11# Changelog
22
3+ ## 0.15.1 (2026-03-13)
4+
5+ This is a minor release with one security fix. It updates ` rustls ` to
6+ [ 0.23.37] ( https://github.com/rustls/rustls/releases/tag/v%2F0.23.37 ) .
7+
8+ ### Security
9+
10+ Updates ` rustls-webpki ` to
11+ [ 0.103.10] ( https://github.com/rustls/webpki/releases/tag/v%2F0.103.10 ) :
12+
13+ This update addresses
14+ [ RUSTSEC-2026-0049] ( https://rustsec.org/advisories/RUSTSEC-2026-0049.html ) ;
15+ a security issue affecting CRL revocation checking.
16+
17+ This low-impact vulnerability affects users of the
18+ ` rustls_web_pki_[server|client]_cert_verifier_builder ` APIs that populated CRLs
19+ with ` rustls_web_pki_server_cert_verifier_builder_add_crl() ` . If a certificate
20+ signed by a trusted certificate authority contained multiple CRL distribution
21+ points, only the first was checked against the CRL's issuing distribution point.
22+
23+ In a default configuration this oversight meant that revocation checking would
24+ fail-closed with an incorrect, but safe, ` RUSTLS_RESULT_CERT_UNKNOWN_ISSUER `
25+ error.
26+
27+ If configured with
28+ ` rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status() ` , then
29+ revocation checking would fail-open, potentially allowing use of certificate
30+ revoked by the CRL.
31+
32+ Inducing this bug requires a trusted certificate issuer to be compromised, which
33+ can result in more serious revocation bypasses and security issues.
34+
35+ ### Added
36+
37+ * version detection macros in the C header
38+ (https://github.com/rustls/rustls-ffi/pull/576 ):
39+ * ` RUSTLS_VERSION_MAJOR ` , ` RUSTLS_VERSION_MINOR ` , ` RUSTLS_VERSION_PATCH `
40+ individual version components as integers.
41+ * ` RUSTLS_VERSION_NUMBER ` - a single number encoding the version as
42+ ` (major << 16 | minor << 8 | patch) ` .
43+
44+ * additional error variants (https://github.com/rustls/rustls-ffi/pull/574 ):
45+ * ` RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_SIGNATURE_ALGORITHM ` - for
46+ CRL signature algorithm errors.
47+ * ` RUSTLS_RESULT_CERT_UNSUPPORTED_SIGNATURE_ALGORITHM ` - for certificate
48+ signature algorithm errors.
49+
50+ * ` rustls_platform_server_cert_verifier_try_with_provider() `
51+ (https://github.com/rustls/rustls-ffi/pull/574 ):
52+ * A safer alternative to ` rustls_platform_server_cert_verifier_with_provider `
53+ with better error reporting. The older function for constructing a server
54+ cert verifier backed by the platform verifier is now deprecated.
55+
56+ * ` rustls_connection_get_tls13_tickets_received() `
57+ (https://github.com/rustls/rustls-ffi/pull/574 ):
58+ * Returns the number of TLS 1.3 tickets received by a client connection. This
59+ is FFI for the Rustls ` ClientConnection::tls13_tickets_received() ` API.
60+
61+ * ` rustls_client_connection_new_alpn() `
62+ (https://github.com/rustls/rustls-ffi/pull/566 ):
63+ * constructs a client ` rustls_connection ` with custom ALPN protocol support
64+ that differs from the base ` rustls_client_config ` .
65+
66+ ### Deprecated
67+
68+ * Deprecated functions are now visually annotated on the [ documentation
69+ website] ( https://ffi.rustls.dev ) .
70+ (https://github.com/rustls/rustls-ffi/pull/584 ) and in the header file using
71+ the appropriate clang/GCC/MSVC attributes
72+ (https://github.com/rustls/rustls-ffi/pull/579 ).
73+
74+ * Platform server cert verifier creation is now fallible, returning
75+ a ` rustls_result ` that must be handled appropriately.
76+
77+ The pre-existing ` rustls_platform_server_cert_verifier_with_provider() ` is
78+ now deprecated in favor of
79+ ` rustls_platform_server_cert_verifier_try_with_provider() ` .
80+
81+ ### Changed
82+
83+ * Post-quantum key exchange (` X25519MLKEM768 ` ) is now preferred by default
84+ matching upstream rustls (https://github.com/rustls/rustls-ffi/pull/566 )
85+
86+ * An additional field is now exposed in ` rustls_client_hello `
87+ (https://github.com/rustls/rustls-ffi/pull/574 ):
88+ * ` named_groups ` - the supported key exchange groups advertised by the client.
89+ * This is a breaking change, but limited to the server-side
90+ ` rustls_server_config_builder_set_hello_callback ` APIs that are documented
91+ as ** experimental** .
92+
393## 0.15.0 (2025-03-25)
494
595This release updates to [ Rustls 0.23.25] [ ] and increases the project minimum
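Review bot: The Security paragraph says the affected APIs are the `rustls_web_pki_[server|client]_cert_verifier_builder` builders "that populated CRLs with `rustls_web_pki_server_cert_verifier_builder_add_crl()`", but only the server builder's `add_crl` entry point is named, and the fail-open paragraph likewise names only `rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status()`; if both sides are affected, name the matching client-side `add_crl` and server-side `allow_unknown_revocation_status` functions too, otherwise narrow the affected-API sentence to the functions actually listed, so someone auditing a client-auth deployment can tell from the changelog alone whether they need to act. Three smaller fixes in the same hunk: the semicolon after the RUSTSEC link ("...RUSTSEC-2026-0049.html); a security issue affecting CRL revocation checking.") should be a comma; "potentially allowing use of certificate revoked by the CRL" should read "use of a certificate revoked by the CRL"; and in the Deprecated section the stray period in "website](https://ffi.rustls.dev). (https://github.com/rustls/rustls-ffi/pull/584) and in the header file" splits the sentence, so drop it and let the PR link attach to the clause.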
@@ -184,7 +274,7 @@ requirements.
184274 * Ciphersuites supported by a specific ` rustls_crypto_provider ` can be retrieved with
185275 ` rustls_crypto_provider_ciphersuites_len() ` and ` rustls_crypto_provider_ciphersuites_get() ` .
186276 * Ciphersuites supported by the current process-wide default crypto provider (if any) can
187- be retrieved with ` rustls_default_crypto_provider_ciphersuites_len() ` and
277+ be retrieved with ` rustls_default_crypto_provider_ciphersuites_len() ` and
188278 ` rustls_default_crypto_provider_ciphersuites_get() ` .
189279 * A buffer can be filled with cryptographically secure random data from
190280 a specific ` rustls_crypto_provider ` using ` rustls_crypto_provider_random() ` ,
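Review bot: The removed and re-added line "be retrieved with `rustls_default_crypto_provider_ciphersuites_len()` and" is identical in the rendered view, so this hunk (and the hunks below it, which show the same one-line remove/re-add pattern) appears to be a trailing-whitespace or indentation-only change; consider splitting these cosmetic edits out of the security-release commit, or state in the commit message that they are whitespace-only, so a reviewer checking the 0.15.1 advisory text is not left diffing no-op hunks.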
@@ -201,7 +291,7 @@ requirements.
201291 based on the current process-wide default.
202292 * ` rustls_crypto_provider_builder_new_with_base ` will construct a builder
203293 based on a specified ` rustls_crypto_provider ` .
204- * Customization of supported ciphersuites can be achieved with
294+ * Customization of supported ciphersuites can be achieved with
205295 ` rustls_crypto_provider_builder_set_cipher_suites() ` .
206296 * The default process-wide provider can be installed from a builder using
207297 ` rustls_crypto_provider_builder_build_as_default() ` , if it has not already
@@ -231,7 +321,7 @@ requirements.
231321 more information on supported platforms.
232322 * Use ` rustls_platform_server_cert_verifier() ` to construct a platform verifier
233323 that uses the default crypto provider.
234- * Use ` rustls_platform_server_cert_verifier_with_provider() ` to construct a
324+ * Use ` rustls_platform_server_cert_verifier_with_provider() ` to construct a
235325 platform verifier that uses the specified ` rustls_crypto_provider ` .
236326 * The returned ` rustls_server_cert_verifier ` can be used with
237327 a ` rustls_client_config_builder ` with
@@ -264,7 +354,7 @@ requirements.
264354
265355* ` rustls_server_config_builder_build() ` and
266356 ` rustls_client_config_builder_build() ` now use out-parameters for the
267- ` rustls_server_config ` or ` rustls_client_config ` , and return a ` rustls_result ` .
357+ ` rustls_server_config ` or ` rustls_client_config ` , and return a ` rustls_result ` .
268358 This allows returning an error if the build operation fails because a suitable
269359 crypto provider was not available.
270360
@@ -286,7 +376,7 @@ requirements.
286376 functions (` rustls_all_ciphersuites_len() ` ,
287377 ` rustls_all_ciphersuites_get_entry() ` , ` rustls_default_ciphersuites_len() ` and
288378 ` rustls_default_ciphersuites_get_entry() ` ) have been
289- removed. Ciphersuite support is dictated by the ` rustls_crypto_provider ` .
379+ removed. Ciphersuite support is dictated by the ` rustls_crypto_provider ` .
290380 * Use ` rustls_default_supported_ciphersuites() ` to retrieve
291381 a ` rustls_supported_ciphersuites ` for the default ` rustls_crypto_provider ` .
292382 * Use ` rustls_crypto_provider_ciphersuites() ` to retrieve a
@@ -307,7 +397,7 @@ only cryptographic provider.
307397* A new ` rustls_accepted_alert ` type is added. Calling
308398 ` rustls_accepted_alert_bytes ` on this type produces TLS data to write
309399 in the case where a server acceptor encountered an error accepting a client.
310- The returned TLS data should be written to the connection before freeing
400+ The returned TLS data should be written to the connection before freeing
311401 the ` rustls_accepted_alert ` by calling ` rustls_accepted_alert_write_tls ` with
312402 a ` rustls_write_callback ` implementation.
313403
@@ -367,19 +457,19 @@ and 0.12.0 continues to use `*ring*` as the only cryptographic provider.
367457 ` rustls_root_cert_store_builder_add_pem ` and
368458 ` rustls_root_cert_store_builder_load_roots_from_file ` .
369459* The client verifier builders (
370- ` rustls_allow_any_anonymous_or_authenticated_client_builder ` , and
460+ ` rustls_allow_any_anonymous_or_authenticated_client_builder ` , and
371461 ` rustls_allow_any_authenticated_client_builder ` ) as well as the client
372- verifier types (` rustls_allow_any_anonymous_or_authenticated_client_verifier ` ,
462+ verifier types (` rustls_allow_any_anonymous_or_authenticated_client_verifier ` ,
373463 ` rustls_allow_any_authenticated_client_verifier ` ) have been replaced with
374464 ` rustls_web_pki_client_cert_verifier_builder ` and ` rustls_client_cert_verifier ` .
375- * The server config client verifier setters
465+ * The server config client verifier setters
376466 (` rustls_server_config_builder_set_client_verifier ` and
377467 ` rustls_server_config_builder_set_client_verifier_optional ` ) have been
378468 replaced with ` rustls_server_config_builder_set_client_verifier ` .
379- * The client config builder functions for specifying root trust anchors
469+ * The client config builder functions for specifying root trust anchors
380470 (` rustls_client_config_builder_use_roots ` and
381471 ` rustls_client_config_builder_load_roots_from_file ` ) have been replaced
382- with a server certificate verifier builder
472+ with a server certificate verifier builder
383473 (` rustls_web_pki_server_cert_verifier_builder ` ) constructed with
384474 ` rustls_web_pki_server_cert_verifier_builder_new ` and
385475 a ` rustls_root_cert_store ` . The built ` rustls_web_pki_server_cert_verifier `