Releases: rustls/rustls

0.23.10

13 Jun 15:26
@cpu
  • draft-ietf-tls-esni-18 encrypted client hello (ECH) is now supported for client applications. See the ech-client.rs example for a complete end-to-end demonstration using DNS-over-HTTPS to retrieve a server's ECH configuration for building a Rustls ClientConfig using with_ech().
  • Additional safety limits guarding against fruitless processing of small messages have been added. Rustls will now limit excessive warning-level alerts, post-handshake renegotiation attempts, key update requests, and empty plaintext fragments.
  • FIPS mode has been updated to exclude X25519 key exchange.

What's Changed

  • docs: add OpenSSF best practices badge by @cpu in #1985
  • ROADMAP: check off cert compression by @ctz in #1987
  • chore: Configure Renovate by @renovate-bot in #1984
  • chore(deps): lock file maintenance by @renovate-bot in #1991
  • Disable x25519 key exchange in fips mode by @ctz in #1993
  • aws_lc_rs: fix unused import w/ no-std by @cpu in #1994
  • Limit fruitless processing of small messages by @ctz in #1988
  • fix lib.rs examples link by @bmw in #1995
  • chore(deps): lock file maintenance by @renovate-bot in #1996
  • Revert "ci: temp. pin nightly to 2024-05-22" by @cpu in #1998
  • Encrypted Client Hello support (client only) by @cpu in #1718
  • apply nightly formatting by @cpu in #2002
  • ech: implement inner hello extension compression by @cpu in #2001
  • v0.23.10 release preparation by @cpu in #2004

Full Changelog: v/0.23.9...v/0.23.10

0.23.9

03 Jun 15:07
@ctz
  • RFC8879 certificate compression is now supported. Get started by enabling the brotli and/or zlib crate features, which depend on the brotli or zlib-rs crates. We recommend brotli as it has the widest deployment so far.

What's Changed

  • ci: temp. pin nightly to 2024-05-22 by @cpu in #1971
  • deps: update semver compatible dependencies by @cpu in #1972
  • Fix LTO setting and a clippy::use_self finding by @cpu in #1973
  • ci: update cargo-check-external-types toolchain by @cpu in #1974
  • fix rustc-check-cfg by @cpu in #1975
  • Support RFC8879 certificate compression by @ctz in #1966
  • Update roadmap to reflect initial release of the OpenSSL compat layer by @bdaehlie in #1977
  • Implement RFC 9180 HPKE provider backed by aws-lc-rs by @cpu in #1963
  • Tidy handshake_tests file by @ctz in #1978
  • General roadmap updates. by @bdaehlie in #1979
  • Minor #[allow()] cleanups by @ctz in #1982
  • Prepare 0.23.9 by @ctz in #1986

Full Changelog: v/0.23.8...v/0.23.9

0.23.8

23 May 13:43
@ctz

Full Changelog: v/0.23.7...v/0.23.8

0.23.7

17 May 17:37
@ctz
  • send_close_notify is now idempotent, in case it is accidentally called more than once.
  • read_tls now refuses to read further data after a close_notify is received, by returning Ok(0) (i.e., an EOF).
  • Corrects the fix in 0.23.6 so that data received after close_notify is properly discarded, avoiding a spurious DecryptError on subsequent calls to process_new_packets().

What's Changed

  • Avoid sending multiple close notifies by @ctz in #1955

Full Changelog: v/0.23.6...v/0.23.7

0.23.6

16 May 15:14
@ctz
  • Improve interop with TLS1.2 servers having ECDSA certificates when using aws-lc-rs provider (#1924)
  • Ignore data received after close_notify (#1950)

What's Changed

  • MSRV 1.61 -> 1.63 by @cpu in #1902
  • Install golang on macos runners by @ctz in #1919
  • deps: update cargo semver compatible deps by @cpu in #1914
  • crypto::aws_lc_rs: minor docs nits by @ctz in #1923
  • deps: update cargo semver compatible deps by @cpu in #1928
  • Small correction to the quic::PacketKey::integrity_limit doc by @MOZGIII in #1930
  • README.md: fix spelling error by @ctz in #1933
  • Apply suggestions from clippy 1.78 by @djc in #1934
  • aws-lc-rs: reduce priority of ECDSA_NISTP521_SHA512 by @ctz in #1924
  • Rename SignatureScheme::sign by @ctz in #1936
  • Cargo.lock: update rustls version under hickory by @ctz in #1937
  • ring: cfg-gate the hmac module by @cpu in #1940
  • build: emit rustc-check-cfg for bench, read_buf by @cpu in #1942
  • deps: update cargo semver compatible deps by @cpu in #1943
  • Smaller misc changes extracted from client-side ECH branch by @cpu in #1944
  • bogo: fix config rewriting when cpp is clang by @djc in #1948
  • Warn on lints, don't deny by @djc in #1949
  • Ignore data appearing after close_notify by @djc in #1950
  • Prepare 0.23.6 by @ctz in #1952
  • deps: update cargo semver compatible deps by @cpu in #1953

Full Changelog: v/0.23.5...v/0.23.6

0.21.12

26 Apr 14:51
@cpu
  • The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.
  • MSRV is now 1.63.

What's Changed

  • v0.21.12 release preparation by @cpu in #1925

Full Changelog: v/0.21.11...v/0.21.12

0.23.5

19 Apr 15:16
@ctz
  • This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io(), reachable via network input. If a close_notify alert is received during a handshake, complete_io() did not terminate. Callers which do not call complete_io() are not affected.
  • Add an API (handshake_kind()) for learning whether a handshake was resumed or not.
  • no-std support has been extended, allowing use of LimitedCache, ResolvesServerCertUsingSni, ServerSessionMemoryCache, ClientSessionStore, TicketSwitcher and the aws-lc-rs/ring Ticketer when the hashbrown feature is enabled and a compatible no-std Mutex implementation is provided.
  • The server name indication (SNI) client extension is now ignored when it contains an out-of-specification IP address value.

What's Changed

  • Cargo.lock: update semver compatible deps by @cpu in #1874
  • quic: make Suite Copy by @djc in #1879
  • no-std support phase II by @pvdrz in #1688
  • Relax server_name extension validation by @ctz in #1881
  • Correct references to VerifierBuilderError by @ctz in #1884
  • connect-tests: ignore rsa8192.badssl.com by @cpu in #1886
  • deps: update semver compatible deps by @cpu in #1885
  • deps: aws-lc-rs 1.6.2 -> 1.6.4 by @cpu in #1888
  • build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #1889
  • deps: update cargo semver compatible deps by @cpu in #1892
  • replace build-a-pki.sh with Rust+rcgen, rcgen 0.13 by @cpu in #1852
  • docs: update ROADMAP post-quantum kex item by @cpu in #1894
  • deps: update cargo semver compatible deps by @cpu in #1897
  • Expose connection resumption details by @ctz in #1899
  • Return Option from handshake_kind() by @ctz in #1900
  • docs: update SECURITY example by @cpu in #1903
  • Correct complete_io behaviour when close_notify alert is received by @ctz in #1905

Full Changelog: v/0.23.4...v/0.23.5

0.22.4

19 Apr 15:18
@ctz

This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

  • Correct complete_io behaviour when close_notify alert is received (0.22 edition) by @ctz in #1906

Full Changelog: v/0.22.3...v/0.22.4

0.21.11

19 Apr 15:22
@ctz

This release corrects a denial-of-service condition in rustls::ConnectionCommon::complete_io, reachable via network input. If a close_notify alert is received during a handshake, complete_io did not terminate. Callers which do not call complete_io are not affected.

What's Changed

  • rel-0.21 branch housekeeping by @ctz in #1904
  • Correct complete_io behaviour when close_notify alert is received (0.21 edition) by @ctz in #1907

Full Changelog: v/0.21.10...v/0.21.11
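
The complete_io denial-of-service correction described above shipped as 0.23.5, 0.22.4 and 0.21.11. As an added example (not rustls project code), the following checks the rustls versions pinned in a Cargo.lock against those three fix releases; the lock excerpt is constructed, and the names classify, audit and Status are hypothetical.

```rust
// Added example, not rustls code: (minor, first patch with the complete_io fix), per these notes.
const FIXED: [(u64, u64); 3] = [(21, 11), (22, 4), (23, 5)];
#[derive(Debug, PartialEq)]
enum Status { Fixed, PredatesFix, NotCovered }

fn classify(version: &str) -> Status {
    // Any non-numeric component (pre-release or build suffix) yields None -> NotCovered.
    let parts: Option<Vec<u64>> = version.split('.').map(|p| p.parse().ok()).collect();
    let (minor, patch) = match parts.as_deref() {
        Some([0, minor, patch]) => (*minor, *patch),
        _ => return Status::NotCovered,
    };
    match FIXED.iter().find(|(m, _)| *m == minor) {
        Some((_, fixed)) if patch >= *fixed => Status::Fixed,
        Some(_) => Status::PredatesFix,
        None => Status::NotCovered, // release line these notes say nothing about
    }
}

// Constructed Cargo.lock excerpt: two rustls versions plus an unrelated crate.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rustls"
version = "0.23.4"
[[package]]
name = "rustls-pemfile"
version = "2.1.2"
[[package]]
name = "rustls"
version = "0.21.12"
"#;

// Walk the lock file and classify every pinned version of the crate named exactly "rustls".
fn audit(lock: &str) -> Vec<(String, Status)> {
    let (mut out, mut is_rustls) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            is_rustls = false;
        } else if let Some(name) = line.strip_prefix("name = ") {
            is_rustls = name.trim_matches('"') == "rustls";
        } else if let (true, Some(v)) = (is_rustls, line.strip_prefix("version = ")) {
            out.push((v.trim_matches('"').to_string(), classify(v.trim_matches('"'))));
        }
    }
    out
}

fn main() {
    for (v, s) in audit(SAMPLE_LOCK) { println!("rustls {v}: {s:?}"); }
}
```

A lock file can pin more than one rustls version at once, so every entry is reported. Per the release notes, only callers of complete_io are affected.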

0.23.4

25 Mar 15:13
@ctz
  • Bug fix: correct cipher suite filtering if a custom certificate verifier offers support for SignatureScheme::ECDSA_SHA1_Legacy.
  • Improve documentation and example code around AcceptedAlert::write.

What's Changed

  • ClientKeyExchangeParams: widen feature gate to avoid clippy lint by @ctz in #1866
  • Add path for rustls-post-quantum -> rustls dependency by @ctz in #1865
  • Correct ECDSA-SHA1 allergy by @ctz in #1869
  • Improve AcceptedAlert::write documentation, example usage by @cpu in #1868
  • Further new nightly clippy corrections by @ctz in #1872

Full Changelog: v/0.23.3...v/0.23.4