Releases: aws/s2n-tls
Releases · aws/s2n-tls
Release: v1.5.21
Weekly release for Jun 04 2025
Release Summary
- Fixed bug preventing use of ML-DSA with mainline AWSLC built in FIPS mode
What's Changed
- feat(bindings): expose custom critical extension API by @CarolYeh910 in #5337
- tests(integ): fix nondeterministic ocsp test shutdown behavior by @lrstewart in #5340
- chore: Bindings release 0.3.21 by @dougch in #5344
- ci: workaround for nix + gnutls + ubuntu24 issue by @lrstewart in #5345
- fix: do not use "digest and sign" for ML-DSA in FIPS mode by @lrstewart in #5348
Full Changelog: v1.5.20...v1.5.21
Contributors
lrstewart, dougch, and CarolYeh910
Assets 2
Release: v1.5.20
Weekly release for May 30 2025
Release Summary:
- Add a new CertificateRequest callback to allow clients to select a certificate chain during the handshake.
- Add support for custom critical certificate extensions. Users MUST validate their custom extensions in the cert validation callback or after the handshake.
What's Changed
- feat(examples): add key log example by @jmayclin in #5314
- build(deps): bump the all-gha-updates group across 1 directory with 3 updates by @dependabot in #5315
- Add CertificateRequest certificate selection callback by @Mark-Simulacrum in #5318
- CertificateRequest Rust bindings by @Mark-Simulacrum in #5331
- chore: bindings release 0.3.20 by @goatgoose in #5332
- fix(benches): reuse config for handshakes by @jmayclin in #5319
- feat: add custom critical extension support by @CarolYeh910 in #5321
- ci: Use official libcrypto verification model repository by @goatgoose in #5336
- chore(ci): Pin parking_lot_core, lock_api by @goatgoose in #5338
Full Changelog: v1.5.19...v1.5.20
Contributors
goatgoose, Mark-Simulacrum, and 3 other contributors
Assets 2
Release: v1.5.19
Release Summary:
- Adds support for post-quantum ML-DSA certificates
What's Changed
- ci: handle 429 from yahoo.com network integ test by @lrstewart in #5280
- ci: fix expectations when using system default libcrypto by @lrstewart in #5279
- chore: bindings release 0.3.18 by @johubertj in #5284
- build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows in the all-gha-updates group by @dependabot in #5273
- tests: improve coverage for s2n_stream_cipher_null by @wafuwafu13 in #5268
- chore: Add comments to track dependency requirements by @johubertj in #5287
- chore: bump standard MSRV to 1.82.0 by @johubertj in #5295
- tests: fix flaky test_serialization by @lrstewart in #5288
- build(deps): bump aws-actions/configure-aws-credentials from 4.1.0 to 4.2.0 in /.github/workflows in the all-gha-updates group by @dependabot in #5297
- build(deps): update env_logger requirement from 0.10 to 0.11 in /bindings/rust/standard by @dependabot in #5296
- tests: reduce integ test flakiness + improve debugability by @lrstewart in #5282
- feat: Add
as_ptr()API for Config by @goatgoose in #5274 - build(deps): update test-log-macros requirement from =0.2.14 to =0.2.17 in /bindings/rust/standard by @dependabot in #5290
- build(deps): update strum requirement from 0.25 to 0.27 in /bindings/rust/standard by @dependabot in #5292
- chore: bindings release 0.3.19 by @goatgoose in #5298
- build: add pull requests limit for dependabot by @boquan-fang in #5299
- build(deps): unpin test-log because of MSRV updates by @boquan-fang in #5300
- refactor: remove conn->client_hello_version by @lrstewart in #5278
- feature: add crypto support for mldsa signing by @lrstewart in #5272
- chore: Update Apache test certificates from RSA1024 to RSA2048 by @dougch in #5285
- Revert "build: add pull requests limit for dependabot" by @boquan-fang in #5302
- tests: turn verbose mode off by default in integ tests by @lrstewart in #5286
- feature: support for ML-DSA handshake signatures by @lrstewart in #5303
- feature: release ML-DSA support by @lrstewart in #5307
- fix(benches): use session ticket for resumption by @jmayclin in #5305
- tests: policy snapshot test by @lrstewart in #5309
- chore: Bump nixpkgs version to 24.11 by @dougch in #5294
- Remove unused negotiate_kem function causing build failure by @Mark-Simulacrum in #5316
New Contributors
- @wafuwafu13 made their first contribution in #5268
Full Changelog: v1.5.18...v1.5.19
Contributors
goatgoose, Mark-Simulacrum, and 7 other contributors
Assets 2
v1.5.18
Weekly release for April 28 2025
Release summary:
- Adds a new security policy (20250414), which fixes a gap in compatibility in 20250211 by extending the allowed signatures to include those on P-256.
