aboutsummaryrefslogtreecommitdiffstats
path: root/doc/relnotes/1_11_0.rst
blob: bfcdc213af9cc5230911d043b906dc2c1f79f81e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Version 1.11.0, 2012-07-19
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note::

  In this release, many new features of C++11 are being used in the
  library. Currently GCC 4.7 and Clang 3.1 are known to work well.
  This version of the library cannot be compiled by or used with a
  C++98 compiler.

TLS and PKI Changes
""""""""""""""""""""""""""""""""""""""""

There have been many changes and improvements to :doc:`TLS
<../tls>`. The interface is now purely event driven and does not
directly interact with sockets.  New TLS features include TLS v1.2
support, client certificate authentication, renegotiation, session
tickets, and session resumption. Session information can be saved in
memory or to an encrypted SQLite3 database. Newly supported TLS
ciphersuite algorithms include using SHA-2 for message authentication,
pre shared keys and SRP for authentication and key exchange, ECC
algorithms for key exchange and signatures, and anonymous DH/ECDH key
exchange.

Support for :doc:`OCSP <../ocsp>` has been added. Currently only
client-side support exists.

The API for X.509 path validation has changed, with
``x509_path_validate`` in x509path.h now handles path validation and
``Certificate_Store`` handles storage of certificates and CRLs.

Memory Container Changes
""""""""""""""""""""""""""""""""""""""""

The memory container types have changed substantially.  The
``MemoryVector`` and ``SecureVector`` container types have been
removed, and an alias of ``std::vector`` using an allocator that
clears memory named ``secure_vector`` is used for key material, with
plain ``std::vector`` being used for everything else.

The technique used for mlock'ing memory on Linux and BSD systems is
much improved. Now a single page-aligned block of memory (the exact
limit of what we can mlock) is mmap'ed, with allocations being done
using a best-fit allocator and all metadata held outside the mmap'ed
range, in an effort to make best use of the very limited amount of
memory current Linux kernels allow unpriveledged users to lock.

New LZMA Compression Filter
""""""""""""""""""""""""""""""""""""""""

A filter using LZMA was contributed by Vojtech Kral. It is available
if LZMA support was enabled at compilation time by passing
``--with-lzma`` to ``configure.py``.

ECC Key Decoding Problem Resolved
""""""""""""""""""""""""""""""""""""""""

:rfc:`5915` adds some extended information which can be included in
ECC private keys which the ECC key decoder did not expect, causing an
exception when such a key was loaded. In particular, recent versions
of OpenSSL use these fields. Now these fields are decoded properly,
and if the public key value is included it is used, as otherwise the
public key needs to be rederived from the private key. However the
library does not include these fields on encoding keys for
compatability with software that does not expect them (including older
versions of botan).