- Verify peer certificates in client streams by default
- Use operating system managed default cert stores if not otherwise specified
- Windows is still an issue as it uses a different cert format (I'm working on it)
- Makes everything SSL/TLS more secure without any user knowledge required
- Vastly improved support for encrypted stream servers (à la node.js)
- Improved server support for perfect forward secrecy (PFS)
- New SSL context options/functions to expose configuration to userland
- Fix Bug #65538
Fine-Grained Peer/Host Verification Control
- Fix Bug #47030
- Client-side peer verification is now robust enough for high-security applications. Without SAN matching, peer verification was extremely limited in terms of usefulness.
Trivial Peer Fingerprint Verification
- Added by Tjerk
- The CA system is difficult to trust in the face of sophisticated attackers (and governments)
- Streams can now pass a "peer_fingerprint" context option to bypass CA verification and check against a known certificate fingerprint hash for maximum security
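An added example (not code from the original notes or from PHP itself) showing the two client-side behaviours described above: a connection relying on the new verify-by-default behaviour and OS trust store, then the same connection pinned with "peer_fingerprint" instead of CA verification. The host name and the fingerprint value are placeholders.

```php
<?php
// Added example, not from the original page. Host and fingerprint are placeholders.

// 1. New defaults: verify_peer and verify_peer_name are now on, and with no
//    cafile/capath set the OS-managed trust store is used. Both keys are written
//    out only for clarity; capture_peer_cert lets us read the leaf cert afterwards.
$verifyCtx = stream_context_create(['ssl' => [
    'verify_peer'       => true,   // reject chains the trust store does not sign
    'verify_peer_name'  => true,   // match CN/SAN against the host we asked for
    'capture_peer_cert' => true,   // expose the peer certificate via context params
]]);

$host = 'example.com';             // PLACEHOLDER host
$sock = stream_socket_client("tls://$host:443", $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $verifyCtx);
if ($sock === false) {
    // An untrusted chain or a name mismatch fails the handshake and lands here.
    die("TLS handshake failed: $errstr ($errno)\n");
}

// Record the leaf certificate's digest out of band (first, trusted contact) so a
// later connection can pin it. openssl_x509_fingerprint() is new in 5.6 as well.
$params = stream_context_get_params($verifyCtx);
$leaf   = $params['options']['ssl']['peer_certificate'];
$seen   = openssl_x509_fingerprint($leaf, 'sha1');
echo "Observed SHA-1 fingerprint: $seen\n";
fclose($sock);

// 2. Pinning: CA verification is switched off and replaced by a comparison of the
//    peer certificate digest against a value already trusted. A 40-hex-char string
//    selects SHA-1; the value below is a PLACEHOLDER, not a real fingerprint.
$pinCtx = stream_context_create(['ssl' => [
    'verify_peer'      => false,   // no CA chain check; the pin is the trust anchor
    'peer_fingerprint' => '0000000000000000000000000000000000000000', // PLACEHOLDER
]]);
$sock = @stream_socket_client("tls://$host:443", $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $pinCtx);
echo $sock === false
    ? "Pin mismatch, connection refused: $errstr\n"
    : "Fingerprint matched; connection established\n";
```

Replace the placeholder with the digest observed on a trusted first contact; a certificate rotation on the server side then surfaces as a refused connection rather than a silent acceptance.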
Client Renegotiation DoS Mitigation
- TLS allows clients to renegotiate certain aspects of a session. Unfortunately, renegotiation disproportionately taxes servers relative to clients and leads to a potential vector for denial-of-service attacks against encrypted servers.
- I've got a patch in the works now and should be able to merge it this week