGINE` API. Engines should be replaced with providers going forward. |