[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Fri Jan 8 03:01:18 UTC 2016
The branch master has been updated
via 59fd40d4e5030a7257edd11d758eab1dcebb3787 (commit)
from 60d8edbc0982cc910a1edcb43cf318dc2c7c08cf (commit)
- Log -----------------------------------------------------------------
commit 59fd40d4e5030a7257edd11d758eab1dcebb3787
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Thu Jan 7 22:00:14 2016 -0500
DANE CHANGES
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 14 ++++++++++++++
NEWS | 1 +
2 files changed, 15 insertions(+)
diff --git a/CHANGES b/CHANGES
index b5a9e1e..4e30572 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,20 @@
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
*) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
continues to support deprecated interfaces in default builds.
However, applications are strongly advised to compile their
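Review bot: The second paragraph of the new CHANGES entry says TLSA-based pins "can augment or replace verification based on the usual WebPKI public certification authorities", but it does not say what determines whether they augment or replace it. Someone setting up pinning from this entry needs to know when the public CA checks still run, so add a sentence on that or point to the documentation that covers it. The first paragraph could also state outright that OpenSSL performs no DNSSEC validation of its own, so that whatever TLSA records the application passes in are used as given.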
diff --git a/NEWS b/NEWS
index 13e1a91..17fee47 100644
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,7 @@
argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
o Application software can be compiled with -DOPENSSL_API_COMPAT=version
to ensure that features deprecated before that version are not exposed.
+ o Support for RFC6698/RFC7671 DANE TLSA peer authentication
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
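Review bot: The added NEWS bullet "Support for RFC6698/RFC7671 DANE TLSA peer authentication" omits the caveat that the CHANGES entry leads with, namely that obtaining and DNSSEC-validating the TLSA records is the application's responsibility. A reader who sees only NEWS may assume OpenSSL fetches and validates the records itself, so consider a short qualifier such as "(TLSA records are supplied by the application)". The bullet also lacks the trailing period that the context line above it carries.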