Release: v1.5.25

Weekly release for August 25 2025

Release Summary

• Add a copy of the rfc9151 policy (20250429) which pins all of the policy parts to the current version.
• Adds new TLSv1.3-enabled security policies for CloudFront's outbound ("upstream") connections to origin servers. We also add similar policies with PQ enabled.

What's Changed

• chore: bindings release 0.3.24 by @johubertj in #5455
• chore: apply clippy fixes by @johubertj in #5459
• Add fixed version of the rfc9151 policy by @Mark-Simulacrum in #5277
• test(integration): add record padding test by @jmayclin in #5451
• refactor(stuffer): Rename s2n_stuffer_has_pem_encapsulated_block by @alice-aws in #5465
• ci: don't include tls/extensions in SAW build by @lrstewart in #5466
• ci: fix wikipedia network test + better error message by @lrstewart in #5470
• refactor: setup replacement default policies by @lrstewart in #5464
• Add TLSv1.3 (classical + PQ) policies for CloudFront Upstream by @WillChilds-Klein in #5460

New Contributors

• @alice-aws made their first contribution in #5465

Full Changelog: v1.5.24...v1.5.25

Release: v1.5.24

Weekly release for August 04 2025

Release Summary

• Adds new PQ security policies with ML-KEM for the CRT.

What's Changed

• refactor(bench): unify IO methods by @jmayclin in #5434
• test(bench): add api for mutual auth handshake by @jmayclin in #5437
• chore: bindings release 0.3.23 by @CarolYeh910 in #5439
• ci: document how to manually run the codebuild jobs by @lrstewart in #5441
• chore: add Awslc fips next to CI by @dougch in #5349
• feat: add integration test for secp384r1_mlkem_1024 by @johubertj in #5438
• fix(typo): fix a typo in codebuild.yml by @boquan-fang in #5445
• build(deps): update criterion requirement from 0.6 to 0.7 in /bindings/rust/standard by @dependabot[bot] in #5442
• chore(ci): tell crt to not check submodule version by @dougch in #5450
• Add AWS-CRT-SDK-TLSv1.0-2025-PQ by @WillChilds-Klein in #5403
• chore(ci): once a week, clean the nix store for the kTLS job. by @dougch in #5430
• refactor(tls-harness): separate benchmark abstractions by @jmayclin in #5444

Full Changelog: v1.5.23...v1.5.24

Release: v1.5.23

Weekly release for July 24 2025

Release Summary

• The aws-kms-tls-auth crate is now available, which provides utilities to do TLS-PSK based authentication using IAM and KMS.
• Created a new hybrid KEM group s2n_secp384r1_mlkem_1024.
• Updated the default_pq security policy to include the secp384r1_mlkem_1024 hybrid KEM group.

What's Changed

• fix(ci): adding set -e to prevent nix develop to hide failing tests by @boquan-fang in #5393
• chore: release 0.3.22 by @boquan-fang in #5397
• docs: note that s2n_shutdown may keep reading by @lrstewart in #5370
• feat(aws-kms-tls-auth): add codec and parsing by @jmayclin in #5398
• ci: start codebuild jobs from github actions by @lrstewart in #5383
• ci: Migrate Duvet GitHub Action to duvet-action repo by @johubertj in #5400
• feat(aws-kms-tls-auth): add psk identity by @jmayclin in #5402
• feat: add ML-KEM-1024 kem definition by @johubertj in #5367
• Flip Nix integration tests to use uv/pytest by @dougch in #5352
• feat(aws-kms-tls-auth): add provider & receiver structs by @jmayclin in #5408
• ci: require repo write permissions for codebuild by @lrstewart in #5421
• docs(aws-kms-tls-auth): add readme by @jmayclin in #5409
• docs(aws-kms-tls-auth): clarify security impact of failure modes by @jmayclin in #5424
• ci: run rustfmt/clippy on standard crates by @jmayclin in #5333
• feat: add secp384r1_mlkem_1024 kem group by @johubertj in #5395
• feat(bench): add generic shutdown functionality by @jmayclin in #5426
• chore: Nix Corretto version bump/upstream by @dougch in #5427
• feature: update default_pq to support secp384r1_mlkem_1024 by @johubertj in #5433
• build(deps): bump cross-platform-actions/action from 0.28.0 to 0.29.0 in /.github/workflows in the all-gha-updates group by @dependabot[bot] in #5435

Full Changelog: v1.5.22...v1.5.23

Release: v1.5.22

Weekly release for July 07 2025

Release Summary

• Add a new security policy for CRT that supports FIPS and TLS1.2.
• The fmt::Debug message for application errors in the Rust bindings now use the application error's fmt::Debug implementation, rather than a generic message.

