Permalink
Browse files

DANE CHANGES

Reviewed-by: Richard Levitte <levitte@openssl.org>
  • Loading branch information...
Viktor Dukhovni
Viktor Dukhovni committed Jan 8, 2016
1 parent 60d8edb commit 59fd40d4e5030a7257edd11d758eab1dcebb3787
Showing with 15 additions and 0 deletions.
  1. +14 −0 CHANGES
  2. +1 −0 NEWS
View
14 CHANGES
@@ -4,6 +4,20 @@
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
*) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
Obtaining and performing DNSSEC validation of TLSA records is
the application's responsibility. The application provides
the TLSA records of its choice to OpenSSL, and these are then
used to authenticate the peer.
The TLSA records need not even come from DNS. They can, for
example, be used to implement local end-entity certificate or
trust-anchor "pinning", where the "pin" data takes the form
of TLSA records, which can augment or replace verification
based on the usual WebPKI public certification authorities.
[Viktor Dukhovni]
*) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
continues to support deprecated interfaces in default builds.
However, applications are strongly advised to compile their
View
1 NEWS
@@ -28,6 +28,7 @@
argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
o Application software can be compiled with -DOPENSSL_API_COMPAT=version
to ensure that features deprecated before that version are not exposed.
o Support for RFC6698/RFC7671 DANE TLSA peer authentication
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

0 comments on commit 59fd40d

Please sign in to comment.