What's Changed
- chore(ci): revert nix installer pin by @dougch in #5251
- ci: add awslcfips to nix jobs by @dougch in #5205
- chore: add new team member by @anupamym in #5259
- chore: bindings release 0.3.17 by @anupamym in #5260
- refactor: cleanup hash to better support multiple implementations by @lrstewart in #5258
- tests: add ml-dsa test certs from RFC by @lrstewart in #5261
- feature: add support for configuring (but not yet using) ml-dsa certs by @lrstewart in #5263
- Add 20250414 security policy by @Mark-Simulacrum in #5253
- refactor: remove unused hash methods by @lrstewart in #5269
- build(deps): bump JulienKode/team-labeler-action from 1.3.0 to 2.0.0 in /.github/workflows in the all-gha-updates group by @dependabot in #5252
- build: add -Wa,-mbranches-within-32B-boundaries compiler flag by @johubertj in #5267
New Contributors
Full Changelog: v1.5.17...v1.5.18
Contributors
Mark-Simulacrum, lrstewart, and 4 other contributors
Assets 2
Release: v1.5.17
Weekly release for April 17 2025
What's Changed
- ci: pin nix installer to older version by @dougch in #5245
- chore: Fix new clippy warning by @goatgoose in #5243
- ci: rebalance integV2 testcases by @johubertj in #5232
- fix: tainted handshake.io and add large client hello test by @boquan-fang in #5208
- chore: bindings release 0.3.16 by @goatgoose in #5242
- refactor: remove legacy pkey impls by @lrstewart in #5241
- Revert "ci: exclude new setuptools (#5215)" by @jmayclin in #5226
- fix: make -fPIC flag private by @jmayclin in #5227
- doc: tainted stuffer reset operation by @boquan-fang in #5231
- feat: Expose
as_ptr()for external build by @goatgoose in #5229 - ci: pytest generate junit reports by @dougch in #5235
- ci: use correct openssl version for updated AL2023 version by @jouho in #5255
Full Changelog: v1.5.16...v1.5.17
Contributors
goatgoose, lrstewart, and 5 other contributors
Assets 2
Release: v1.5.16
Weekly release for April 03 2025
Release summary:
- This change is considered a behavior change, though we don’t expect it to have impact. The potential impact shows up as a minor decrease in the amount of session tickets sent to clients in TLS1.2 connections, which may translate to a decrease in the amount of resumed handshakes. Look for handshakes in your logs of type “NEGOTIATED:WITH_SESSION_TICKET” to determine the precise number of handshakes that will no longer be sending session tickets. #5217
- Adds s2n_connection_get_key_exchange_group for getting the negotiated named group. #5209
- Deprecate experimental TLS 1.2 PQ security policies. This does not affect ML-KEM or any use of standard TLS1.3 PQ. #5194
- Fix handshake message length integer overflow in s2n_handshake_finish_header. #5206
What's Changed
- ci: add libcrypto openssl-3.0-fips to integ tests by @lrstewart in #5202
- ci: add openssl-3.0-fips to asan build properly by @lrstewart in #5204
- fix: handshake message length integer overflow in s2n_handshake_finish_header by @boquan-fang in #5206
- chore: deprecate s2n_set by @jmayclin in #5155
- chore: binding release 0.3.14 by @maddeleine in #5210
- Remove PQ TLS 1.2 from all Security Policies by @alexw91 in #5194
- ci: exclude new setuptools by @jmayclin in #5215
- fix: Update README.md to include Rust bindings docs by @maddeleine in #5212
- feat: add s2n_connection_get_key_exchange_group by @WesleyRosenblum in #5209
- chore: bindings release 0.3.15 by @jmayclin in #5221
- ci: add openssl-3.0-fips to valgrind by @johubertj in #5211
- docs: fix openssl-3.0-fips provider requirements documentation by @lrstewart in #5214
- refactor(bindings): use implicit linking for aws-lc by @jmayclin in #5218
- fix: tighten session ticket lifetime by @CarolYeh910 in #5217
- ci: Fix cppcheck build by @goatgoose in #5238
- refactor: implement match the same for all pkeys by @lrstewart in #5224
- ci: add openssl-3.0-fips to general batch by @lrstewart in #5207
- refactor: add evp pkey size/encrypt/decrypt methods by @lrstewart in #5225
- feat(bindings): expose certificate match api by @johubertj in #5220
- ci: add ruff linting by @johubertj in #5182
Full Changelog: v1.5.15...v1.5.16
Contributors
alexw91, goatgoose, and 7 other contributors
Assets 2
Release: v1.5.15
Weekly release for March 20 2025
Release Summary:
- Added support for FIPS mode when built with FIPS-validated Openssl-3.0
