Releases: aws/s2n-tls
Release: v1.5.10
Weekly release for December 16 2024
Release Summary:
- Updated the minimum required CMake version from 3.0 to 3.9.
- Added TLS1.2 support for RSA-PSS certificates. Previously, RSA-PSS certificates could only be used with TLS1.3.
- Customers can now use application-owned certs from the rust bindings. This allows rust consumers of s2n-tls to load certificates for many domains on a single config, and also allows one certificate chain to be shared across multiple configs.
- Fixed a bug in certificate PEM parsing. We now correctly reject certificate chains whose last certificate is significantly truncated (for example, missing the final "-----END CERTIFICATE-----" marker).
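The truncation case above, as an added example that is not s2n-tls code: a standalone C checker that pairs every BEGIN CERTIFICATE marker with its END marker, treats text outside the markers as PEM comments (so a dash inside a comment is harmless), and rejects a chain whose final certificate has no END marker. The function names and result codes are this example's own, and the sample chains are constructed placeholders with fake base64 bodies, not real certificates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Result codes for this illustration (hypothetical, not s2n-tls's). */
enum pem_result {
    PEM_OK = 0,        /* every BEGIN has a matching END */
    PEM_EMPTY = 1,     /* no certificate block found at all */
    PEM_TRUNCATED = 2, /* last BEGIN has no END: the final cert was cut off */
    PEM_NO_BODY = 3    /* BEGIN directly followed by END: empty certificate */
};

/* Walk the buffer, pair each BEGIN marker with its END marker, and count
 * complete certificates. Anything outside a BEGIN/END pair is skipped as a
 * PEM comment. On failure *cert_count holds the number of complete certs
 * seen before the problem. */
int pem_chain_check(const char *pem, size_t *cert_count)
{
    size_t count = 0;
    const char *cursor = pem;

    for (;;) {
        const char *begin = strstr(cursor, PEM_BEGIN);
        if (begin == NULL) {
            break;
        }
        const char *body = begin + strlen(PEM_BEGIN);
        const char *end = strstr(body, PEM_END);
        if (end == NULL) {
            /* A BEGIN with no END: the chain ends mid-certificate. */
            if (cert_count) *cert_count = count;
            return PEM_TRUNCATED;
        }
        /* Require at least one non-whitespace byte of base64 body. */
        int has_body = 0;
        for (const char *p = body; p < end; p++) {
            if (*p != '\n' && *p != '\r' && *p != ' ' && *p != '\t') {
                has_body = 1;
                break;
            }
        }
        if (!has_body) {
            if (cert_count) *cert_count = count;
            return PEM_NO_BODY;
        }
        count++;
        cursor = end + strlen(PEM_END);
    }

    if (cert_count) *cert_count = count;
    return count == 0 ? PEM_EMPTY : PEM_OK;
}

/* Number of complete certificates found before any error. */
size_t pem_cert_count(const char *pem)
{
    size_t n = 0;
    (void) pem_chain_check(pem, &n);
    return n;
}

/* Constructed sample inputs: the base64 bodies are placeholders, not real
 * certificates; only the framing matters for this check. */
static const char GOOD_CHAIN[] =
    "# leaf\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBleafAAAA\n"
    "-----END CERTIFICATE-----\n"
    "# intermediate - a single dash in a comment must be tolerated\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBinterAAAA\n"
    "-----END CERTIFICATE-----\n";

static const char TRUNCATED_CHAIN[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBleafAAAA\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBinterAAAA\n"; /* the file ends here: END marker missing */

int main(void)
{
    size_t n = 0;
    int rc = pem_chain_check(GOOD_CHAIN, &n);
    printf("good chain:      rc=%d certs=%zu\n", rc, n);
    rc = pem_chain_check(TRUNCATED_CHAIN, &n);
    printf("truncated chain: rc=%d certs=%zu\n", rc, n);
    return 0;
}
```

A loader that only counts BEGIN markers, or that stops at the first complete certificate, would accept TRUNCATED_CHAIN and silently serve a one-certificate chain; surfacing PEM_TRUNCATED at load time is what keeps that from becoming a runtime handshake failure.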
What's Changed
- ci: add open fds valgrind check by @boquan-fang in #4851
- chore: add a cargo audit action by @dougch in #4862
- chore: bindings release 0.3.7 by @lrstewart in #4894
- test: add rust well-known-endpoint tests by @jmayclin in #4884
- test(s2n-tls-hyper): Add localhost http tests by @goatgoose in #4838
- ci: fixes for cargo audit by @dougch in #4895
- ci: grant dependabot status update permissions by @dougch in #4898
- doc: add information about s2n-tls software architecture by @boquan-fang in #4868
- test: remove load system certs functionality for s2n_default_tls13_config by @toidiu in #4897
- tests: pin tests to a numbered TLS1.2 policy by @toidiu in #4905
- build(deps): bump JulienKode/team-labeler-action from 0.1.1 to 1.3 in /.github/workflows by @dependabot in #4889
- build(deps): bump nixbuild/nix-quick-install-action from 21 to 29 in /.github/workflows by @dependabot in #4890
- test(s2n-tls-hyper): matching on s2n-tls error by @jmayclin in #4906
- build(deps): bump actions/checkout from 3 to 4 in /.github/workflows by @dependabot in #4888
- ci: Move kTLS test out of GeneralBatch by @dougch in #4904
- doc: document generating bindings with prebuilt libs2n by @jouho in #4872
- feat: add alert mappings for certificate errors by @camshaft in #4919
- test: pin optional client auth test to a TLS 1.2 policy by @toidiu in #4914
- test: expand s2n_record_read testing to both TLS1.3 and TLS1.2 by @toidiu in #4903
- build(deps): bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2 in /.github/workflows by @dependabot in #4892
- chore: Ocsp timeout adjustment by @dougch in #4866
- chore(bindings): feature gate network tests by @jmayclin in #4907
- ci: add awslc-fips and openssl-1.0.2-fips to valgrind by @boquan-fang in #4912
- upgrade cmake version to 3.9 by @jouho in #4933
- chore: add new team member by @CarolYeh910 in #4939
- (chore): Fixes team-label github action by @maddeleine in #4935
- test: pin tests to TLS 1.2/TLS 1.3 policy by @toidiu in #4926
- fix(bindings): address clippy issues from 1.83 by @jmayclin in #4941
- ci(refactor): remove Valgrind checks from omnibus and generalBatch by @boquan-fang in #4913
- ci: add openssl-1.0.2-fips to fuzz test by @boquan-fang in #4942
- fix(s2n-tls-hyper): Add proper IPv6 address formatting by @goatgoose in #4938
- refactor: add a s2n_libcrypto_is_openssl() helper function by @toidiu in #4930
- ci(refactor): remove fuzz tests from Omnibus by @boquan-fang in #4945
- ci(refactor): remove ASAN from Omnibus and GeneralBatch by @boquan-fang in #4946
- test(bindings): run unit tests under asan by @jmayclin in #4948
- feat: feature probe S2N_LIBCRYPTO_SUPPORTS_ENGINE by @toidiu in #4878
- feat: TLS1.2 support for RSA-PSS certificates by @lrstewart in #4927
- ci: add change directory to third-party-src logic by @boquan-fang in #4950
- build(deps): bump github/codeql-action from 2 to 3 in /.github/workflows by @dependabot in #4917
- build(deps): bump cross-platform-actions/action from 0.23.0 to 0.26.0 in /.github/workflows by @dependabot in #4951
- build(deps): bump peaceiris/actions-gh-pages from 3 to 4 in /.github/workflows by @dependabot in #4921
- build(deps): bump actions/cache from 2.1.4 to 4.1.2 in /.github/workflows by @dependabot in #4928
- ci(refactor): deprecate Omnibus by @boquan-fang in #4953
- ci: batch dependabot updates by @jmayclin in #4959
- feat(bindings): enable application owned certs by @jmayclin in #4937
- ci: update CRT test ubuntu version to ubuntu24 by @boquan-fang in #4964
- tests: allow TLS1.2 with RSA-PSS certs in integ tests by @lrstewart in #4949
- feat(s2n-tls-hyper): Add support for negotiating HTTP/2 by @goatgoose in #4924
- build(deps): bump the all-gha-updates group in /.github/workflows with 5 updates by @dependabot in #4961
- (chore): Installs Nix in AL2023 Buildspec by @maddeleine in #4934
- chore(binding): release 0.3.8 by @boquan-fang in #4969
- chore: fix GHA for merge-queue by @dougch in #4973
- chore(bindings): move tokio examples to dedicated folder by @jmayclin in #4954
- docs: specify s2n_blob growable conditions by @jmayclin in #4943
- fix: pem parsing detection of last cert errors by @lrstewart in #4908
- refactor(bench): remove historical benchmarks by @jmayclin in #4940
New Contributors
- @dependabot made their first contribution in #4889
- @CarolYeh910 made their first contribution in #4939
Full Changelog: v1.5.9...v1.5.10
Release: v1.5.9
Weekly release for November 13 2024
Summary
- Disables use of the atexit handler to clean up global state. See GHSA-rp9h-rf7g-hwgr.
What's Changed
- chore: configure dependabot by @dougch in #4861
- chore: broaden use of flaky mark by @dougch in #4865
- feat: Reworking cleanup behavior by @maddeleine in #4871
Full Changelog: v1.5.8...v1.5.9
Release: v1.5.8
Weekly release for November 12 2024
What's Changed
- fix: typo in comment of s2n_self_talk_tls13_test by @boquan-fang in #4864
- doc: fix incorrect README references by @jouho in #4863
- chore: bindings release 0.3.6 by @goatgoose in #4867
- build: add s2n_prelude.h to consolidate defines by @camshaft in #4465
- fix: move prelude inclusion as PRIVATE by @camshaft in #4876
- ci: remove www.mozilla.com from well-known to unblock CI by @toidiu in #4880
- ci: Clean dup source tree for CRT by @dougch in #4882
- chore: remove unused benchmarks by @jmayclin in #4869
- feat: add new security policy 20241106 by @toidiu in #4874
- chore: update github PR template by @lrstewart in #4885
- fix: fix open AF_INET sockets in s2n_self_talk_ktls_test.c by @boquan-fang in #4852
Full Changelog: v1.5.7...v1.5.8
Release: v1.5.7
Weekly release for November 01 2024
Summary
- Adds the s2n_connection_get_certificate_match() API, which allows users to determine whether the server was able to provide the client with a certificate chain that matched the client's SNI extension.
- Adds the s2n_cleanup_final() API, which allows users to completely clean up and deinitialize s2n-tls, regardless of the s2n-tls atexit configuration.
- Fixes poll_flush() in the rust bindings to properly flush pending send data without producing an error.
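Added illustration of the outcomes a server can observe when it picks a certificate for the client's SNI, which is what s2n_connection_get_certificate_match() reports: an exact name match, a wildcard match, no match, or no SNI sent at all. This is not s2n-tls's implementation and the enum and function names here are hypothetical; it classifies an SNI host name against the DNS names on the selected certificate using the RFC 6125 rules (a wildcard only as the entire leftmost label, covering exactly one label, compared case-insensitively). The certificate names are a constructed sample.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this illustration, not s2n-tls's own enum. */
enum sni_match {
    SNI_NONE = 0,           /* client sent no SNI extension */
    SNI_EXACT_MATCH = 1,    /* a certificate name equals the SNI host name */
    SNI_WILDCARD_MATCH = 2, /* only a wildcard name covers the SNI host name */
    SNI_NO_MATCH = 3        /* no name on the certificate covers it */
};

/* Case-insensitive equality for ASCII DNS names. */
static int dns_name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b)) {
            return 0;
        }
    }
    return *a == '\0' && *b == '\0';
}

/* Does one certificate name cover the SNI host name?
 * Per RFC 6125 section 6.4.3 a wildcard is accepted only as the entire
 * leftmost label ("*.example.com") and matches exactly one label, so
 * "*.example.com" covers "api.example.com" but neither "example.com"
 * nor "a.b.example.com". Sets *is_wildcard when the match used one. */
static int cert_name_covers(const char *cert_name, const char *sni, int *is_wildcard)
{
    *is_wildcard = 0;
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(sni, '.');
        if (dot == NULL || dot == sni) {
            return 0; /* need a non-empty leftmost label to stand in for '*' */
        }
        if (!dns_name_eq(dot + 1, cert_name + 2)) {
            return 0; /* parent domain differs, or the SNI has extra labels */
        }
        *is_wildcard = 1;
        return 1;
    }
    return dns_name_eq(cert_name, sni);
}

/* Classify the server's certificate choice for a given client SNI.
 * An exact match wins over a wildcard match when both are present. */
enum sni_match classify_sni_match(const char *sni, const char *const *cert_names, size_t n)
{
    if (sni == NULL || *sni == '\0') {
        return SNI_NONE;
    }
    int saw_wildcard = 0;
    for (size_t i = 0; i < n; i++) {
        int wc = 0;
        if (cert_name_covers(cert_names[i], sni, &wc)) {
            if (!wc) {
                return SNI_EXACT_MATCH;
            }
            saw_wildcard = 1;
        }
    }
    return saw_wildcard ? SNI_WILDCARD_MATCH : SNI_NO_MATCH;
}

/* Constructed sample: the DNS names on the certificate the server selected. */
static const char *const EXAMPLE_CERT_NAMES[] = { "www.example.com", "*.example.com" };
#define EXAMPLE_CERT_NAME_COUNT (sizeof(EXAMPLE_CERT_NAMES) / sizeof(EXAMPLE_CERT_NAMES[0]))

/* Convenience wrapper over the constructed certificate names. */
enum sni_match example_match(const char *sni)
{
    return classify_sni_match(sni, EXAMPLE_CERT_NAMES, EXAMPLE_CERT_NAME_COUNT);
}

int main(void)
{
    const char *probes[] = { "www.example.com", "api.example.com", "example.com",
                             "a.b.example.com", "WWW.EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("%-18s -> %d\n", probes[i], (int) example_match(probes[i]));
    }
    printf("%-18s -> %d\n", "(no SNI)", (int) example_match(NULL));
    return 0;
}
```

The distinction matters operationally: a server that answers with a certificate for a name the client never asked for will still complete the handshake with lax clients, so a no-match status is the signal to alert on when auditing which certificates a multi-domain config actually serves.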
What's Changed
- (feat): Adds certificate match metrics API by @maddeleine in #4844
- chore: grant duvet more permissions by @dougch in #4854
- chore: bindings release 0.3.5 by @toidiu in #4860
- test(bindings): Consolidate test pems by @goatgoose in #4858
- feat: Adds cleanup_final by @maddeleine in #4853
- fix(bindings): correct poll_flush implementation by @lrstewart in #4859
- docs: update fips documentation to specify supported libcrypto by @toidiu in #4857
- fix: close all /dev/urandom open fds by @boquan-fang in #4835
Full Changelog: v1.5.6...v1.5.7
Release: v1.5.6
Weekly release for October 23 2024
What's Changed
- chore: remove make fuzz and AFL fuzz by @jouho in #4808
- docs: update stateful resumption doc by @jouho in #4818
- Add ML-KEM Feature Probe and Test by @alexw91 in #4823
- ci: Add ubuntu24 with a new cmake buildspec by @dougch in #4824
- feature: bump cert authorities max size to 20kb by @lrstewart in #4832
- ci: add more libcryptos for fuzz batch & follow cmake idioms by @jouho in #4795
- chore: Adds print statements to help debug s2n_dynamic_load_test by @maddeleine in #4836
- Add initial support for MLKEM768 (without any new Security Policies) by @alexw91 in #4816
- ci: update ubuntu versions by @boquan-fang in #4828
- Update FIPS rules for ML-KEM by @alexw91 in #4829
- fix: some open AF_UNIX sockets in forked child processes by @boquan-fang in #4834
- ci: Re-enable asan and ubsan for fuzz tests by @jouho in #4840
- fix: fix s2n_io_pair_close_one_end by @boquan-fang in #4841
- chore: flip 2 GHAs to use short lived creds. by @dougch in #4839
- bindings: pin openssl crate to 0.10.66 by @camshaft in #4849
- fix: fix opened AF_UNIX sockets that didn't call s2n_io_pair_close by @boquan-fang in #4833
- Add new MLKEM TLS Policies by @alexw91 in #4830
- chore: remove unused compile definition by @jmayclin in #4815
- chore(GHA): Update duvet arguments by @dougch in #4850
- chore: Fix failing OIDC workflows; cleanup unused actions by @dougch in #4848
Full Changelog: v1.5.5...v1.5.6
Release: v1.5.5
What's Changed
- feat(bindings): add set receive buffering to the rust bindings by @zz85 in #4817
- feat: add s2n_cleanup_thread by @WesleyRosenblum in #4584
- chore: bindings release 0.3.4 by @jouho in #4819
- chore: bump awslc(non FIPS) to 1.36.0 by @dougch in #4821
Full Changelog: v1.5.4...v1.5.5
Release: v1.5.4
Weekly release for October 03 2024
What's Changed
- chore(bindings): pin unicode-width by @lrstewart in #4785
- fix: update ja4 compliance by @lrstewart in #4773
- docs: clarify pre-TLS1.2 support by @lrstewart in #4780
- chore: bindings release 0.3.3 by @jouho in #4791
- test: disallow explicit use of "default" policy in tests by @toidiu in #4750
- Al2023 codebuild by @dougch in #4756
- ci: add buildspec file for scheduled fuzzing by @jouho in #4763
- fix: don't iterate over certs if not validating certs by @lrstewart in #4797
- fix(bindings): handle failures from wipe by @lrstewart in #4798
- ci: use temporary directory for s2n_head build by @lrstewart in #4771
- fix: pem parsing should allow single dashes in comments by @lrstewart in #4787
- refactor: clean up CMakelists.txt by @jmayclin in #4779
- test: only build requested unit tests in nix by @lrstewart in #4770
- docs: Update certificate loading documentation by @goatgoose in #4790
- ci: run clippy on all features by @lrstewart in #4809
- ci: use clang to build awslc by @dougch in #4794
- ci: check for s2n_array_len in loop bounds by @lrstewart in #4802
- Revert "test: disallow explicit use of "default" policy in tests (#4750)" by @toidiu in #4812
- CI: Adding CTest memcheck to CodeBuild by @boquan-fang in #4776
- refactor(bindings): add general bindings error context by @lrstewart in #4811
- Update PQ code to be generic over EVP_KEM API's by @alexw91 in #4810
- feature(bindings): scheduled renegotiation via poll_recv by @lrstewart in #4764
- refactor: make s2n_array_len constant by @lrstewart in #4801
Full Changelog: v1.5.3...v1.5.4
Release: v1.5.3
Weekly release for September 20 2024
What's Changed
- fix: add missing null-checks in s2n_connection.c by @jouho in #4754
- fix(bindings): unpin jobserver by @toidiu in #4758
- fix: update handling of ja4 alpn edge cases by @lrstewart in #4755
- CI: enable fuzz test build with cmake by @jouho in #4743
- ci: Emit CloudWatch metrics from rust benchmarks by @goatgoose in #4742
- chore(bindings): release 0.3.2 by @dougch in #4760
- test: avoid mutating static configs in tests by @toidiu in #4749
- ci: use newer version of libFuzzer by @jouho in #4762
- test: use seccomp on handshake test by @lrstewart in #4768
- test: refactor pcap test to use version from rtshark by @lrstewart in #4774
- docs(bindings): example for Policy::from_version by @jmayclin in #4731
- ci: refactor fuzz buildspec by @jouho in #4783
Full Changelog: v1.5.2...v1.5.3
Release: v1.5.2
Weekly release for September 06 2024
What's Changed
- fix(bindings): ConfigPool should always yield associated connections by @jmayclin in #4708
- Adding a harness for session resumption in regression test by @kaukabrizvi in #4706
- chore(bindings): release 0.3.1 by @dougch in #4719
- docs: Add a supported platforms section by @dougch in #4695
- Reorder PR and Mainline in Regression Test Runner by @kaukabrizvi in #4720
- chore: bump versions of aws-lc and aws-lc-fips by @dougch in #4716
- fix: correct JA4 alpn parsing by @lrstewart in #4721
- tests: add JA4 pcap tests by @lrstewart in #4714
- refactor: minor fixes for common fingerprint code by @lrstewart in #4712
- fix: resolve UBSAN violations in the codebase by @boquan-fang in #4722
- chore: cleanup old docker dev build by @dougch in #4729
- ci: add separate license check by @jmayclin in #4727
- fix(ci): update CBMC proofs' Makefile.common by @tautschnig in #4703
- fix: Cleanup libcrypto errors by @goatgoose in #4733
- chore(integrationv2): add license header by @jmayclin in #4732
- ci: Add UBSAN test to the sanitizer by @boquan-fang in #4740
- tests(pcaps): download additional pcaps by @lrstewart in #4728
- docs: add test readme by @jmayclin in #4718
- Update to CBMC 6.2.0 by @rod-chapman in #4746
- ci: Al2023 CodeBuild script by @dougch in #4737
- refactor: make s2n_stuffer_read_hex match s2n_stuffer_read by @lrstewart in #4726
- refactor: move s2n_result functions inline by @camshaft in #4739
- tests(pcap): fix support for older tshark versions by @lrstewart in #4744
- Replace memcmp with s2n_constant_time_equals by @boquan-fang in #4709
Full Changelog: v1.5.1...v1.5.2
Release: v1.5.1
Weekly release for August 20 2024
What's Changed
- docs: add pq to usage guide by @lrstewart in #4677
- chore: remove unused benchmarks by @jmayclin in #4696
- Modify regression threshold to configurable percentage by @kaukabrizvi in #4698
- New s2n core member by @boquan-fang in #4707
- Add s2n_signature_preferences_20240521 by @raycoll in #4565
- fix: Initial config influences client hello parsing by @maddeleine in #4676
- ci(nix): Startup/configure apache for renegotiate test under nix by @dougch in #4592
- fix: building for AL2 by @lucykorea414 in #4679
- Clarify s2nc/s2nd PQ output by @lrstewart in #4702
- feat: JA4 fingerprinting by @lrstewart in #4669
- Add performance regression tests in CI by @kaukabrizvi in #4701
New Contributors
- @boquan-fang made their first contribution in #4707
- @lucykorea414 made their first contribution in #4679
Full Changelog: v1.5.0...v1.5.1