
0.15.1


@djc djc released this 21 Mar 09:15
v0.15.1

This is a minor release with one security fix. It updates rustls to 0.23.37.

Security

Updates rustls-webpki to 0.103.10:

This update addresses RUSTSEC-2026-0049, a security issue affecting CRL revocation checking.

This low-impact vulnerability affects users of the rustls_web_pki_[server|client]_cert_verifier_builder APIs that populated CRLs with rustls_web_pki_server_cert_verifier_builder_add_crl(). If a certificate signed by a trusted certificate authority contained multiple CRL distribution points, only the first was checked against the CRL's issuing distribution point.

In a default configuration this oversight meant that revocation checking would fail-closed with an incorrect, but safe, RUSTLS_RESULT_CERT_UNKNOWN_ISSUER error.

If configured with rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status(), then revocation checking would fail-open, potentially allowing use of a certificate revoked by the CRL.

Inducing this bug requires a trusted certificate issuer to be compromised, which can result in more serious revocation bypasses and security issues.
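The fail-closed and fail-open outcomes described above, as an added example: this is a simplified model written for these notes, not rustls-webpki or rustls-ffi code. All type and function names, the URI string comparison, and the sample certificate and CRL are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not rustls-webpki code: every name here is hypothetical. */
enum verdict { ACCEPT, REJECT_REVOKED, REJECT_FAIL_CLOSED };

struct cert {
    unsigned serial;
    const char *dist_points[4]; /* CRL distribution point URIs, NULL-terminated */
};
struct crl {
    const char *issuing_dist_point; /* the CRL's issuing distribution point */
    const unsigned *revoked;        /* revoked serial numbers */
    size_t n_revoked;
};

/* Does this CRL cover the certificate? first_only=true models the pre-fix
 * behaviour from the notes: only the first distribution point is compared. */
static bool crl_covers(const struct cert *c, const struct crl *l, bool first_only)
{
    for (size_t i = 0; i < 4 && c->dist_points[i] != NULL; i++) {
        if (strcmp(c->dist_points[i], l->issuing_dist_point) == 0)
            return true;
        if (first_only)
            break;
    }
    return false;
}

/* No covering CRL means the revocation status is unknown. The default policy
 * fails closed (the notes say rustls-ffi reports this case as
 * RUSTLS_RESULT_CERT_UNKNOWN_ISSUER); allow_unknown_status fails open. */
enum verdict check_revocation(const struct cert *c, const struct crl *l,
                              bool first_only, bool allow_unknown_status)
{
    if (!crl_covers(c, l, first_only))
        return allow_unknown_status ? ACCEPT : REJECT_FAIL_CLOSED;
    for (size_t i = 0; i < l->n_revoked; i++)
        if (l->revoked[i] == c->serial)
            return REJECT_REVOKED;
    return ACCEPT;
}

/* Constructed sample: the matching distribution point is listed second. */
const unsigned REVOKED[] = { 0x1001 };
const struct cert SAMPLE_CERT = {
    0x1001, { "http://crl.example/a.crl", "http://crl.example/b.crl", NULL }
};
const struct crl SAMPLE_CRL = { "http://crl.example/b.crl", REVOKED, 1 };
```

With first_only set, the sample certificate is rejected under the default policy but accepted when unknown revocation status is allowed; with every distribution point compared, it is rejected as revoked under either policy.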

Added

  • version detection macros in the C header (#576):

    • RUSTLS_VERSION_MAJOR, RUSTLS_VERSION_MINOR, RUSTLS_VERSION_PATCH - individual version components as integers.
    • RUSTLS_VERSION_NUMBER - a single number encoding the version as (major << 16 | minor << 8 | patch).
  • additional error variants (#574):

    • RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_SIGNATURE_ALGORITHM - for CRL signature algorithm errors.
    • RUSTLS_RESULT_CERT_UNSUPPORTED_SIGNATURE_ALGORITHM - for certificate signature algorithm errors.
  • rustls_platform_server_cert_verifier_try_with_provider() (#574):

    • A safer alternative to rustls_platform_server_cert_verifier_with_provider with better error reporting. The older function for constructing a server cert verifier backed by the platform verifier is now deprecated.
  • rustls_connection_get_tls13_tickets_received() (#574):

    • Returns the number of TLS 1.3 tickets received by a client connection. This is FFI for the Rustls ClientConnection::tls13_tickets_received() API.
  • rustls_client_connection_new_alpn() (#566):

    • constructs a client rustls_connection with custom ALPN protocol support that differs from the base rustls_client_config.

Deprecated

  • Deprecated functions are now visually annotated on the documentation website (#584) and in the header file using the appropriate clang/GCC/MSVC attributes (#579).

  • Platform server cert verifier creation is now fallible, returning a rustls_result that must be handled appropriately.
    The pre-existing rustls_platform_server_cert_verifier_with_provider() is now deprecated in favor of rustls_platform_server_cert_verifier_try_with_provider().

Changed

  • Post-quantum key exchange (X25519MLKEM768) is now preferred by default, matching upstream rustls (#566).

  • An additional field is now exposed in rustls_client_hello (#574):

    • named_groups - the supported key exchange groups advertised by the client.
    • This is a breaking change, but limited to the server-side
      rustls_server_config_builder_set_hello_callback APIs that are documented
      as experimental.