From ab060f8c8be4b1d3f0e0b127b0ebdaf429b225d0 Mon Sep 17 00:00:00 2001 From: Timon Date: Sun, 30 Jan 2022 14:24:12 +0100 Subject: [PATCH] Move (most) release notes to one, single, seperate document. --- OLDCHANGES.md | 136 ----------------------------- README.md | 89 +------------------ RELEASE_NOTES.md | 223 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 224 insertions(+), 224 deletions(-) delete mode 100644 OLDCHANGES.md create mode 100644 RELEASE_NOTES.md diff --git a/OLDCHANGES.md b/OLDCHANGES.md deleted file mode 100644 index 9fd38bbf..00000000 --- a/OLDCHANGES.md +++ /dev/null @@ -1,136 +0,0 @@ -## Release history - -* 0.17.0 (2020-02-22): - - *Breaking API change*: ALPN protocols offered by the client are passed - to the server certificate resolution trait (`ResolvesServerCert`). - - *Breaking API change*: The server certificate resolution trait now - takes a struct containing its arguments, so new data can be passed - to these functions without further breaking changes. - - Signature schemes offered by the client are now filtered to those - compatible with the client-offered ciphersuites. Prior to this change - it was likely that server key type switching would not work for clients - that offer signature schemes mismatched with their ciphersuites. - - Add manual with goal-oriented documentation, and rationale for design - decisions. - - *Breaking API change*: `AlwaysResolvesClientCert::new` is now fallible, - as is `ClientConfig::set_single_client_cert`. -* 0.16.0 (2019-08-10): - - Optimisation of read path for polled non-blocking IO. - - Correct an omission in TLS1.3 middlebox compatibility mode, causing - handshake failures with servers behind buggy middleboxes. - - Move to *ring* 0.16. - - Assorted refactoring to reduce memory usage during and after - handshake. - - Update other dependencies. -* 0.15.2 (2019-04-02): - - Moved example code around for benefit of Fuchsia. - - Example code fixes for Windows -- Windows is now a tested platform. - - QUIC-specific bug fixes. - - Update dependencies. -* 0.15.1 (2019-01-29): - - Fix incorrect offering of SHA1. -* 0.15.0 (2019-01-20): - - Update dependencies. - - *Breaking API change*: ALPN protocols are now encoded as a `Vec`, not - a `String`. This alters the type of: - - `ClientConfig::alpn_protocols` - - `ClientConfig::set_protocols` - - `ServerConfig::alpn_protocols` - - `ServerConfig::set_protocols` - - `Session::get_alpn_protocol` - - Emit a warning when receiving an invalid SNI extension, such as one - including an IP address. - - Extended QUIC support for later QUIC drafts. - - Correct bug where we'd send more than one fatal alert for - handshake failure cases. - - Discontinue support for SHA1 signatures. - - Move to Rust 2018 edition. -* 0.14.0 (2018-09-30): - - Introduce client-side support for 0-RTT data in TLS1.3. - - Fix a bug in rustls::Stream for non-blocking transports. - - Move TLS1.3 support from draft 23 to final RFC8446 version. - - Don't offer (e.g.) TLS1.3 if no TLS1.3 suites are configured. - - Support stateful resumption in TLS1.3. Stateless resumption - was previously supported, but is not the default configuration. - - *Breaking API change*: `generate()` removed from `StoresServerSessions` trait. - - *Breaking API change*: `take()` added to `StoresServerSessions` trait. -* 0.13.1 (2018-08-17): - - Fix a bug in rustls::Stream for non-blocking transports - (backport). -* 0.13.0 (2018-07-15): - - Move TLS1.3 support from draft 22 to 23. - - Add support for `SSLKEYLOGFILE`; not enabled by default. - - Add support for basic usage in QUIC. - - `ServerConfig::set_single_cert` and company now report errors. - - Add support for vectored IO: `writev_tls` can now be used to - optimise system call usage. - - Support ECDSA signing for server and client authentication. - - Add type like `rustls::Stream` which