path: root/CHANGES
author Viktor Dukhovni <openssl-users@dukhovni.org> 2016-01-07 22:00:14 -0500
committer Viktor Dukhovni <openssl-users@dukhovni.org> 2016-01-07 22:00:14 -0500
commit 59fd40d4e5030a7257edd11d758eab1dcebb3787 (patch)
tree 250c0e55669e1563a59f79fb10f43707e0b414a2 /CHANGES
parent 60d8edbc0982cc910a1edcb43cf318dc2c7c08cf (diff)
download openssl-59fd40d4e5030a7257edd11d758eab1dcebb3787.tar.gz
DANE CHANGES
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 14
1 files changed, 14 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index b5a9e1e967..4e305721e3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,20 @@
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
*) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
continues to support deprecated interfaces in default builds.
However, applications are strongly advised to compile their
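Review bot: the sentence "Obtaining and performing DNSSEC validation of TLSA records is the application's responsibility" should state the consequence of getting this wrong, since CHANGES is where integrators first see the feature: TLSA records that were not obtained with DNSSEC validation (or that did not come back with a secure status) must not be handed to OpenSSL at all, because the library treats whatever records it is given as authoritative for peer authentication, so an attacker who can spoof DNS would then control the "pins". The paragraph about local pinning already makes clear that the library does no DNS lookup of its own, so a one-line caveat next to the DNSSEC sentence ("Only DNSSEC-validated TLSA records should be supplied; unvalidated records provide no security") would close the gap. A second, smaller point: the entry names no API entry point, so a reader of CHANGES cannot tell which function enables DANE on a context or connection or which one supplies the TLSA records; naming those functions here (as other entries in this file do) would let readers find the corresponding manual pages.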