What's Changed
- chore(ci): pin symbolic-common by @lrstewart in #5166
- chore: binding release 0.3.13 by @lrstewart in #5167
- refactor: add libcrypto PRF impl for openssl-3.0-fips by @lrstewart in #5158
- build(deps): bump nixbuild/nix-quick-install-action from 29 to 30 in /.github/workflows in the all-gha-updates group by @dependabot in #5153
- style: fix redundant return by @jmayclin in #5150
- chore: update git blame ignore commit ID by @johubertj in #5164
- tests: fix flaky ja4 test by @lrstewart in #5169
- fix: mark chachapoly as unavailable with openssl-3.0-fips by @lrstewart in #5168
- fix(ruff): resolve linting errors detected by Ruff by @johubertj in #5140
- chore: pin once_cell version to unblock the CI by @boquan-fang in #5174
- ci: use ruff --diff instead of --check by @lrstewart in #5177
- (docs): Improve PQ docs by @maddeleine in #5173
- test(integv2): add partial support for OpenSSL 3.0 provider by @johubertj in #5131
- ci: make start_codebuild.sh work for forks by @lrstewart in #5178
- chore: add inline noqa suppression by @johubertj in #5159
- test(integv2): reduce parameter selection by @johubertj in #5161
- test: fix self-talk pkey offload test for openssl-3.0-fips by @lrstewart in #5175
- chore: bump linting action Ubuntu version by @boquan-fang in #5186
- build(deps): update aws-lc-rs version to remove paste deps by @boquan-fang in #5192
- ci: cleanup awslc-fips versioning by @dougch in #5156
- chore: include Need By Date section in github issue template by @boquan-fang in #5187
- ci: move openssl3fips build to existing asan build by @lrstewart in #5181
- fix: openssl-3.0-fips should use separate private rand by @lrstewart in #5184
- fix: remove unnecessary RC4 restriction by @lrstewart in #5170
- fix: openssl-3.0-fips should use libcrypto HKDF by @lrstewart in #5183
- ci: defend against unset version number in awslc installer by @dougch in #5195
- feature: openssl-3.0-fips support by @lrstewart in #5191
Full Changelog: v1.5.14...v1.5.15
Contributors
lrstewart, dependabot, and 5 other contributors
Assets 2
Release: v1.5.14
Weekly release for March 05 2025
Release Summary
- Customers can now associate an arbitrary context with application owned certificate chains in the rust bindings.
- A small memory leak related to session resumption was resolved. Long lived applications with session resumption enabled will see a reduction in the memory footprint of s2n_config.
What's Changed
- tests: use sig schemes as source of truth for valid hash+sig algs by @lrstewart in #5129
- build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap in the all-cargo-updates group across 1 directory by @dependabot in #5087
- test(integv2): fixes to allow test_record_padding to partially run by @johubertj in #5099
- chore(nix): Add aws-lc-fips 2022/4 by @dougch in #5109
- chore(ruff): apply formatting and integrate into CI by @johubertj in #5138
- feat(bindings): expose context on cert chain by @jmayclin in #5132
- refactor: cleanup prf header by @lrstewart in #5144
- refactor: add alternative EVP signing method by @lrstewart in #5141
- fix: memory leak during STEK rotation by @jmayclin in #5146
- chore(ci): make the awslc fips install script version aware by @dougch in #5100
- refactor: remove unused prf hmac impls by @lrstewart in #5148
- chore(bindings): change in rustup behavior by @dougch in #5160
- chore: git-blame-ignore ruff formatting by @johubertj in #5151
- tests: try to make s2n_mem_usage_test more useful by @lrstewart in #5139
Full Changelog: v1.5.13...v1.5.14
Contributors
lrstewart, dependabot, and 3 other contributors
Assets 2
Release: v1.5.13
Weekly release for February 22 2025
Release Summary
- Add bindings for the External PSK functionality.
- Adds
20250211, a TLS 1.3-exclusive security policy intended for RFC 9151 migration. - A breaking change was made to the renegotiation callback interface. This only affects Rust customers using the unstable-renegotiate
feature. - Adds an option to prevent s2n-tls from overriding the libcrypto RAND engine.
- Adds async support to
s2n_cert_validation_callback. - Reduced connection memory usage by an estimated 4 to 5 percent.
- A successful cert validation callback should return only
S2N_SUCCESS. Previously, both 0 and any positive return value were considered successful.