owns its underlying TCP stream - and rustls session. -* 0.12.0 (2018-01-06): - - New API for learning negotiated cipher suite. - - Move TLS1.3 support from draft 18 to 22. - - Allow server-side MTU configuration. - - Tested against latest BoringSSL test suite. - - Support RFC5705 exporters. - - Provide `ResolvesServerCertUsingSNI` for doing SNI-based - certificate switching. - - Allow disabling SNI extension on clients, for use with - custom server certificate verifiers where the hostname - may not make sense. - - DNS names are now typesafe, using `webpki::DNSName`. - - Update dependencies. -* 0.11.0 (2017-08-28): - - New server API for learning requested SNI name. - - Server now checks selected certificate for validity. - - Remove time crate dependency. - - Follow webpki interface changes. - - Update dependencies. -* 0.10.0 (2017-08-12): - - Request and verify SCTs using sct crate. This doesn't happen - unless you pass in some certificate transparency logs -- example code - does this. - - Request OCSP stapled response and pass to cert verifier. - Note that OCSP verification is not implemented, but this is the public - API public change required to support this. - - Allow OCSP and SCT stapling for servers. - - Refactor handshake state machines. - - Bind verifications to final state -- note API change for custom cert - verification. -* 0.9.0 (2017-06-16): - - Update dependencies. - - Add IO helper function (`complete_io`) to `rustls::Session`. - - Add blocking stream type -- `rustls::Stream` -- to ease use on top - of blocking sockets. -* 0.8.0 (2017-05-14): - - Add `dangerous_configuration` feature for unsafe features. -* 0.7.0 (2017-05-08): - - Update dependencies. -* 0.6.0 (2017-05-06): - - Update dependencies. - - Expose ring's new support for PKCS#8-format private keys. - - New API for applying limitation to internal buffer sizes. -* 0.5.8 (2017-03-16): - - Fix build on later rustc. -* 0.5.7 (2017-02-27): - - No changes from 0.5.6; republished with nightly cargo for category support. -* 0.5.6 (2017-02-19): - - RFC7627 extended master secret support - - Assorted documentation improvements -* 0.5.5 (2017-02-03): - - Crate categories. - - Protocol errors now permanent for given session. - - Exposed `ResolvesServerCert` trait for customising certification - selection. - - Exposed `SignatureScheme` enum. -* 0.5.4 (2017-01-26): - - First release with TLS1.3-draft-18 support. - - More performance improvements (now ~15Gbps per core). - - New API to learn version of negotiated connection. -* 0.5.0 (2016-09-27): - - Tickets. - - Coverage testing. - - Benchmarking. - - Massive performance improvements (from ~1Gbps to ~6Gbps per core). - - OSX support. - - Minor API corrections and additional testing. diff --git a/README.md b/README.md index d45a32b8..84148b7e 100644 --- a/README.md +++ b/README.md @@ -28,95 +28,8 @@ If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md). - Improve documentation of configuration builder types. - Ensure unused cipher suites can be removed at link-time. - Ensure single-use error types implement `std::error::Error`, and are public. -* 0.20.0 (2021-09-26) - - *Breaking change*: `Connection` is now an enum instead of a trait. You can abstract over - `ClientConnection` and `ServerConnection` with a bound like `where C: Deref>, SD: SideData`. - - *Breaking change*: the SNI arguments to `ClientCertVerifier` methods have been removed. - The `Acceptor` API now allows selecting a `ServerConfig` based on the `ClientHello` instead. - - Unclean TCP closure is now tracked by the library. This means a new error is possible when reading plaintext: - `ErrorKind::UnexpectedEof` will be returned in this case. - - *Breaking change*: insulate the rustls public API from webpki API changes: - - PKI errors are now reported using rustls-specific errors. - - There is now a