Releases: jruby/jruby-openssl
Releases · jruby/jruby-openssl
0.9.11
- add TLSv1_1_client, TLSv1_1_server, TLSv1_2_client and TLSv1_2_server options
to ssl_version (#65) - regression make sure we hold a buffered reader so that the loop continues
reading PEMs - previously introduced an incompatibility with cert verify (#67) - support negotiating up to TLS1_1 and TLS1_2 when the server supports these
ssl_versions (#63)
0.9.10
0.9.9
- regression causing to re-package a RaiseException in
SSLSocket#accept - fix load error: jopenssl/load -- java.lang.VerifyError: using BC 1.51 or 1.52 (#62)
- keep the default x509 certs and directories in line with MRI (#49), only if
they do not exists fallback on cacerts from the java.home/lib/security/cacerts
0.9.8
- refactor
PKCS5.pbkdf2_hmac_sha1to use BC APIs
thus less dependent on provider internals (jruby/jruby#3025) - HMAC - use our SimpleKey impl so that there's less[] copy
... also allows for an empty key to work like MRI (jruby/jruby#2854) - fixing oaep encryption to use correct algorithm (#54)
- [experimental] support NOT loading any (BC) jars on our own ... (#10)
- disable DHE (by default) on Java <= 7 ... on Java 8 we (still) force 1024/2048
(see jruby/jruby#2872 and #45) - regression handle parsing of "incomplete" X.509 certs like MRI does (#42)
- implement a CRL/certificate caching (for now off by default) in Lookup
... set -J-Djruby.openssl.x509.lookup.cache=true to enable - improve Store helper concurrency (with less synchronization)
- reviewed OpenSSL's .rb parts to match those present in MRI 1.9.3 / 2.2.2
- initial support for
OpenSSL::SSL::Session(id, time, timeout work) - session_cache_mode as present in OpenSSL makes no sense with Java APIs
- use the set SSLContext#session_cache_size on the underlying javax.net API
- tidy up SSLSocket's internals + add stack-trace debugging on accept/connect
- add SSLSocket ssl_version property like MRI has (#38)
- avoid unnecessary
_initializenaming - it's confusing to see in JVM tools - use SecurityHelper to get a X.509 certificate factory
we'll know prefer BC's X.509 factory over the built-in (Sun provider) one
0.9.7
- put in some more ossl to jsse mappings for SSL/TLS
(SSL_DHE_xxx, TLS_ECDH_xxx, TLS_ECDHE_xxx) - exclude SSLv2 in reported METHODS (all fine to close jruby/jruby#1874)
- support passing ssl_version as an argument to initialize SSLContext.new ...
- now that we've matched w MRI's SSLContext::METHODS don't report custom ones
- more ssl_version= compatibility fixes that match MRI (jruby/jruby#1736)
- support setting ssl_version = "TLSv1_1" (or "TLSv1_2") just like MRI
- [regression] make sure version is set when reading encoded certificate
- signature algorithm should be read as well when decoding certificate (#39)
- better accept handshake errors instead of "General SSLEngine problem (#37)
- trying to decode DER application specific objects (based on patch from #36)
- we've not been compatible with MRI's DES (EDE) - partly due DES(3) ECB
fixing jruby/jruby#2617 as well as jruby/jruby#931 - exclude reporting algorithms with CFB-1 cipher mode as supported (due #35)
- do not change CFB1 to CFB ... it's something different (although broken on BC)
- attempt to deal with update/final buffering incompatibility with MRI
- fix HMAC digest incorrect when data contains invalid characters (#33)
- add Gemfile and specify ruby-maven as dependency
- use SafePropertyAccessor to access properties instead of directly (#28)
- make sure SSLSocket's cipher and hostname are nil by default (avoids NPE)
- update to (packed) BC version 1.50 + start declaring 1.51 as semi-supported
0.9.6
- ClassCastException still happen deep within BC - turn them into SignatureExeption
- make sure empty object can be serialize via to_pem
- use the classname as message in case the exception has no message (jruby/jruby#2249)
- make sure X509Object list is synchronized properly
- use JRubyFile to get input-stream to file-resource fixes #11
- Cache the discovered classes for digest engines. Fixes #15.
