Release: v1.6.0

@crypto-transport-libs-ci-bot crypto-transport-libs-ci-bot released this 30 Oct 18:51
6aefe74

Weekly release for October 30 2025

Release Summary:

  • Multiple changes to the s2n-tls default policy:
    1. Added TLS 1.3 support
    2. Added Post-Quantum key exchange
    3. Removed CBC ciphersuites
  • Changes to the RFC9151 policy: Removes RSA key exchange and DHE cipher suites. Use the numbered version of this policy instead (20250429) to maintain the current preferences.
  • Adds support for PQ-only policies, which should not include classical ECC curves. This feature only works with libcryptos that support TLS 1.3 and PQ KEM groups.
  • Fixed a validation issue in s2n_connection_deserialize() where malformed protocol version bytes could result in invalid connection state and inconsistent TLS behavior.
  • Adds a synchronous Rust binding API for s2n_cert_validation_callback
  • Upgrades MSRV for extended crates (s2n-tls-sys, s2n-tls, s2n-tls-tokio) from 1.63 to 1.72

What's Changed

  • docs: Small doc changes for KTLS by @maddeleine in #5521
  • ci: install missing rust component for github action workflows by @jouho in #5528
  • refactor(aws-kms-tls-auth): add hmac based psk derivation by @jmayclin in #5519
  • chore: bindings release 0.3.27 by @jouho in #5526
  • fix(usage-guide): Update book.toml for mdbook 0.5 release by @goatgoose in #5535
  • bindings(rust): bump extended crates MSRV to 1.72.0 by @jouho in #5534
  • feat(bindings): expose cert validation callback by @CarolYeh910 in #5357
  • chore: bindings release 0.3.28 by @goatgoose in #5540
  • chore: add new team member by @kaukabrizvi in #5542
  • fix: validate protocol version during connection deserialization by @jouho in #5523
  • chore(bindings): revert dependency pins by @jmayclin in #5544
  • refactor(aws-kms-tls-auth): psk provider using HMAC psks by @jmayclin in #5530
  • chore: update bindgen version to v0.69.0 by @boquan-fang in #5396
  • refactor 1/2: Fix security policy version in tests to numbered string by @maddeleine in #5549
  • refactor: add psk receiver by @jmayclin in #5552
  • build(deps): update rtshark requirement from 3.1.0 to 4.0.0 in /tests/pcap in the all-cargo-updates group across 1 directory by @dependabot[bot] in #5555
  • fix(aws-kms-tls-auth): suppress logging & version bump by @jmayclin in #5554
  • refactor 2/2: Fix security policy version in tests to numbered string by @maddeleine in #5553
  • fix(test): Reduce s2n_security_policies_test duration by @goatgoose in #5558
  • docs: update nix integration test instructions for uvinteg function by @kaukabrizvi in #5550
  • build(deps): bump the all-gha-updates group across 1 directory with 4 updates by @dependabot[bot] in #5548
  • build(deps): update zeroize requirement from =1.7.0 to =1.8.2 in /bindings/rust/extended by @dependabot[bot] in #5537
  • build(deps): update regex requirement from =1.9.6 to =1.12.1 in /bindings/rust/extended by @dependabot[bot] in #5556
  • feat: Improve supported cipher suites in RFC9151 policy by @goatgoose in #5559
  • ci: pin to older kissat version to unblock CBMC by @lrstewart in #5581
  • fix: update test broken by Openssl dhe generation change by @lrstewart in #5580
  • feat: output utility for security policy by @jouho in #5502
  • feat: add PQ only policy support by @CarolYeh910 in #5545
  • fix: update test_pq_only policy snapshot by @CarolYeh910 in #5583
  • refactor: Adds tls13 ciphersuites to default/default_fips policy by @maddeleine in #5560
  • build(deps): bump the all-gha-updates group in /.github/workflows with 2 updates by @dependabot[bot] in #5585
  • ci: scope down GitHub Token permissions by @AdnaneKhan in #5570

Full Changelog: v1.5.27...v1.6.0