rustls-specific root trust anchor type. - - *Breaking change*: the following types are no longer exposed in the crate root, and can instead be imported - through the `client` module exposed in the crate root: `ResolvesClientCert`, `StoresClientSessions`, - `WriteEarlyData`, `ClientSessionMemoryCache`, `NoClientSessionStorage`, `HandshakeSignatureValid`, - `ServerCertVerified`, `ServerCertVerifier`, `WebPkiVerifier` and `DangerousClientConfig`. - - *Breaking change*: the following types are no longer exposed in the crate root, and can instead be imported - through the `server` module exposed in the crate root: `AllowAnonymousOrAuthenticatedClient`, - `AllowAnyAuthenticatedClient`, `NoClientAuth`, `ResolvesServerCertUsingSni`, `NoServerSessionStorage`, - `ServerSessionMemoryCache`, `StoresServerSessions`, `ClientHello`, `ProducesTickets`, `ResolvesServerCert`, - `ClientCertVerified` and `ClientCertVerifier`. - - *Breaking API change*: `QuicExt::write_hs()` now returns a `KeyChange` type that returns handshake or 1-RTT keys. In the case of 1-RTT keys, a `KeyChange` also - includes a `Secrets` type that must be used to derive further key updates, independent from the rustls `Connection`. The `QuicExt::next_1rtt_keys()` method - has been removed. - - *Breaking API change*: QUIC header protection keys now use a new type that directly exposes a masking/unmasking operation. -* 0.20.0-beta2 (2021-07-04) - - *Breaking change*: internal buffers are now limited to 64 kB by default. Use - `Connection::set_buffer_limit` to change the buffer limits to suit your application. - - *Breaking API change*: PEM parsing now lives in the [rustls-pemfile crate](https://crates.io/crates/rustls-pemfile). - This means `rustls::internals::pemfile` and `rustls::RootCertStore::add_pem_file` no longer exist. - - *Breaking API change*: `ServerCertVerifier::verify_server_cert` and `ClientCertVerifier::verify_client_cert` - pass the end-entity and intermediate certificates separately. This means rustls deals with the case - where the certificate chain is empty, rather than leaving that to ServerCertVerifier/ClientCertVerifier - implementation. - - *Breaking API change*: `SupportedCipherSuite` is now an enum with TLS 1.2 and TLS 1.3 variants. Some of its - methods have moved to the inner `Tls12CipherSuite` and `Tls13CipherSuite` types. Instead of - `usable_for_version()`, it now has a `version()` method. `get_hash()` has been renamed - to `hash_algorithm()` and `usable_for_sigalg()` to `usable_for_signature_algorithm()`. - - There are now 80% fewer unreachable unwraps in the core crate thanks to large refactoring efforts. - - *Breaking API change*: the `WebPkiError` variant of `rustls::Error` now includes which operation failed. - - *Breaking API changes*: These public API items have been renamed to meet naming guidelines: - - `rustls::TLSError` to `rustls::Error`. - - `rustls::ResolvesServerCertUsingSNI` to `rustls::ResolvesServerCertUsingSni`. - - `rustls::WebPKIVerifier` to `rustls::WebPkiVerifier`. - - `rustls::ciphersuites` to `rustls::cipher_suites`. - - `rustls::ALL_CIPHERSUITES` to `ALL_CIPHER_SUITES`; `rustls::DEFAULT_CIPHERSUITES` to `DEFAULT_CIPHER_SUITES`. - - `rustls::ClientHello::sigschemes` to `rustls::ClientHello::signature_schemes`. - - `rustls::RootCertStore::get_subjects` to `rustls::RootCertStore::subjects`. - - `rustls::ServerSession` to `rustls::ServerConnection`. - - `rustls::ClientSession` to `rustls::ClientConnection`. - - `rustls::ServerSession::get_sni_hostname` to `rustls::ServerConnection::sni_hostname`. - - `rustls::ClientConfig::ciphersuites` to `rustls::ClientConfig::cipher_suites`. - - `rustls::ServerConfig::ciphersuites` to `rustls::ServerConfig::cipher_suites`. - - `rustls::ProducesTickets::get_lifetime` to `rustls::ProducesTickets::lifetime`. - - `rustls::Session`: `get_peer_certificates` to `peer_certificates`, `get_alpn_protocol` to `alpn_protocol`, - `get_protocol_version` to `protocol_version`, `get_negotiated_ciphersuite` to `negotiated_cipher_suite`. - - *Breaking API change*: `ResolvesServerCert::resolve` and `ResolvesClientCert::resolve` now return - `Option>` instead of `Option`. `CertifiedKey` is now an immutable - type. - - *Breaking API change*: `peer_certificates` returns a borrow rather than a copy on the - internally stored certificate chain. - - *Breaking API change*: `ClientConnection`'s DNS name parameter is now a new enum, `ServerName`, to allow future support for ECH and servers named by IP address. -* 0.19.1 (2021-04-17): - - Backport: fix security issue: there was a reachable panic in servers if a client - sent an invalid `ClientECDiffieHellmanPublic` encoding, due to an errant `unwrap()` - when parsing the encoding. -* 0.19.0 (2020-11-22): - - Ensured that `get_peer_certificates` is both better documented, and works - uniformly for both full-handshake and resumed sessions. - - Fix bug: fully qualified hostnames should have had their trailing dot - stripped when quoted in the SNI extension. -* 0.18.1 (2020-08-16): - - Fix DoS vulnerability in TLS1.3 "Middlebox Compatibility Mode" CCS handling. - This is thought to be quite minor -- see - [this commit message](https://github.com/rustls/rustls/commit/e51bf92afcd9dfbd5f4e8154b847aa5cc380913c) - for a full discussion. -* 0.18.0 (2020-07-04): - - Allow custom certificate validation implementations to also - handle handshake signature computation. This allows uses in non-web - contexts, where `webpki` is not likely to process the certificates - in use. Thanks to @DemiMarie-parity. - - Performance improvements. Thanks to @nviennot. - - Fixed client authentication being unduly rejected by client when server - uses the superseded certificate_types field of CertificateRequest. - - *Breaking API change*: The writev_tls API has been removed, in favour - of using vectored IO support now offered by std::io::Write. - - Added ed25519 support for authentication; thanks to @potatosalad. - - Support removal of unused ciphersuites at link-time. To use this, - call `ClientConfig::with_ciphersuites` instead of `ClientConfig::new`. -See [OLDCHANGES.md](OLDCHANGES.md) for further change history. +See [RELEASE_NOTES.md](RELEASE_NOTES.md) for further change history. # Documentation Lives here: https://docs.rs/rustls/ diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md new file mode 100644 index 00000000..5e8cf4d4 --- /dev/null +++ b/RELEASE_NOTES.md @@ -0,0 +1,223 @@ +## Release history: + +* 0.20.0 (2021-09-26) + - *Breaking change*: `Connection` is now an enum instead of a trait. You can abstract over + `ClientConnection` and `ServerConnection` with a bound like `where C: Deref>, SD: SideData`. + - *Breaking change*: the SNI arguments to `ClientCertVerifier` methods have been removed. + The `Acceptor` API now allows selecting a `ServerConfig` based on the `ClientHello` instead. + - Unclean TCP closure is now tracked by the library. This means a new error is possible when reading plaintext: + `ErrorKind::UnexpectedEof` will be returned in this case. + - *Breaking change*: insulate the rustls public API from webpki API changes: + - PKI errors are now reported using rustls-specific errors. + - There is now a rustls-specific root trust anchor type. + - *Breaking change*: the following types are no longer exposed in the crate root, and can instead be imported + through the `client` module exposed in the crate root: `ResolvesClientCert`, `StoresClientSessions`, + `WriteEarlyData`, `ClientSessionMemoryCache`, `NoClientSessionStorage`, `HandshakeSignatureValid`, + `ServerCertVerified`, `ServerCertVerifier`, `WebPkiVerifier` and `DangerousClientConfig`. + - *Breaking change*: the following types are no longer