What's Changed

• chore(ci): add a cargo timing buildspec by @dougch in #5176
• build(deps): update pprof requirement from 0.14 to 0.15 in /bindings/rust/standard by @dependabot in #5334
• refactor(examples): remove connection pool by @jmayclin in #5353
• ci: Fix the sslyze test for nix by @dougch in #5283
• Include application message in Debug impl by @Mark-Simulacrum in #5359
• build: prevent needless rebuild with S2N_INTERN_LIBCRYPTO=ON and Ninja by @kou in #5356
• build(deps): bump baptiste0928/cargo-install from 3.3.0 to 3.3.1 in /.github/workflows in the all-gha-updates group by @dependabot in #5361
• tests(integv2): fix flaky session resumption test by @lrstewart in #5362
• tests(integ): add more debug logging by @lrstewart in #5363
• build(deps): bump nixbuild/nix-quick-install-action from 30 to 31 in /.github/workflows in the all-gha-updates group by @dependabot in #5366
• build(deps): bump nixbuild/nix-quick-install-action from 31 to 32 in /.github/workflows in the all-gha-updates group by @dependabot in #5371
• fix: policy util should ignore deprecated TLS1.2 kems if missing by @lrstewart in #5372
• chore: apply clippy and fmt fixes by @boquan-fang in #5386
• feature: new TLS1.2 + FIPS CRT security policy by @lrstewart in #5375

Full Changelog: v1.5.21...v1.5.22

Release: v1.5.21

Weekly release for Jun 04 2025

Release Summary

• Fixed bug preventing use of ML-DSA with mainline AWSLC built in FIPS mode

What's Changed

• feat(bindings): expose custom critical extension API by @CarolYeh910 in #5337
• tests(integ): fix nondeterministic ocsp test shutdown behavior by @lrstewart in #5340
• chore: Bindings release 0.3.21 by @dougch in #5344
• ci: workaround for nix + gnutls + ubuntu24 issue by @lrstewart in #5345
• fix: do not use "digest and sign" for ML-DSA in FIPS mode by @lrstewart in #5348

Full Changelog: v1.5.20...v1.5.21

Release: v1.5.20

Weekly release for May 30 2025

Release Summary:

• Add a new CertificateRequest callback to allow clients to select a certificate chain during the handshake.
• Add support for custom critical certificate extensions. Users MUST validate their custom extensions in the cert validation callback or after the handshake.

What's Changed

• feat(examples): add key log example by @jmayclin in #5314
• build(deps): bump the all-gha-updates group across 1 directory with 3 updates by @dependabot in #5315
• Add CertificateRequest certificate selection callback by @Mark-Simulacrum in #5318
• CertificateRequest Rust bindings by @Mark-Simulacrum in #5331
• chore: bindings release 0.3.20 by @goatgoose in #5332
• fix(benches): reuse config for handshakes by @jmayclin in #5319
• feat: add custom critical extension support by @CarolYeh910 in #5321
• ci: Use official libcrypto verification model repository by @goatgoose in #5336
• chore(ci): Pin parking_lot_core, lock_api by @goatgoose in #5338

Full Changelog: v1.5.19...v1.5.20

Release: v1.5.19

Release Summary:

• Adds support for post-quantum ML-DSA certificates

What's Changed

• ci: handle 429 from yahoo.com network integ test by @lrstewart in #5280
• ci: fix expectations when using system default libcrypto by @lrstewart in #5279
• chore: bindings release 0.3.18 by @johubertj in #5284
• build(deps): bump astral-sh/setup-uv from 5 to 6 in /.github/workflows in the all-gha-updates group by @dependabot in #5273
• tests: improve coverage for s2n_stream_cipher_null by @wafuwafu13 in #5268
• chore: Add comments to track dependency requirements by @johubertj in #5287
• chore: bump standard MSRV to 1.82.0 by @johubertj in #5295
• tests: fix flaky test_serialization by @lrstewart in #5288
• build(deps): bump aws-actions/configure-aws-credentials from 4.1.0 to 4.2.0 in /.github/workflows in the all-gha-updates group by @dependabot in #5297
• build(deps): update env_logger requirement from 0.10 to 0.11 in /bindings/rust/standard by @dependabot in #5296
• tests: reduce integ test flakiness + improve debugability by @lrstewart in #5282
• feat: Add as_ptr() API for Config by @goatgoose in #5274
• build(deps): update test-log-macros requirement from =0.2.14 to =0.2.17 in /bindings/rust/standard by @dependabot in #5290
• build(deps): update strum requirement from 0.25 to 0.27 in /bindings/rust/standard by @dependabot in #5292
• chore: bindings release 0.3.19 by @goatgoose in #5298
• build: add pull requests limit for dependabot by @boquan-fang in #5299
• build(deps): unpin test-log because of MSRV updates by @boquan-fang in #5300
• refactor: remove conn->client_hello_version by @lrstewart in #5278
• feature: add crypto support for mldsa signing by @lrstewart in #5272
• chore: Update Apache test certificates from RSA1024 to RSA2048 by @dougch in #5285
• Revert "build: add pull requests limit for dependabot" by @boquan-fang in #5302
• tests: turn verbose mode off by default in integ tests by @lrstewart in #5286
• feature: support for ML-DSA handshake signatures by @lrstewart in #5303
• feature: release ML-DSA support by @lrstewart in #5307
• fix(benches): use session ticket for resumption by @jmayclin in #5305
• tests: policy snapshot test by @lrstewart in #5309
• chore: Bump nixpkgs version to 24.11 by @dougch in #5294
• Remove unused negotiate_kem function causing build failure by @Mark-Simulacrum in #5316

New Contributors

• @wafuwafu13 made their first contribution in #5268

Full Changelog: v1.5.18...v1.5.19

v1.5.18

Weekly release for April 28 2025

Release summary:

• Adds a new security policy (20250414), which fixes a gap in compatibility in 20250211 by extending the allowed signatures to include those on P-256.

