We have released LibreSSL 3.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This is the first development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8. It includes the following changes:
* Enable TLS 1.3 server side in addition to client by default.
With this change TLS 1.3 is handled entirely on the new stack
and state machine, with fallback to the legacy stack and
state machine for older versions. Note that the OpenSSL TLS 1.3
API is not yet visible/available.
* Improve length checks in the TLS 1.3 record layer and provide
appropriate alerts for violations of record layer limits.
* Enforce that SNI hostnames received by the TLS server are correctly
formed as per RFC 5890 and RFC 6066, responding with illegal parameter
for a nonconformant host name.
* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
retry of handshake messages.
* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
similar to new OpenSSL releases.
* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
* Add tlsfuzzer based regression tests.
* Support sending certificate status requests from the TLS 1.3
client to request OCSP staples for leaf certificates.
* Support sending certificate status replies from the TLS 1.3 server
in order to send OCSP staples for leaf certificates.
* Send correct alerts when handling failed key share extensions
on the TLS 1.3 server.
* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
switching from the new to legacy stacks.
* Support TLS 1.3 options in the openssl(1) command.
* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
* Modify "openssl x509" to display invalid certificate times as
invalid, and correctly deal with the failing return case from
X509_cmp_time so that a certificate with an invalid NotAfter does
not appear valid.
* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
* Ensure only PSS signatures are used with RSA in TLS 1.3.
* Ensure that TLS 1.3 clients advertise exactly the "null" compression
method in its legacy_compression_methods.
* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
s_client, which could lead to using 14 bytes of stack garbage instead
of an IPv6 address in DTLS mode.
* Use non-expired certificates first when building a certificate chain.
The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this