exposed in the crate root, and can instead be imported + through the `server` module exposed in the crate root: `AllowAnonymousOrAuthenticatedClient`, + `AllowAnyAuthenticatedClient`, `NoClientAuth`, `ResolvesServerCertUsingSni`, `NoServerSessionStorage`, + `ServerSessionMemoryCache`, `StoresServerSessions`, `ClientHello`, `ProducesTickets`, `ResolvesServerCert`, + `ClientCertVerified` and `ClientCertVerifier`. + - *Breaking API change*: `QuicExt::write_hs()` now returns a `KeyChange` type that returns handshake or 1-RTT keys. In the case of 1-RTT keys, a `KeyChange` also + includes a `Secrets` type that must be used to derive further key updates, independent from the rustls `Connection`. The `QuicExt::next_1rtt_keys()` method + has been removed. + - *Breaking API change*: QUIC header protection keys now use a new type that directly exposes a masking/unmasking operation. +* 0.20.0-beta2 (2021-07-04) + - *Breaking change*: internal buffers are now limited to 64 kB by default. Use + `Connection::set_buffer_limit` to change the buffer limits to suit your application. + - *Breaking API change*: PEM parsing now lives in the [rustls-pemfile crate](https://crates.io/crates/rustls-pemfile). + This means `rustls::internals::pemfile` and `rustls::RootCertStore::add_pem_file` no longer exist. + - *Breaking API change*: `ServerCertVerifier::verify_server_cert` and `ClientCertVerifier::verify_client_cert` + pass the end-entity and intermediate certificates separately. This means rustls deals with the case + where the certificate chain is empty, rather than leaving that to ServerCertVerifier/ClientCertVerifier + implementation. + - *Breaking API change*: `SupportedCipherSuite` is now an enum with TLS 1.2 and TLS 1.3 variants. Some of its + methods have moved to the inner `Tls12CipherSuite` and `Tls13CipherSuite` types. Instead of + `usable_for_version()`, it now has a `version()` method. `get_hash()` has been renamed + to `hash_algorithm()` and `usable_for_sigalg()` to `usable_for_signature_algorithm()`. + - There are now 80% fewer unreachable unwraps in the core crate thanks to large refactoring efforts. + - *Breaking API change*: the `WebPkiError` variant of `rustls::Error` now includes which operation failed. + - *Breaking API changes*: These public API items have been renamed to meet naming guidelines: + - `rustls::TLSError` to `rustls::Error`. + - `rustls::ResolvesServerCertUsingSNI` to `rustls::ResolvesServerCertUsingSni`. + - `rustls::WebPKIVerifier` to `rustls::WebPkiVerifier`. + - `rustls::ciphersuites` to `rustls::cipher_suites`. + - `rustls::ALL_CIPHERSUITES` to `ALL_CIPHER_SUITES`; `rustls::DEFAULT_CIPHERSUITES` to `DEFAULT_CIPHER_SUITES`. + - `rustls::ClientHello::sigschemes` to `rustls::ClientHello::signature_schemes`. + - `rustls::RootCertStore::get_subjects` to `rustls::RootCertStore::subjects`. + - `rustls::ServerSession` to `rustls::ServerConnection`. + - `rustls::ClientSession` to `rustls::ClientConnection`. + - `rustls::ServerSession::get_sni_hostname` to `rustls::ServerConnection::sni_hostname`. + - `rustls::ClientConfig::ciphersuites` to `rustls::ClientConfig::cipher_suites`. + - `rustls::ServerConfig::ciphersuites` to `rustls::ServerConfig::cipher_suites`. + - `rustls::ProducesTickets::get_lifetime` to `rustls::ProducesTickets::lifetime`. + - `rustls::Session`: `get_peer_certificates` to `peer_certificates`, `get_alpn_protocol` to `alpn_protocol`, + `get_protocol_version` to `protocol_version`, `get_negotiated_ciphersuite` to `negotiated_cipher_suite`. + - *Breaking API change*: `ResolvesServerCert::resolve` and `ResolvesClientCert::resolve` now return + `Option>` instead of `Option`. `CertifiedKey` is now an immutable + type. + - *Breaking API change*: `peer_certificates` returns a borrow rather than a copy on the + internally stored certificate chain. + - *Breaking