package ssl

Unreleased

• Add a few verification functions (#71):

  • add_extra_chain_cert to send additional chain certificates to the peer.
  • add_cert_to_store: to allow verification of the peer certificate CA.
  • set_ip: sets the expected IP address to be verified on a SSL socket.
• Improve use_certificate_from_string (#71) to read any type of key (rather than just RSA).
• Fix a segmentation fault in the ALPN selection callback under OCaml 5 (#89).
• Audit the C FFI and add CAMLparamX and CAMLreturn calls (#90).

0.5.11

• Add digest function (#65, #66).
• Restore compatibility with openssl < 1.1.0 (#73).
• Improved compatibility with OCaml 5 (#79).
• Fix client_verify_callback for NO_NAKED_POINTERS mode. A user-provided verification function in C remains an out-of-heap pointer for 4.x for compatibility, but is boxed for OCaml 5.x or 4.x when configured with --disable-naked-pointers. (#83)

0.5.10 (2021-02-01)

• Add use_certificate_from_string (#54).
• Add get_verify_error_string, get_start_date, get_expiration_date (#57).
• Release master lock on ALPN failure (#58).
• Add version (#60).
• Switch to dune 2 (#61).

0.5.9 (2019-07-15)

• Backward compatibility with OpenSSL 1.0.2 (#53).

0.5.8 (2019-07-03)

• Better error reporting.
• Add support for hostname validation (#49).
• Add ALPN support (#37, #38, #48).

0.5.7 (2018-10-25)

• Correctly set #defines (#40).
• Correctly deal with non-existent directories for Homebrew (#42).

0.5.6 (2018-09-12)

• Switch to the dune build system.

0.5.5 (2017-10-13)

• Make sure that LDFLAGS is honored during build.

0.5.4 (2017-10-02)

• Enable safe-string compatibility (#32).
• Add -std=c99 to CFLAGS (#29).

0.5.3 (2016-11-08)

• Remove -ansi flag to be compatible with OCaml 4.04 (thanks Mark Shinwell).
• Use accessor functions for X509_STORE_CTX.
• Change CLIBS order to allow static linking.

0.5.2 (2015-11-23)

• Add OPENSSL_NO_SSL3 preprocessor flag to disable SSLv3 (thanks Jérémie Courrèges-Anglas).

0.5.1 (2015-05-27)

• Fix META file for versions of OCaml older than 4.02.0 (thanks Anil Madhavapeddy, closes #20).

0.5.0 (2015-05-18)

• Allow to honor server cipher preferences (thanks mfp, closes #18).
• Add functions for reading into/writing from bigarrays, avoiding copy (thanks mfp, closes #15).
• Support disabling SSL protocol versions (thanks Edwin Török, closes #13).
• Use Bytes instead of String for read and write, changes the ABI thus the version bump (thanks Vincent Bernardoff, closes #16, and mfp, closes #19).
• Make verbosity of client_verify_callback configurable (thanks Nicolas Trangez, closes #12).
• Fix build with old versions of SSL (thanks Edwin Török, closes #10).

0.4.7 (2014-04-21)

• Add support for TLS1.1 and TLS1.2 (thanks Thomas Calderon).
• Add function to initialize Diffie-Hellman and elliptic curve parameters (thanks Thomas Calderon and Edwin Török).
• Add set_client_SNI_hostname to specify client-side SNI hostname (thanks Mauricio Fernandez).
• Fix double leave of blocking section in ocaml_ssl_accept (thanks Edwin Török).
• Check for errors in SSL_connect/SSL_accept (thanks Jérôme Vouillon).
• Clear the error queue before calling SSL_read and similar functions; SSL_get_error does not work reliably otherwise (thanks Jérôme Vouillon).
• Allow static linking on Mingw64 (thanks schadinger).

0.4.6 (2011-10-16)

• Added write_certificate function.
• Remove support for SSLv2, which was dropped upstream (thanks Dario Teixeira).
• Added support for compiling under Win32 (thanks David Allsopp), see README.win32.
• Check for pthreads in configure.

0.4.5 (2011-03-01)

• Use pthread mutexes for locking thread-safe version of ssl.

0.4.4 (2010-01-06)

• Use SSL_CTX_use_certificate_chain_file instead of SSL_CTX_use_certificate_file.
• Added support for --enable-debugging configure option.
• Don't link with unix library and don't build in custom mode.

0.4.3 (2008-12-18)

• Don't use blocking sections in finalizers since it causes segfaults (thanks Grégoire Henry and Stéphane Glondu).

0.4.2 (2007-03-29)

• Added some missing blocking sections (reported by Oscar Hellström).

0.4.1 (2007-02-21)

• file_descr_of_socket is not marked as deprecated anymore.
• Patched the Makefile to be compatible with FreeBSD (thanks Jaap Boender).
• Explicitely link with libcrypto since we use it. Compilation should now work on Mac OS X too (thanks Janne Hellsten).

0.4.0 (2006-09-09)

• Using caml_alloc_custom and Data_custom_val to access custom blocks.
• Added set_password_callback function.
• Integrated a big patch from Chris Waterson:
• Added get_error_string function.
• Read and write are not blocking anymore, use Unix.select and file_descr_of_socket if you want blocking functions.
• Fix SSL_CTX initialization to call SSL_CTX_set_mode(3) with SSL_MODE_AUTO_RETRY flag. This causes SSL_read and SSL_write to "hide" the SSL_ERROR_WANT_(READ|WRITE) errors that may occur during renegotiation on a blocking socket.
• Fix SSL_CTX initialization to call SSL_CTX_set_mode(3) with SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag. This allows for a different buffer address to be passed to a restarted non-blocking write operation, which is useful since the OCaml garbage collector may move buffers around between calls.
• We do not need to store explicitely the file descriptor for SSL sockets.
• Corrected checking of errors in ocaml_ssl_read (thanks Vincent Balat and Nataliya Guts).
• input_char now raises End_of_file when no byte could be read (thanks Nataliya Guts).

0.3.1 (2005-07-21)

• The library is now under the LGPL licence + linking exception + linking with openssl exception (see COPYING for more details).

0.3.0 (2005-06-01)

• Added Ssl_threads.init function to make the library thread-safe.
• Put connect, accept and flush (and all other functions) in blocking_section to allow other threads to run in the meantime.
• Unified the three context creation functions in create_context, the certificate to use should now be sepcified with use_certificate (sorry for the API-breakage).
• Added the get_verify_result function.
• Using Store_field instead of Field(...) = ...
• Using caml namespace functions.

0.2.0 (2004-12-18)

• Many thanks to Thomas Fischbacher for his patches:
• Corrected int / val bugs when raising exceptions from C (those where found by Mike Furr too, thanks).
• Added many fonctions (but in Caml instead of C).
• Context creation functions now take the protocol as argument.
• Added the create_context function (for client and server connections).
• Added functions for verifying certificates: client_verify_callback, set_verify, set_verify_depth, verify.
• The cipher now has its own type.
• Added functions to handle ciphers: get_current_cipher, get_cipher_description, get_cipher_name, get_cipher_version, set_cipher_list.
• Added the read_certificate and load_verify_locations functions.
• Added the open_connection_with_context and flush functions.
• read and write functions are now thread-safe.
• Cleaned the stubs (function prototypes, comments, etc.).
• Updated OCamlMakefile and improved build system.

0.1.0 (2004-02-05)

• Initial release.