This release is based on LibreSSL 3.4.1:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt
The shared library major version of libtls has been bumped to 22.
tls_connect(3) and friends now strip a trailing dot from servername.
A release tarball for this version can be downloaded from:
https://causal.agency/libretls/libretls-3.4.1.tar.gz
----- Original message -----
From: Brent Cook <busterb@gmail.com>
To: announce@openbsd.org
Cc: libressl@openbsd.org
Subject: LibreSSL 3.4.1 Released
Date: Thursday, October 14, 2021 21:10
We have released LibreSSL 3.4.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.4.x branch, also available with OpenBSD 7.0.
It includes the following changes from LibreSSL 3.3.x
* New Features
- Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
- Enabled the new X.509 validator to allow verification of
modern certificate chains.
* Portable Improvements
- Added Universal Windows Platform (UWP) build support.
- Fixed mingw-w64 builds on newer versions with missing SSP support.
* API and Documentation Enhancements
- Added the following APIs from OpenSSL
BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
EC_GROUP_order_bits EC_GROUP_set_curve
EC_POINT_get_affine_coordinates
EC_POINT_set_affine_coordinates
EC_POINT_set_compressed_coordinates EVP_DigestSign
EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
SSL_SESSION_set_max_early_data SSL_get_early_data_status
SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
SSL_set_ciphersuites SSL_set_max_early_data
SSL_set_post_handshake_auth
SSL_set_psk_use_session_callback
SSL_verify_client_post_handshake SSL_write_early_data
- Added AES-GCM constants from RFC 7714 for SRTP.
* Compatibility Changes
- Implement flushing for TLSv1.3 handshakes behavior, needed for Apache.
- Call the info callback on connect/accept exit in TLSv1.3,
needed for p5-Net-SSLeay.
- Default to using named curve parameter encoding from
pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
- Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
* Testing and Proactive Security
- Added additional state machine test coverage.
- Improved integration test support with ruby/openssl tests.
- Error codes and callback support in new X.509 validator made
compatible with p5-Net_SSLeay tests.
* Internal Improvements
- Numerous fixes and improvements to the new X.509 validator to
ensure compatible error codes and callback support compatible
with the legacy OpenSSL validator.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.