path: root/doc/relnotes/1_11_0.rst
Version 1.11.0, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In this release, many new features of C++11 are being used in the
library. Currently GCC 4.7 and Clang 3.1 are known to work. This
version of the library cannot be compiled by or used with a C++98
compiler.

There have been many changes and improvements to :doc:`TLS
<../tls>`. The interface is now purely event driven and does not
directly interact with sockets.  New TLS features include TLS v1.2
support, client certificate authentication, renegotiation, session
tickets, and session resumption. Session information can be saved in
memory or to an encrypted SQLite3 database. Newly supported TLS
ciphersuite algorithms include using SHA-2 for message authentication,
pre shared keys and SRP for authentication and key exchange, ECC
algorithms for key exchange and signatures, and anonymous DH/ECDH key
exchange.

Support for :doc:`OCSP <../ocsp>` has been added. Currently only
client-side support exists.

The API for X.509 path validation has changed: ``x509_path_validate``
in x509path.h now handles path validation, and ``Certificate_Store``
handles storage of certificates and CRLs.

The memory container types have changed substantially.  The
MemoryVector and SecureVector container types have been removed, and
an alias of std::vector using an allocator that clears memory named
secure_vector is used for key material, with std::vector being used
for everything else.
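As an added illustration (not Botan's own implementation), the following C++11 sketch shows the idea behind ``secure_vector``: a ``std::vector`` alias whose allocator scrubs each block before returning it to the heap. The names ``secure_allocator``, ``secure_scrub_memory``, ``scrub_zeroes`` and ``demo_key_use`` are assumed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// Overwrite a buffer with zeros in a way the optimizer cannot elide:
// stores through a volatile pointer must all be emitted.
inline void secure_scrub_memory(void* ptr, size_t n) {
   volatile uint8_t* p = static_cast<volatile uint8_t*>(ptr);
   for(size_t i = 0; i != n; ++i)
      p[i] = 0;
}

// Minimal C++11 allocator: same as std::allocator except that every
// block is scrubbed before it is handed back to the heap.
template<typename T>
class secure_allocator {
   public:
      typedef T value_type;
      secure_allocator() noexcept {}
      template<typename U> secure_allocator(const secure_allocator<U>&) noexcept {}

      T* allocate(size_t n) {
         return static_cast<T*>(::operator new(n * sizeof(T)));
      }
      void deallocate(T* p, size_t n) noexcept {
         secure_scrub_memory(p, n * sizeof(T));
         ::operator delete(p);
      }
      template<typename U> bool operator==(const secure_allocator<U>&) const noexcept { return true; }
      template<typename U> bool operator!=(const secure_allocator<U>&) const noexcept { return false; }
};

// The alias: key material goes here, everything else stays in std::vector.
template<typename T>
using secure_vector = std::vector<T, secure_allocator<T>>;

// Check that scrubbing really zeroes a block that was filled with 0xFF.
bool scrub_zeroes(size_t n) {
   std::vector<uint8_t> buf(n, 0xFF);
   secure_scrub_memory(buf.data(), buf.size());
   for(size_t i = 0; i != n; ++i)
      if(buf[i] != 0) return false;
   return true;
}

// A constructed 32-byte "secret" in a secure_vector alongside a public
// identifier in a plain std::vector; returns the combined length (36).
size_t demo_key_use() {
   secure_vector<uint8_t> key(32, 0xAB);       // constructed sample secret
   std::vector<uint8_t> key_id = {1, 2, 3, 4}; // non-secret handle
   return key.size() + key_id.size();
}
```

When ``key`` goes out of scope its storage is scrubbed by ``deallocate`` before being freed, which is the property the release notes describe for key material.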

The technique used for mlock'ing memory on Linux and BSD systems is
much improved. Now a single page-aligned block of memory (the exact
limit of what we can mlock) is mmap'ed, with allocations being done
using a best-fit allocator and all metadata held outside the mmap'ed
range, in an effort to make best use of the very limited amount of
memory current Linux kernels allow unprivileged users to lock.

:rfc:`5915` adds some extended information which can be included in
ECC private keys which the ECC key decoder did not expect, causing an
exception when such a key was loaded. In particular, recent versions
of OpenSSL use these fields. Now these fields are decoded properly,
and if the public key value is included it is used, as otherwise the
public key needs to be rederived from the private key. However, the
library does not include these fields when encoding keys, for
compatibility with software that does not expect them (including older
versions of Botan).