|
1 | 1 | # Changelog
|
2 | 2 |
|
| 3 | +## 0.15.0 (2025-03-25) |
| 4 | + |
| 5 | +This release updates to [Rustls 0.23.25][] and increases the project minimum |
| 6 | +supported rust version (MSRV) from 1.71 to 1.74 to avoid a Rust compiler bug |
| 7 | +provoked by the ECH support in Rustls. |
| 8 | + |
| 9 | +[Rustls 0.23.25]: https://github.com/rustls/rustls/releases/tag/v%2F0.23.25 |
| 10 | + |
| 11 | +### Added |
| 12 | + |
| 13 | +* Binary releases: |
| 14 | + * Starting with the 0.15.0 release we now publish pre-built `.zip`s for: |
| 15 | + Windows (`x86_64` MSVC), Linux (`x86_64` GNU libc), and Apple (`ARM64` and |
| 16 | + `x86_64`) and a `.deb` for Debian/Ubuntu `x86_64`. These can be used to |
| 17 | + build software using `rustls-ffi` without needing `cargo`/`cargo-c`/`rustc`. |
| 18 | + |
| 19 | +* API documentation is now available online at https://ffi.rustls.dev |
| 20 | + |
| 21 | +* Post-quantum key exchange with `X25519MLKEM768`. |
| 22 | + * Enabled by default at a low priority. See the `prefer-post-quantum` feature |
| 23 | + flag to change this behavior. |
| 24 | + |
| 25 | +* New opt-in feature flags: |
| 26 | + * Optional support for making the post-quantum key exchange `X25519MLKEM768` |
| 27 | + the most-preferred key exchange by enabling the `prefer-post-quantum` |
| 28 | + feature flag. Requires the `aws-lc-rs` crypto provider. |
| 29 | + * Optional support for [RFC 8879][] certificate compression by enabling the |
| 30 | + `cert_compression` feature when building `rustls-ffi`. When enabled |
| 31 | + connections will transparently use certificate compression with Brotli or |
| 32 | + ZLib based on peer compatibility. |
| 33 | + * Optional FIPS-140-3 support using the `aws-lc-rs` provider. Enabled with the |
| 34 | + `fips` feature when building `rustls-ffi`. When enabled the `aws-lc-rs` |
| 35 | + crypto provider is used in its FIPS compatible mode. See the [Rustls |
| 36 | + project documentation][FIPS-docs] for more information on FIPS status. |
| 37 | + |
| 38 | +* Encrypted Client Hello (ECH) support for client connections. |
| 39 | + * `rustls_hpke` struct for representing supported HPKE suites. |
| 40 | + * `rustls_supported_hpke()` function for returning a const pointer to |
| 41 | + a `rustls_hpke` instance if available. Only the `aws-lc-rs` backend returns |
| 42 | + a non-`NULL` value at this time. |
| 43 | + * `rustls_client_config_builder_enable_ech_grease()` client config |
| 44 | + builder function for configuring ECH GREASE using a `rustls_hpke`. This |
| 45 | + chooses a supported HPKE suite at random and is an anti-ossification |
| 46 | + measure clients may opt-in to when not performing "real" ECH. |
| 47 | + * `rustls_client_config_builder_enable_ech()` client config builder function |
| 48 | + for configuring ECH using a `rustls_hpke` and a TLS encoded ECH config list. |
| 49 | + The encoded ECH config list should be retrieved from DNS using a secure |
| 50 | + transport, such as DNS-over-HTTPS. See the `librustls/tests/client.c` |
| 51 | + example, and the `ech-fetch.rs` tool, for example usage. |
| 52 | + |
| 53 | +* Additional connection information APIs: |
| 54 | + * Negotiated key exchange group, using |
| 55 | + `rustls_connection_get_negotiated_key_exchange_group()` for the IANA |
| 56 | + registered identifier, and |
| 57 | + `rustls_connection_get_negotiated_key_exchange_group_name()` for the name as |
| 58 | + a `rustls_str`. |
| 59 | + * Determining whether the handshake was a full TLS handshake, a full TLS |
| 60 | + handshake with an extra hello retry request (HRR) round-trip, a resumed TLS |
| 61 | + or a handshake, using `rustls_connection_handshake_kind()`. This returns |
| 62 | + a `rustls_handshake_kind` enum variant, which can be translated to |
| 63 | + a `rustls_str` using `rustls_handshake_kind_str()`. |
| 64 | + |
| 65 | +* Support for checking whether a `rustls_certified_key`'s certificate matches |
| 66 | + the corresponding private key using `rustls_certified_key_keys_match()`. |
| 67 | + |
| 68 | +* Support for queuing TLS 1.3 key updates using |
| 69 | + `rustls_connection_refresh_traffic_keys()`. |
| 70 | + |
| 71 | +* Support for strict handling of CRL expiry using |
| 72 | + `rustls_web_pki_server_cert_verifier_enforce_revocation_expiry()` to customize |
| 73 | + a `rustls_web_pki_server_cert_verifier_builder` builder instance to reject |