What's Changed
- test: add minimal openssl-3.0-fips test by @lrstewart in #5081
- feat(bindings): add external psk apis by @jmayclin in #5061
- Fixed formatting for debugging statements by @johubertj in #5094
- chore: ktls buildspec by @dougch in #5083
- chore: bindings release 0.3.11 by @goatgoose in #5098
- fix(integrationv2): Skip unsupported client auth tests by @goatgoose in #5096
- build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory by @dependabot in #5107
- refactor: remove s2n_hmac_is_available by @lrstewart in #5104
- refactor: remove unused evp support for md5+sha1 by @lrstewart in #5106
- fix: allow b64 decoding using libcrypto for sidechannel resistance by @jmayclin in #5103
- fix: don't enable custom random for openssl fips by @jmayclin in #5093
- ci: add default provider to openssl-3.0-fips by @lrstewart in #5114
- Revert "refactor: remove unused evp support for md5+sha1 (#5106)" by @lrstewart in #5118
- Add new security policy (20250211) by @Mark-Simulacrum in #5111
- refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h by @lrstewart in #5117
- bindings: unpin openssl crate from a specific patch version by @boquan-fang in #5120
- chore: fix a typo in API comments by @boquan-fang in #5123
- build(deps): update rand requirement by @boquan-fang in #5125
- fix(bindings): make Context borrow immutable by @jmayclin in #5071
- feat: Option to disable RAND engine override by @goatgoose in #5108
- refactor: use EVP_MD_fetch() if available by @lrstewart in #5116
- chore: binding release 0.3.12 by @boquan-fang in #5128
- fix(bindings): remove mutation behind Arc by @jmayclin in #5124
- chore: remove unused well-known-endpoints.py by @jmayclin in #5127
- feat: add async cert validation support by @CarolYeh910 in #5110
- ci: add check for third-party-src in disable rand override buildspec by @boquan-fang in #5137
- refactor: always use EVP hashing by @lrstewart in #5121
- fix: update callback return value by @CarolYeh910 in #5136
- ci: always set values for command line defines by @lrstewart in #5126
Full Changelog: v1.5.12...v1.5.13
Contributors
goatgoose, Mark-Simulacrum, and 7 other contributors
Assets 2
Release: v1.5.12
Weekly release for February 10 2025
Release summary
- Fix the improper calculation of session ticket lifetime.
- Adds support for consuming s2n-tls from CMake FetchContent with interning enabled.
- Adds a new Security Policy deprecation mechanism, and deprecate the SIKE PQ Security Policies.
What's Changed
- fix(bindings): Specify correct minimum versions by @goatgoose in #5028
- ci: add timeout for cbmc proof by @boquan-fang in #5038
- test: add sslv2 client hello test w/ jvm by @jmayclin in #5019
- docs: add C / s2n-tls-sys doc references to s2n-tls docs by @lrstewart in #5012
- Add Security Policy Deprecation API by @alexw91 in #5034
- ci: add openssl-3.0-fips builds by @lrstewart in #5037
- fix: initial config should not influence sslv2 by @jmayclin in #4987
- chore: bindings release for 0.3.10 by @boquan-fang in #5046
- chore: bump osx Openssl to latest by @dougch in #5041
- chore: fix typos by @jmayclin in #5052
- build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0 in /.github/workflows in the all-gha-updates group by @dependabot in #5053
- ci: pin duvet version by @lrstewart in #5057
- refactor: remove openssl-1.0.2-fips 'allow md5' logic by @lrstewart in #5048
- ci: Adding integ tests back to integv2 by @maddeleine in #5054
- refactor: cleanup CBMC proofs after #5048 by @lrstewart in #5058
- feat(bench): impl into for base config type by @jmayclin in #5056
- Revert "ci: remove openssl-1.0.2-fips builds (#4995)" by @lrstewart in #5060
- ci: change rust-toolchain format to toml by @CarolYeh910 in #5070
- ci: Emit benchmark metrics from scheduled runs by @goatgoose in #5064
- fix(bindings): prevent temp connection free after panic by @jmayclin in #5067
- docs(integv2): add architecture diagram by @jmayclin in #5072
- docs(s2n-tls-hyper): Add hyper client/server example by @goatgoose in #5069
- ci: fix dependabot, commit & check Cargo.toml by @CarolYeh910 in #5065
- fix(integration): Update PQ integration test expectations by @goatgoose in #5082
- fix: add support for
S2N_INTERN_LIBCRYPTOwith FetchContent by @kou in #5076 - fix: calculation of session ticket age by @boquan-fang in #5001
- fix: error for uninit psk, check for all-zero psk by @jmayclin in #5084
- fix: don't use DEPENDS with add_custom_command(TARGET) by @kou in #5074
- fix(ci): Allow validate_start_codebuild to run on pushes to main by @goatgoose in #5080
New Contributors
Full Changelog: v1.5.11...v1.5.12
Contributors
kou, alexw91, and 8 other contributors