Merge smarter certificate selection for pre-TLS-1.2 clients

commit: e522d0fa57773d781f1fa2be6d473529f401a4c6 [log] [tgz]
author: Paul Bakker <p.j.bakker@polarssl.org> Wed Jan 14 16:12:48 2015 +0100
committer: Paul Bakker <p.j.bakker@polarssl.org> Wed Jan 14 16:12:48 2015 +0100
tree: 9df6cc2df7641899c6354e6c1ed3abf92a3df9c8
parent: 9835bc077a8880ec28c5aa27ca91f35cd480ec10 [diff] [blame]
parent: 6f303ce19e667355c0d8af1081d61d796391b1d9 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 0ea522e..32e20bd 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -29,6 +29,8 @@
      length of an X.509 verification chain.
    * Support for renegotiation can now be disabled at compile-time
    * Support for 1/n-1 record splitting, a countermeasure against BEAST.
+   * Certificate selection based on signature hash, prefering SHA-1 over SHA-2
+     for pre-1.2 clients when multiple certificates are available.
 
 Bugfix
    * Stack buffer overflow if ctr_drbg_update() is called with too large
@@ -51,6 +53,9 @@
    * debug_print_buf() now prints a text view in addition to hexadecimal.
    * Skip writing and parsing signature_algorithm extension if none of the
      key exchanges enabled needs certificates.
+   * A specific error is now returned when there are ciphersuites in common
+     but none of them is usable due to external factors such as no certificate
+     with a suitable (extended)KeyUsage or curve or no PSK set.
 
 = PolarSSL 1.3.9 released 2014-10-20
 Security
commit	e522d0fa57773d781f1fa2be6d473529f401a4c6	[log] [tgz]
author	Paul Bakker <p.j.bakker@polarssl.org>	Wed Jan 14 16:12:48 2015 +0100
committer	Paul Bakker <p.j.bakker@polarssl.org>	Wed Jan 14 16:12:48 2015 +0100
tree	9df6cc2df7641899c6354e6c1ed3abf92a3df9c8
parent	9835bc077a8880ec28c5aa27ca91f35cd480ec10 [diff] [blame]
parent	6f303ce19e667355c0d8af1081d61d796391b1d9 [diff] [blame]