| 74 | + CRLs with a next update in the past. |
| 75 | + |
| 76 | +* Support for building `rustls-ffi` without any built in cryptography providers. |
| 77 | + This is mainly helpful for users that don't intend to use `aws-lc-rs` or |
| 78 | + `*ring*` but instead will bring their own FFI-ready `rustls_crypto_provider`. |
| 79 | + |
| 80 | +* SSLKEYLOG support: |
| 81 | + * For simple logging to a file, use |
| 82 | + `rustls_server_config_builder_set_key_log_file()` or |
| 83 | + `rustls_client_config_builder_set_key_log_file()` with a client/server |
| 84 | + config builder to have the `SSLKEYLOGFILE` env var used to log an NSS |
| 85 | + formatted key log file appropriate for use with Wireshark and other tools. |
| 86 | + * For deeper integration, use `rustls_server_config_builder_set_key_log()` or |
| 87 | + `rustls_client_config_builder_set_key_log()` to configure C callbacks to be |
| 88 | + invoked to decide which secrets are logged and to do the logging. |
| 89 | + * See `librustls/tests/client.c` and `librustls/tests/server.c` for example |
| 90 | + usage. |
| 91 | + |
| 92 | +* FIPS-140-3 APIs: |
| 93 | + * `rustls_default_fips_provider()` for instantiating a FIPS compatible |
| 94 | + `rustls_crypto_provider` (requires "fips" feature enabled). |
| 95 | + * `rustls_crypto_provider_fips()` for determining if a `rustls_crypto_provider` |
| 96 | + is FIPS compatible or not. |
| 97 | + * `rustls_client_config_fips()` for determining if a `rustls_client_config` |
| 98 | + was built with a FIPS compatible `rustls_crypto_provider`. |
| 99 | + * `rustls_server_config_fips()` for determining if a `rustls_server_config` |
| 100 | + was built with a FIPS compatible `rustls_crypto_provider`. |
| 101 | + * `rustls_connection_fips()` for determining if a `rustls_connection` was |
| 102 | + created from a `rustls_client_config` or `rustls_server_config` that was |
| 103 | + built with a FIPS compatible `rustls_crypto_provider`. |
| 104 | + |
| 105 | +* Additional `rustls_result` error variants: |
| 106 | + * `RUSTLS_RESULT_CERT_EXPIRED_REVOCATION_LIST`, |
| 107 | + `RUSTLS_RESULT_MESSAGE_CERTIFICATE_PAYLOAD_TOO_LARGE`, |
| 108 | + `RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH`, |
| 109 | + `RUSTLS_RESULT_INCONSISTENT_KEYS_UNKNOWN`, |
| 110 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_INVALID_CONFIG_LIST`, |
| 111 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_NO_COMPATIBLE_CONFIG`, |
| 112 | + `RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_SNI_REQUIRED`. |
| 113 | + |
| 114 | +[RFC 8879]: https://www.rfc-editor.org/rfc/rfc8879 |
| 115 | +[FIPS-docs]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html |
| 116 | + |
| 117 | +### Changed |
| 118 | + |
| 119 | +* Calling `rustls_server_config_builder_build()` with no certificate/key |
| 120 | + configured previously returned `RUSTLS_RESULT_GENERAL`, it now returns |
| 121 | + `RUSTLS_RESULT_NO_CERT_RESOLVER`. |
| 122 | + |
| 123 | +* The `rustls_server_connection_get_server_name()` function now returns |
| 124 | + a `rustls_str` instead of writing to a user provided buffer with out |
| 125 | + parameters. |
| 126 | + |
| 127 | +* The `rustls_server_config_builder_set_persistence()` function is now `void` |
| 128 | + instead of returning a `rustls_error`. |
| 129 | + |
| 130 | +* [cargo-c][] is now the only supported method for building `rustls-ffi`. It |
| 131 | + supports building both static and shared libraries as well as making `.pc` |
| 132 | + pkg-config files per-platform. The pre-existing GNU `Makefile` has been |
| 133 | + removed in favour of `cargo-c`. See our README for more information. |
| 134 | + |
| 135 | +* Building the client/server **examples** now requires `cmake`. The GNU Makefile |
| 136 | + has been removed in favour of unifying the example build system with `cmake`. |
| 137 | + Users only interested in building `rustls-ffi` (not the example applications) |
| 138 | + do not require `cmake` unless it is a requirement of their chosen cryptography |
| 139 | + provider (e.g. `aws-lc-rs` in fips mode). |
| 140 | + |
| 141 | +[cargo-c]: https://github.com/lu-zero/cargo-c |
| 142 | + |
| 143 | +### Removed |
| 144 | + |
| 145 | +* N/A |
| 146 | + |
| 147 | + |
3 | 148 | ## 0.14.1 (2024-11-22)
|
4 | 149 |
|
5 | 150 | This release updates to [Rustls 0.23.18][] and increases the project MSRV from
|
|
0 commit comments