What's Changed

• chore(ci): revert nix installer pin by @dougch in #5251
• ci: add awslcfips to nix jobs by @dougch in #5205
• chore: add new team member by @anupamym in #5259
• chore: bindings release 0.3.17 by @anupamym in #5260
• refactor: cleanup hash to better support multiple implementations by @lrstewart in #5258
• tests: add ml-dsa test certs from RFC by @lrstewart in #5261
• feature: add support for configuring (but not yet using) ml-dsa certs by @lrstewart in #5263
• Add 20250414 security policy by @Mark-Simulacrum in #5253
• refactor: remove unused hash methods by @lrstewart in #5269
• build(deps): bump JulienKode/team-labeler-action from 1.3.0 to 2.0.0 in /.github/workflows in the all-gha-updates group by @dependabot in #5252
• build: add -Wa,-mbranches-within-32B-boundaries compiler flag by @johubertj in #5267

New Contributors

• @anupamym made their first contribution in #5259

Full Changelog: v1.5.17...v1.5.18

Release: v1.5.17

Weekly release for April 17 2025

What's Changed

• ci: pin nix installer to older version by @dougch in #5245
• chore: Fix new clippy warning by @goatgoose in #5243
• ci: rebalance integV2 testcases by @johubertj in #5232
• fix: tainted handshake.io and add large client hello test by @boquan-fang in #5208
• chore: bindings release 0.3.16 by @goatgoose in #5242
• refactor: remove legacy pkey impls by @lrstewart in #5241
• Revert "ci: exclude new setuptools (#5215)" by @jmayclin in #5226
• fix: make -fPIC flag private by @jmayclin in #5227
• doc: tainted stuffer reset operation by @boquan-fang in #5231
• feat: Expose as_ptr() for external build by @goatgoose in #5229
• ci: pytest generate junit reports by @dougch in #5235
• ci: use correct openssl version for updated AL2023 version by @jouho in #5255

Full Changelog: v1.5.16...v1.5.17

Release: v1.5.16

Weekly release for April 03 2025

Release summary:

• This change is considered a behavior change, though we don’t expect it to have impact. The potential impact shows up as a minor decrease in the amount of session tickets sent to clients in TLS1.2 connections, which may translate to a decrease in the amount of resumed handshakes. Look for handshakes in your logs of type “NEGOTIATED:WITH_SESSION_TICKET” to determine the precise number of handshakes that will no longer be sending session tickets. #5217
• Adds s2n_connection_get_key_exchange_group for getting the negotiated named group. #5209
• Deprecate experimental TLS 1.2 PQ security policies. This does not affect ML-KEM or any use of standard TLS1.3 PQ. #5194
• Fix handshake message length integer overflow in s2n_handshake_finish_header. #5206

What's Changed

• ci: add libcrypto openssl-3.0-fips to integ tests by @lrstewart in #5202
• ci: add openssl-3.0-fips to asan build properly by @lrstewart in #5204
• fix: handshake message length integer overflow in s2n_handshake_finish_header by @boquan-fang in #5206
• chore: deprecate s2n_set by @jmayclin in #5155
• chore: binding release 0.3.14 by @maddeleine in #5210
• Remove PQ TLS 1.2 from all Security Policies by @alexw91 in #5194
• ci: exclude new setuptools by @jmayclin in #5215
• fix: Update README.md to include Rust bindings docs by @maddeleine in #5212
• feat: add s2n_connection_get_key_exchange_group by @WesleyRosenblum in #5209
• chore: bindings release 0.3.15 by @jmayclin in #5221
• ci: add openssl-3.0-fips to valgrind by @johubertj in #5211
• docs: fix openssl-3.0-fips provider requirements documentation by @lrstewart in #5214
• refactor(bindings): use implicit linking for aws-lc by @jmayclin in #5218
• fix: tighten session ticket lifetime by @CarolYeh910 in #5217
• ci: Fix cppcheck build by @goatgoose in #5238
• refactor: implement match the same for all pkeys by @lrstewart in #5224
• ci: add openssl-3.0-fips to general batch by @lrstewart in #5207
• refactor: add evp pkey size/encrypt/decrypt methods by @lrstewart in #5225
• feat(bindings): expose certificate match api by @johubertj in #5220
• ci: add ruff linting by @johubertj in #5182

Full Changelog: v1.5.15...v1.5.16