API change*: `ClientConnection`'s DNS name parameter is now a new enum, `ServerName`, to allow future support for ECH and servers named by IP address. +* 0.19.1 (2021-04-17): + - Backport: fix security issue: there was a reachable panic in servers if a client + sent an invalid `ClientECDiffieHellmanPublic` encoding, due to an errant `unwrap()` + when parsing the encoding. +* 0.19.0 (2020-11-22): + - Ensured that `get_peer_certificates` is both better documented, and works + uniformly for both full-handshake and resumed sessions. + - Fix bug: fully qualified hostnames should have had their trailing dot + stripped when quoted in the SNI extension. +* 0.18.1 (2020-08-16): + - Fix DoS vulnerability in TLS1.3 "Middlebox Compatibility Mode" CCS handling. + This is thought to be quite minor -- see + [this commit message](https://github.com/rustls/rustls/commit/e51bf92afcd9dfbd5f4e8154b847aa5cc380913c) + for a full discussion. +* 0.18.0 (2020-07-04): + - Allow custom certificate validation implementations to also + handle handshake signature computation. This allows uses in non-web + contexts, where `webpki` is not likely to process the certificates + in use. Thanks to @DemiMarie-parity. + - Performance improvements. Thanks to @nviennot. + - Fixed client authentication being unduly rejected by client when server + uses the superseded certificate_types field of CertificateRequest. + - *Breaking API change*: The writev_tls API has been removed, in favour + of using vectored IO support now offered by std::io::Write. + - Added ed25519 support for authentication; thanks to @potatosalad. + - Support removal of unused ciphersuites at link-time. To use this, + call `ClientConfig::with_ciphersuites` instead of `ClientConfig::new`. +* 0.17.0 (2020-02-22): + - *Breaking API change*: ALPN protocols offered by the client are passed + to the server certificate resolution trait (`ResolvesServerCert`). + - *Breaking API change*: The server certificate resolution trait now + takes a struct containing its arguments, so new data can be passed + to these functions without further breaking changes. + - Signature schemes offered by the client are now filtered to those + compatible with the client-offered ciphersuites. Prior to this change + it was likely that server key type switching would not work for clients + that offer signature schemes mismatched with their ciphersuites. + - Add manual with goal-oriented documentation, and rationale for design + decisions. + - *Breaking API change*: `AlwaysResolvesClientCert::new` is now fallible, + as is `ClientConfig::set_single_client_cert`. +* 0.16.0 (2019-08-10): + - Optimisation of read path for polled non-blocking IO. + - Correct an omission in TLS1.3 middlebox compatibility mode, causing + handshake failures with servers behind buggy middleboxes. + - Move to *ring* 0.16. + - Assorted refactoring to reduce memory usage during and after + handshake. + - Update other dependencies. +* 0.15.2 (2019-04-02): + - Moved example code around for benefit of Fuchsia. + - Example code fixes for Windows -- Windows is now a tested platform. + - QUIC-specific bug fixes. + - Update dependencies. +* 0.15.1 (2019-01-29): + - Fix incorrect offering of SHA1. +* 0.15.0 (2019-01-20): + - Update dependencies. + - *Breaking API change*: ALPN protocols are now encoded as a `Vec`, not + a `String`. This alters the type of: + - `ClientConfig::alpn_protocols` + - `ClientConfig::set_protocols` + - `ServerConfig::alpn_protocols` + - `ServerConfig::set_protocols` + - `Session::get_alpn_protocol` + - Emit a warning when receiving an invalid SNI extension, such as one + including an IP address. + - Extended QUIC support for later QUIC drafts. + - Correct bug where we'd send more than one fatal alert for + handshake failure cases. + - Discontinue support for SHA1 signatures. + - Move to Rust 2018 