diff options
author | Matt Caswell <matt@openssl.org> | 2021-01-14 15:50:20 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-02-05 15:22:40 +0000 |
commit | a763ca11777ce01a286751f3f3dd9b106ef74f30 (patch) | |
tree | 7ad54dd22661b8373f57ffefdee897b6282dc225 /CHANGES.md | |
parent | 8b1db5d329740bd5363fd1763d4030d0e015b521 (diff) |
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.
Fixes #13767
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index d80016560e..7c934935eb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,17 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. + Typically if OpenSSL has no EC or DH algorithms then it cannot support + connections with TLSv1.3. However OpenSSL now supports "pluggable" groups + through providers. Therefore third party providers may supply group + implementations even where there are no built-in ones. Attempting to create + TLS connections in such a build without also disabling TLSv1.3 at run time or + using third party provider groups may result in handshake failures. TLSv1.3 + can be disabled at compile time using the "no-tls1_3" Configure option. + + *Matt Caswell* + * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. |