- avoid the rest of Ruby.getGlobalRuntime usages - only worked in 1 runtime envs
- refactored CRL - using light-weight BC API (avoids deprecated X.509 generator)
- implement X509::Certificate#to_text for happiness (the MRI-way - only RSA for now)
- allow to "fake" our inspect() support and match MRI's X509::Certificate#inspect
- decode BC's ASN1Enumarated into a OpenSSL::ASN1::Enumerated
- we can (ASN.1) encode an infinite-length bit-string constructive
- turns out all ASN1 primitives in MRI have the infinite_length attribute
- support (so-far only dummy) @servername_cb attribute on SSLSocket
- handle (CRL) extension's issuerAltName wrapping without an exception
- fix SSL (cert) verification - now working on 1.8/1.9 better than before
- do not skip first 2 bytes of key identifier hash when encoding to hex!
- match X.509 extension short-comings of the Java API in order to align with MRI
- improve cert.extension's value - extendedKeyUsage was not returned correctly
- make sure ASN1::ObjectId.new(...).ln and ASN1::ObjectId.new(...).sn are correct!
- better working to_der conversion esp. with constructives (indefinite lengths)
- improve our ASN1 decoding for better MRI compatibility
- avoiding Krypt gem dependency completely (was used for OpenSSL::PKCS5)
- cleanup OpenSSL::Digest internals - make sure block_length works for more
- OpenSSL deprecated_warning_flag and check_func API compatibility stubs
- do not force loading of jar-dependencies + possibly respect jars skipped
- X509::Name.to_a compatibility - MRI seems to never return "UNDEF"
experimental support for passing down "real" Java JCE cipher names - rewriten Cipher internals - now faster, slimmer and more compatible than ever!
- rebuilt our global ASN1Registry and refactored it (back) internally to use string oids
- report OpenSSL::VERSION 1.1.0 since 1.9.3
- fill RaiseException's cause whenever we use a factory passing down a Throwable
- allow X509::Revoked.serial= to receive an integer
- make sure X509::CRL's to_text representation si (fully) MRI compatible
- handle authority key-id unwrapping correctly in X509::Extension#value
- long time coming - OpenSSL::X509::CRL support for loading revoked entries (#5)
- Reflect Java cacert location in DEFAULT_CERT_* constants (jruby/jruby#1953)
- X509::Certificate.new MRI compatibility + make sure inspect works the same
- BN.inspect() and make sure BN.new(0) works just fine (both as in MRI)
- X509::CRL instantiation compatibility with MRI
- inspect() X509::Certificate an X509::CRL just like MRI does
- handle OpenSSL::X509::Store.add error messages correctly (fix based on #6)
- update to using BC 1.49 by default (still compatible with older versions)
- implement X509::StoreContext#current_crl method
- support X509::StoreContext cleanup and error_depth instance methods
- support disabling of warnings using system property -Djruby.openssl.warn
- Throw error when chain certs are not OpenSSL::X509::Certificate (#3)
- avoid using JRuby IO APIs (will likely not work in 9k)
- make 'jopenssl/load' also work on jruby-1.6.8 mode 1.9
0.9.5
MASSIVE internal "rewrite" to avoid depending on a registered (BC) security
provider. This releases restores compatibility with BC version 1.47 while being
compatible with newer bouncy-castle jars as well (1.48, 1.49 and 1.50).
- handle SSLErrorWaitReadable/Writable as SSLErrors on Ruby 1.8 and 1.9 mode
- Treat SSL NOT_HANDSHAKING as FINISHED
- only add DER.TRUE when encoding X.509 extension when non-critical
- do not der encode non-critical flag in X509::Extension (jruby/jruby#389)
- SSLContext internals + support
SSLContext::METHODScorrectly (jruby/jruby#1596) - correct visibility of initialize* and respond_to_missing? methods
- fix spinning indefinitely on partial TLS record (jruby/jruby#1280)
- Support file input for PKey::RSA.new
- fix bug jruby/jruby#1156
- openssl: add handling for base 0 to new and to_s