Releases: mirleft/ocaml-tls
v0.13.0
CHANGES:
- Remove static RSA and CBC ciphersuites from default configuration. The
  default configuration now includes FFDHE and ECDHE key exchanges with RSA or
  ECDSA/EdDSA certificates, and AEAD ciphers
  (AES-GCM, AES-CCM, ChaCha20-Poly1305) (#429 by @hannesm)
- Remove SHA1 from signature_algorithms in the default configuration
  (#429 by @hannesm)
- Support ECDSA and EdDSA certificates and private keys via x509 0.12.0 and
  mirage-crypto-ec (#428 by @hannesm)
  Breaking changes:
  - the second part of type Tls.Config.certchain is now a X509.Private_key.t
    (previously Mirage_crypto_pk.Rsa.priv)
  - the type aliases X509_lwt.priv and X509_lwt.authenticator have been removed
- Use mirage-crypto-ec instead of fiat-p256 and hacl_x25519 for elliptic curve
  support - this adds P384 and P521 ECDH support (#428 by @hannesm)
- Remove custom Monad implementation, use Result and Rresult instead
  (#429 by @hannesm)
- Remove Utils.Cs submodule, use Cstruct API instead (#429 by @hannesm)
- Breaking: Tls.Engine.ret type is now a result instead of a custom variant type
  (#429 by @hannesm)
- Breaking: Tls_lwt.Unix.epoch results in (Tls.Core.epoch_data, unit) result -
  it was a custom error type previously (#429 by @hannesm)
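The default-configuration policy described in the v0.13.0 notes can be checked against a peer's cipher suite list before upgrading. The following is an added example, not code from ocaml-tls: it assumes IANA-style suite names (the "TLS_" prefix is optional, matching the constructor rename in v0.12.1), and the function names and sample lists are constructed for illustration.

```python
import re

# AEAD markers for the ciphers named in the notes: AES-GCM, AES-CCM, ChaCha20-Poly1305.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
# Key exchanges named in the notes: FFDHE/ECDHE, authenticated with RSA or
# ECDSA suites (RFC 8422 uses the ECDSA suites for EdDSA certificates too).
FS_KEX = re.compile(r"^TLS_(DHE|ECDHE)_(RSA|ECDSA)_WITH_")


def findings(suite):
    """Return the reasons a suite falls outside the described defaults ([] if none)."""
    name = suite.upper()
    if not name.startswith("TLS_"):
        name = "TLS_" + name  # accept names written without the prefix
    out = []
    # TLS 1.3 names carry no "_WITH_": key exchange is negotiated separately.
    if "_WITH_" in name and not FS_KEX.match(name):
        out.append("static-rsa" if name.startswith("TLS_RSA_WITH_") else "other-kex")
    if "_CBC_" in name:
        out.append("cbc")
    elif not any(marker in name for marker in AEAD_MARKERS):
        out.append("not-aead")
    return out


def usable(peer_suites):
    """Suites from the peer's list that still fit the described defaults."""
    return [s for s in peer_suites if not findings(s)]


# Constructed sample lists (not taken from any real peer).
LEGACY_PEER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
MODERN_PEER = [
    "TLS_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for label, suites in (("legacy", LEGACY_PEER), ("modern", MODERN_PEER)):
        for s in suites:
            print(f"{label:7} {s:45} {','.join(findings(s)) or 'ok'}")
        print(f"{label:7} usable suites: {len(usable(suites))}")
```

A peer whose list yields no usable suites will need an explicit, non-default cipher configuration or an update of its own before it can complete a handshake against the defaults described above.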
v0.12.8
CHANGES:
- Re-add ECPointFormats hello extension (both client and server) to avoid
handshake failures with Go's TLS stack (RFC 8422 makes it optional, but go
(1.15.5) requires it) - reported by @jeffa5 at
https://discuss.ocaml.org/t/strange-prohibited-tls-1-2-cipher-suite-9d-issue/
fix by @hannesm #424
v0.12.7
v0.12.6
v0.12.5
v0.12.4
v0.12.3
v0.12.2
v0.12.1
CHANGES:
- Drop support for RC4 ciphersuite
- Raise lower TLS version in default configuration to 1.2
- tls_lwt no longer calls Mirage_crypto_rng_unix.initialize -- this needs to be
done in the application, inside Lwt_main.run:
Mirage_crypto_rng_lwt.initialize () >>= fun () ->
- Support ECDHE ciphersuites in TLS 1.2 and below as specified in RFC 8422
  (requested in #413 by @ryanakca, also in #362 by @orbitz @annubiz)
- drop "TLS_" prefix from ciphersuite constructors
- BUGFIX: TLS client (<= 1.2) assembling an empty Certificate message
  (noticed in #413, present since 0.12.0 release)
- Cleanup Packet.any_ciphersuite list (remove ARIA, CAMELLIA, KRB5, EXPORT)
- Adapt interoperability test scripts with TLS 1.3 support
v0.12.0
CHANGES:
- TLS 1.3 support
- Tracing now uses the logs library (log source tls.tracing on debug level)
- bugfix for padding in ClientHello, which computed wrong length
- bugfix hs_fragments to be set before executing the protocol handling logic
- bugfix guard RSA signature with an Insufficient_key handler, which may occur
  when using an RSA key whose size is too small for the used digest algorithm