 doc/contents.txt        |  1
 doc/ocsp.txt            | 34
 doc/relnotes/1_11_0.txt | 77
 3 files changed, 70 insertions, 42 deletions
diff --git a/doc/contents.txt b/doc/contents.txt index 835fabf82..d55c36cc3 100644 --- a/doc/contents.txt +++ b/doc/contents.txt @@ -14,6 +14,7 @@ Contents filters pubkey x509 + ocsp tls credentials_manager bigint diff --git a/doc/ocsp.txt b/doc/ocsp.txt new file mode 100644 index 000000000..51486dbc1 --- /dev/null +++ b/doc/ocsp.txt @@ -0,0 +1,34 @@ +OCSP +======================================== + +A client makes an OCSP request to what is termed an 'OCSP responder'. +This responder returns a signed response attesting that the +certificate in question has not been revoked. + +.. cpp:class:: OCSP::Request + + .. cpp:function:: OCSP::Request(const X509_Certificate& issuer_cert, \ + const X509_Certificate& subject_cert) + + Create a new OCSP request + + .. cpp:function:: std::string base64_encode() const + + Encode the current OCSP request as a base64 string. + +.. cpp:class:: OCSP::Response + + .. cpp:function:: OCSP::Response(const Certificate_Store& trusted_roots, \ + const std::vector<byte>& response) + + Deserializes *response* sent by a responder, and checks that it + was signed by a certificate associated with one of the CAs + stored in *trusted_roots*. + + .. cpp:function:: bool affirmative_response_for(const X509_Certificate& issuer, \ + const X509_Certificate& subject) const + + Returns true if and only if this OCSP response is not an error, + is signed correctly, and the response indicates that *issuer* is + not currently revoked. + diff --git a/doc/relnotes/1_11_0.txt b/doc/relnotes/1_11_0.txt index 6321eafbe..d8bc5515c 100644 --- a/doc/relnotes/1_11_0.txt +++ b/doc/relnotes/1_11_0.txt 
@@ -1,45 +1,38 @@ Version 1.11.0, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* The codebase has converted to C++11. Currently GCC 4.7 and Clang 3.1 - are known to work. - -* The MemoryVector and SecureVector container types have been removed. - An alias of std::vector using an allocator that clears memory named - secure_vector is used for key material, and std::vector is used for - everything else. - -* The method of mlocking memory is much improved, and if the process - can mlock memory then it will be used automatically. - -* The TLS interface is now non-blocking and does not directly interact - with sockets. An example TLS server using asio is included which - scales to at least 64 processors. - -* X509_Store has been removed. x509_path_validate in x509path.h now - handles path validation and Certificate_Store handles storage of - certificates and CRLs. - -* Add support for OCSP - -* TLS v1.2 is now supported - -* TLS now supports session resumption. Session information can be - saved in memory or to an encrypted SQLite database. - -* TLS renegotiation is now supported - -* TLS client authentication is now supported - -* TLS SRP and PSK ciphersuites are now supported - -* TLS session tickets are now supported - -* TLS ECDH key exchange and ECDSA certificates are now supported - -* Add support for SHA-2 ciphersuites - -* Add support for anonymous DH/ECDH ciphersuites - - - +In this release, many new features of C++11 are being used in the +library. Currently GCC 4.7 and Clang 3.1 are known to work. This +version of the library cannot be compiled by or used with a C++98 +compiler. + +There have been many changes and improvements to :doc:`TLS +<../tls>`. The interface is now purely event driven and does not +directly interact with sockets. New TLS features include TLS v1.2 +support, client certificate authentication, renegotiation, session +tickets, and session resumption. Session information can be saved in +memory or to an encrypted SQLite3 database. 
Newly supported TLS +ciphersuite algorithms include using SHA-2 for message authentication, +pre shared keys and SRP for authentication and key exchange, ECC +algorithms for key exchange and signatures, and anonymous DH/ECDH key +exchange. + +Support for :doc:`OCSP <../ocsp>` has been added. Currently only +client-side support exists. + +The API for X.509 path validation has changed, with +``x509_path_validate`` in x509path.h now handles path validation and +``Certificate_Store`` handles storage of certificates and CRLs. + +The memory container types have changed substantially. The +MemoryVector and SecureVector container types have been removed, and +an alias of std::vector using an allocator that clears memory named +secure_vector is used for key material, with std::vector being used +for everything else. + +The technique used for mlock'ing memory on Linux and BSD systems is +much improved. Now a single page-aligned block of memory (the exact +limit of what we can mlock) is mmap'ed, with allocations being done +using a best-fit allocator and all metadata held outside the mmap'ed +range, in an effort to make best use of the very limited amount of +memory current Linux kernels allow unpriveledged users to lock. |
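Review bot: In the new doc/ocsp.txt, the description of `OCSP::Response::affirmative_response_for(issuer, subject)` says the response indicates that "*issuer* is not currently revoked", but the request is built for the *subject* certificate and the introduction says the response attests that "the certificate in question has not been revoked"; this should read "*subject* is not currently revoked". While touching that block, it would help callers to document how a failed signature check in the `OCSP::Response` constructor is reported (exception, or a Response for which `affirmative_response_for` later returns false), since the current text folds "is not an error", "is signed correctly" and "not revoked" into a single boolean and a client cannot tell a responder error or bad signature apart from an actual revocation when deciding how to fail.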
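Review bot: In the rewritten doc/relnotes/1_11_0.txt, the mlock paragraph has a spelling error, "unpriveledged users" should be "unprivileged users", and the path validation sentence does not parse: "with ``x509_path_validate`` in x509path.h now handles path validation and ``Certificate_Store`` handles storage" should be "with ``x509_path_validate`` in x509path.h now handling path validation and ``Certificate_Store`` handling storage of certificates and CRLs" (or split into two sentences). "pre shared keys" is conventionally hyphenated as "pre-shared keys". Since this hunk converts the bullet list into prose, it would also be worth keeping a one-line pointer to the removed bullet about the asio-based example TLS server, which is the only mention of that example and is otherwise lost from the notes.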