edition. +* 0.14.0 (2018-09-30): + - Introduce client-side support for 0-RTT data in TLS1.3. + - Fix a bug in rustls::Stream for non-blocking transports. + - Move TLS1.3 support from draft 23 to final RFC8446 version. + - Don't offer (e.g.) TLS1.3 if no TLS1.3 suites are configured. + - Support stateful resumption in TLS1.3. Stateless resumption + was previously supported, but is not the default configuration. + - *Breaking API change*: `generate()` removed from `StoresServerSessions` trait. + - *Breaking API change*: `take()` added to `StoresServerSessions` trait. +* 0.13.1 (2018-08-17): + - Fix a bug in rustls::Stream for non-blocking transports + (backport). +* 0.13.0 (2018-07-15): + - Move TLS1.3 support from draft 22 to 23. + - Add support for `SSLKEYLOGFILE`; not enabled by default. + - Add support for basic usage in QUIC. + - `ServerConfig::set_single_cert` and company now report errors. + - Add support for vectored IO: `writev_tls` can now be used to + optimise system call usage. + - Support ECDSA signing for server and client authentication. + - Add type like `rustls::Stream` which owns its underlying TCP stream + and rustls session. +* 0.12.0 (2018-01-06): + - New API for learning negotiated cipher suite. + - Move TLS1.3 support from draft 18 to 22. + - Allow server-side MTU configuration. + - Tested against latest BoringSSL test suite. + - Support RFC5705 exporters. + - Provide `ResolvesServerCertUsingSNI` for doing SNI-based + certificate switching. + - Allow disabling SNI extension on clients, for use with + custom server certificate verifiers where the hostname + may not make sense. + - DNS names are now typesafe, using `webpki::DNSName`. + - Update dependencies. +* 0.11.0 (2017-08-28): + - New server API for learning requested SNI name. + - Server now checks selected certificate for validity. + - Remove time crate dependency. + - Follow webpki interface changes. + - Update dependencies. +* 0.10.0 (2017-08-12): + - Request and verify SCTs using sct crate. This doesn't happen + unless you pass in some certificate transparency logs -- example code + does this. + - Request OCSP stapled response and pass to cert verifier. + Note that OCSP verification is not implemented, but this is the public + API public change required to support this. + - Allow OCSP and SCT stapling for servers. + - Refactor handshake state machines. + - Bind verifications to final state -- note API change for custom cert + verification. +* 0.9.0 (2017-06-16): + - Update dependencies. + - Add IO helper function (`complete_io`) to `rustls::Session`. + - Add blocking stream type -- `rustls::Stream` -- to ease use on top + of blocking sockets. +* 0.8.0 (2017-05-14): + - Add `dangerous_configuration` feature for unsafe features. +* 0.7.0 (2017-05-08): + - Update dependencies. +* 0.6.0 (2017-05-06): + - Update dependencies. + - Expose ring's new support for PKCS#8-format private keys. + - New API for applying limitation to internal buffer sizes. +* 0.5.8 (2017-03-16): + - Fix build on later rustc. +* 0.5.7 (2017-02-27): + - No changes from 0.5.6; republished with nightly cargo for category support. +* 0.5.6 (2017-02-19): + - RFC7627 extended master secret support + - Assorted documentation improvements +* 0.5.5 (2017-02-03): + - Crate categories. + - Protocol errors now permanent for given session. + - Exposed `ResolvesServerCert` trait for customising certification + selection. + - Exposed `SignatureScheme` enum. +* 0.5.4 (2017-01-26): + - First release with TLS1.3-draft-18 support. + - More performance improvements (now ~15Gbps per core). + - New API to learn version of negotiated connection. +* 0.5.0 (2016-09-27): + - Tickets. + - Coverage testing. + - Benchmarking. + - Massive performance improvements (from ~1Gbps to ~6Gbps per core). + - OSX support. + - Minor API corrections and additional testing.