Releases: jruby/jruby-openssl

0.12.2

08 Mar 09:16
ae0f04e
  • [fix] work-around JRuby 9.2 autoload behavior (#248)
    to be able to install jruby-openssl >= 0.12 on JRuby 9.2
    while the default gem (shipped with JRuby) is < 0.12
  • [feat] support ALPN negotiation in SSL context (#247)
  • [feat] support Java cipher names on SSLContext#ciphers=
  • [fix] properly handle require_jar fallback

0.12.1

02 Feb 11:02
b0de18c
  • improved compatibility with the openssl gem (version 2.2.1)
  • JOSSL now ships with a single set of openssl .rb files
    • providing compat with required_ruby_version = '>= 2.3.0'
    • flat set of .rb files at lib/openssl/ (based on openssl gem)
  • revisited OpenSSL::SSL::SSLContext::DEFAULT_PARAMS defaults
    • implicit verify_hostname default .rb callback still a noop
    • TLS continues to rely on the Java SSL engine for hostname checks
  • working TLS 1.3 support
  • dropped Java 1.7 support (at least Java 8 needed to use the gem)
  • fixed SSLContext#options matches C OpenSSL (using OP_ALL)
  • no longer filter out SSLv2 (for improved OpenSSL compatibility)
  • implemented naive SSLContext#ciphers caching to speed-up TLS
  • StoreError raised due to a Java exception now retains the native cause

0.11.0

25 Oct 14:36
0f73701

NOTE: This release aims to adapt the certificate verification logic to be aligned
with OpenSSL 1.1.1 as a resolution to issues due to DST Root CA X3 expiration, more
details at: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The port is expected to be superior compared to the simple legacy verification,
however in case of issues the previous algorithm is still around and can be toggled
using the JRUBY_OPTS="-J-Djruby.openssl.x509.store.verify=legacy" system property.

  • OpenSSL 1.1.1 cert verification port (fixes #236) (#239)
  • as a side-effect part of the PR to "allow multiple certs with same SubjectDN"
    (#198) got reverted, this has been causing verification regressions (since 0.10.5)
    for some users (#232) and is expected to be fixed
  • [fix] replace deprecated getPeerCertificateChain (#231)

0.10.7

28 Apr 13:42
4eff863
  • [feat] upgrade BC library to 1.68
  • [fix] SSLContext#ciphers= (fixes #221 and jruby/jruby#3100) (#222)
  • [fix] Java::JavaLang::StringIndexOutOfBoundsException on ctx.cipher=[] (fixes #220) (#223)
  • [fix] SSLContext#ciphers= compatibility (fixes #223) (#220)
  • [fix] Match OpenSSL::X509::Name.hash implementation with Ruby (#216, #218)
  • [fix] OpenSSL::SSL::SSLContext#min_version= failure (#215)
  • [fix] adds OpenSSL::Cipher#iv_len= setter (#208)

0.10.5

01 Oct 07:22
e0660c6
  • [fix] EC key sign/verify (#193)
  • [feat] upgrade BC library to 1.65
  • [refactor] clean security helpers to avoid reflection (#197)
  • Just use normal getInstance to get KeyFactory (fixes #197)
  • Allow multiple Certificates with the same SubjectDN in the store (#198)
  • Try direct path for MessageDigest before invasive path (#194)
    (relates to jruby/jruby#6098)
  • [refactor] avoid NativeException usage (jruby/jruby#5646)

0.10.4

01 Oct 07:22
75b3732
  • Use CertificateFactory.getInstance rather than reflection
    eliminates one of the module warnings we have been seeing (#161)

0.10.3

18 Feb 10:02
c862feb
  • [fix] implement (missing) PKey::DSA#params
  • [fix] authorityKeyIdentifier ext (general-name) value
  • [fix] authority keyid extension's :always part optional (#174)
  • [fix] work-around for not setting certificate serial
    raise a more friendly error (jruby/jruby#1691)
  • [fix] PKey.read not parsing RSA pub-key (#176)
  • [feat] support reading DSA (public key) in full DER
  • [fix] RSA key DER format to closely follow OpenSSL
  • [fix] add missing ASN1 factory methods (Null, EndOfContent)
  • [fix] support getting password from block for PKeys
  • [fix] incorrect ASN.1 for wrapped Integer type
  • [fix] correct public key for subjectKeyIdentifier ext (#173)
  • [fix] invalid Cert#sign handling -> raise (instead of ClassCastException)
  • [feat] more TLS (GCM) ciphers - supported on Java 8+
  • [feat] add ECDHE-RSA-AES128-GCM-SHA256 as supported cipher (#185)
  • [feat] add support for ECDHE-RSA-AES256-GCM-SHA384 (#187)
  • [fix] try hard not to fail on unknown oids (OpenSSL::X509::Certificate#to_text)
  • update Bouncy-Castle to 1.62 (and handle supported BC compatibility)

0.10.2

02 Mar 09:06
  • update Bouncy-Castle to 1.61 (and handle supported BC compatibility)
  • [fix] avoid NPE when CRL fails to parse (invalid str) (jruby/jruby#5619)
  • hide (deprecated) Jopenssl constant
  • default OpenSSL.warn to warnings-enabled flag
  • only un-restrict jce when it's restricted
  • OpenSSL::Cipher#update additional buffer argument (#170) (jruby/jruby#5242)

0.10.1

22 Jun 14:34
  • loading JOpenSSL's native ext part the JRuby 9.2 (internal) way
  • avoid, once again, installing BC provider on boot (due to OCSP support)
  • [feat] support OpenSSL::KDF as a (semi) OpenSSL::PKCS5 replacement
  • rename ugly-sh "Jopenssl" constant to JOpenSSL
  • support PKCS7#decrypt with 1 argument (pkey only - without certificate)
  • undo some of the call-sites in SSLSocket - account for sub-classes (#165)
  • follow-up to provide == for X.509 types (like C-OpenSSL does in 2.1)
  • validate iter parameter on Cipher#pkcs5_keyivgen (since OpenSSL 2.0.8)
  • remove openssl/pkcs7.rb -> since 1.8 no longer supported

0.10.0

17 May 10:46

NOTE: dropped support for anything below ~ JRuby 1.7.20

  • drop support for Java 1.6 and compile using Java 7
  • improve java.version detection for Java 9/10 (pre-releases)
  • subject alt name parsing fixes (#140) - thanks @roadrunner2
  • fix loading of Subject/Issuer-Alt-Name extensions. (#144)
  • normalize all constants in CipherStrings as public (#146)
  • upgrade BC to 1.59 and dropped support for BC < 1.55
  • include BC's JSSE provider as we're planning on using it, eventually
  • setup OpenSSL::ExtConfig emulation - mostly (conservative) guesses
  • at last, do BN comparison == vs eql? properly - just like MRI
  • get BN.new("...", 0) working as OpenSSL does - using MPI format
  • allow for SSLContext#dup to work (copying Ruby level i-vars only)
  • fix signature-alg to default to NULL and report it as 0.0 (like MRI)
  • account for ASN1Integers when transforming issuer serial numbers
    to_text in AuthorityKeyIdentifier extensions (#147) - thanks @lampad
  • copy bytes since it might be a shared (unsafe) buffer (#150)
  • don't use padding for streaming cipher modes (#155) - thanks @dgolombek
  • avoid ByteList#length() usage for forward (JRuby 9.2) compatibility
  • prepare for using BC's JSSE implementation as an SSL support backend
    allow to set SSL provider name (-Djruby.openssl.ssl.provider=...)