Commit cfbe105

docs: 0.15.0 CHANGELOG updates
1 parent 32adae5 commit cfbe105

1 file changed, +145 -0 lines changed


CHANGELOG.md

Lines changed: 145 additions & 0 deletions
@@ -1,5 +1,150 @@
11
# Changelog
22

3+
## 0.15.0 (2025-03-25)
4+
5+
This release updates to [Rustls 0.23.25][] and increases the project minimum
6+
supported rust version (MSRV) from 1.71 to 1.74 to avoid a Rust compiler bug
7+
provoked by the ECH support in Rustls.
8+
9+
[Rustls 0.23.25]: https://github.com/rustls/rustls/releases/tag/v%2F0.23.25
10+
11+
### Added
12+
13+
* Binary releases:
14+
* Starting with the 0.15.0 release we now publish pre-built `.zip`s for:
15+
Windows (`x86_64` MSVC), Linux (`x86_64` GNU libc), and Apple (`ARM64` and
16+
`x86_64`) and a `.deb` for Debian/Ubuntu `x86_64`. These can be used to
17+
build software using `rustls-ffi` without needing `cargo`/`cargo-c`/`rustc`.
18+
19+
* API documentation is now available online at https://ffi.rustls.dev
20+
21+
* Post-quantum key exchange with `X25519MLKEM768`.
22+
* Enabled by default at a low priority. See the `prefer-post-quantum` feature
23+
flag to change this behavior.
24+
25+
* New opt-in feature flags:
26+
* Optional support for making the post-quantum key exchange `X25519MLKEM768`
27+
the most-preferred key exchange by enabling the `prefer-post-quantum`
28+
feature flag. Requires the `aws-lc-rs` crypto provider.
29+
* Optional support for [RFC 8879][] certificate compression by enabling the
30+
`cert_compression` feature when building `rustls-ffi`. When enabled
31+
connections will transparently use certificate compression with Brotli or
32+
ZLib based on peer compatibility.
33+
* Optional FIPS-140-3 support using the `aws-lc-rs` provider. Enabled with the
34+
`fips` feature when building `rustls-ffi`. When enabled the `aws-lc-rs`
35+
crypto provider is used in its FIPS compatible mode. See the [Rustls
36+
project documentation][FIPS-docs] for more information on FIPS status.
37+
38+
* Encrypted Client Hello (ECH) support for client connections.
39+
* `rustls_hpke` struct for representing supported HPKE suites.
40+
* `rustls_supported_hpke()` function for returning a const pointer to
41+
a `rustls_hpke` instance if available. Only the `aws-lc-rs` backend returns
42+
a non-`NULL` value at this time.
43+
* `rustls_client_config_builder_enable_ech_grease()` client config
44+
builder function for configuring ECH GREASE using a `rustls_hpke`. This
45+
chooses a supported HPKE suite at random and is an anti-ossification
46+
measure clients may opt-in to when not performing "real" ECH.
47+
* `rustls_client_config_builder_enable_ech()` client config builder function
48+
for configuring ECH using a `rustls_hpke` and a TLS encoded ECH config list.
49+
The encoded ECH config list should be retrieved from DNS using a secure
50+
transport, such as DNS-over-HTTPS. See the `librustls/tests/client.c`
51+
example, and the `ech-fetch.rs` tool, for example usage.
52+
53+
* Additional connection information APIs:
54+
* Negotiated key exchange group, using
55+
`rustls_connection_get_negotiated_key_exchange_group()` for the IANA
56+
registered identifier, and
57+
`rustls_connection_get_negotiated_key_exchange_group_name()` for the name as
58+
a `rustls_str`.
59+
* Determining whether the handshake was a full TLS handshake, a full TLS
60+
handshake with an extra hello retry request (HRR) round-trip, a resumed TLS
61+
or a handshake, using `rustls_connection_handshake_kind()`. This returns
62+
a `rustls_handshake_kind` enum variant, which can be translated to
63+
a `rustls_str` using `rustls_handshake_kind_str()`.
64+
65+
* Support for checking whether a `rustls_certified_key`'s certificate matches
66+
the corresponding private key using `rustls_certified_key_keys_match()`.
67+
68+
* Support for queuing TLS 1.3 key updates using
69+
`rustls_connection_refresh_traffic_keys()`.
70+
71+
* Support for strict handling of CRL expiry using
72+
`rustls_web_pki_server_cert_verifier_enforce_revocation_expiry()` to customize
73+
a `rustls_web_pki_server_cert_verifier_builder` builder instance to reject
74+
CRLs with a next update in the past.
75+
76+
* Support for building `rustls-ffi` without any built in cryptography providers.
77+
This is mainly helpful for users that don't intend to use `aws-lc-rs` or
78+
`*ring*` but instead will bring their own FFI-ready `rustls_crypto_provider`.
79+
80+
* SSLKEYLOG support:
81+
* For simple logging to a file, use
82+
`rustls_server_config_builder_set_key_log_file()` or
83+
`rustls_client_config_builder_set_key_log_file()` with a client/server
84+
config builder to have the `SSLKEYLOGFILE` env var used to log an NSS
85+
formatted key log file appropriate for use with Wireshark and other tools.
86+
* For deeper integration, use `rustls_server_config_builder_set_key_log()` or
87+
`rustls_client_config_builder_set_key_log()` to configure C callbacks to be
88+
invoked to decide which secrets are logged and to do the logging.
89+
* See `librustls/tests/client.c` and `librustls/tests/server.c` for example
90+
usage.
91+
92+
* FIPS-140-3 APIs:
93+
* `rustls_default_fips_provider()` for instantiating a FIPS compatible
94+
`rustls_crypto_provider` (requires "fips" feature enabled).
95+
* `rustls_crypto_provider_fips()` for determining if a `rustls_crypto_provider`
96+
is FIPS compatible or not.
97+
* `rustls_client_config_fips()` for determining if a `rustls_client_config`
98+
was built with a FIPS compatible `rustls_crypto_provider`.
99+
* `rustls_server_config_fips()` for determining if a `rustls_server_config`
100+
was built with a FIPS compatible `rustls_crypto_provider`.
101+
* `rustls_connection_fips()` for determining if a `rustls_connection` was
102+
created from a `rustls_client_config` or `rustls_server_config` that was
103+
built with a FIPS compatible `rustls_crypto_provider`.
104+
105+
* Additional `rustls_result` error variants:
106+
* `RUSTLS_RESULT_CERT_EXPIRED_REVOCATION_LIST`,
107+
`RUSTLS_RESULT_MESSAGE_CERTIFICATE_PAYLOAD_TOO_LARGE`,
108+
`RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH`,
109+
`RUSTLS_RESULT_INCONSISTENT_KEYS_UNKNOWN`,
110+
`RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_INVALID_CONFIG_LIST`,
111+
`RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_NO_COMPATIBLE_CONFIG`,
112+
`RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_SNI_REQUIRED`.
113+
114+
[RFC 8879]: https://www.rfc-editor.org/rfc/rfc8879
115+
[FIPS-docs]: https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html
116+
117+
### Changed
118+
119+
* Calling `rustls_server_config_builder_build()` with no certificate/key
120+
configured previously returned `RUSTLS_RESULT_GENERAL`, it now returns
121+
`RUSTLS_RESULT_NO_CERT_RESOLVER`.
122+
123+
* The `rustls_server_connection_get_server_name()` function now returns
124+
a `rustls_str` instead of writing to a user provided buffer with out
125+
parameters.
126+
127+
* The `rustls_server_config_builder_set_persistence()` function is now `void`
128+
instead of returning a `rustls_error`.
129+
130+
* [cargo-c][] is now the only supported method for building `rustls-ffi`. It
131+
supports building both static and shared libraries as well as making `.pc`
132+
pkg-config files per-platform. The pre-existing GNU `Makefile` has been
133+
removed in favour of `cargo-c`. See our README for more information.
134+
135+
* Building the client/server **examples** now requires `cmake`. The GNU Makefile
136+
has been removed in favour of unifying the example build system with `cmake`.
137+
Users only interested in building `rustls-ffi` (not the example applications)
138+
do not require `cmake` unless it is a requirement of their chosen cryptography
139+
provider (e.g. `aws-lc-rs` in fips mode).
140+
141+
[cargo-c]: https://github.com/lu-zero/cargo-c
142+
143+
### Removed
144+
145+
* N/A
146+
147+
3148
## 0.14.1 (2024-11-22)
4149

5150
This release updates to [Rustls 0.23.18][] and increases the project MSRV from
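Review bot: the handshake-kind bullet in the "Additional connection information APIs" entry (the `rustls_connection_handshake_kind()` item) has a garbled sentence: "a full TLS handshake with an extra hello retry request (HRR) round-trip, a resumed TLS / or a handshake, using ..." should read "..., or a resumed TLS handshake, using ...", otherwise the third handshake kind is unreadable. Two smaller consistency points in the same hunk: the `fips` feature is written in backticks in the FIPS-140-3 support entry but as `"fips"` in quotes in the `rustls_default_fips_provider()` entry, so pick one form; and "anti-ossification measure clients may opt-in to" should use the verb form "opt in to". Finally, since the Changed section alters two public signatures (`rustls_server_connection_get_server_name()` now returns a `rustls_str` instead of filling a caller buffer, and `rustls_server_config_builder_set_persistence()` now returns `void` instead of a `rustls_error`), consider labelling those entries as breaking so C callers know that a recompile is not enough and their call sites must change.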
