0.15.0 release preparation

[cpu]

Using this branch both to get the CHANGELOG.md update started, and to track some things I've been considering blockers for finalizing a 0.15.0 release.

Hoping to finalize this in early Jan since I'll be switching to a volunteer contributor Jan 1st and don't know how much bandwidth I'll have for rustls-ffi work afterwards. (Edit: this estimate was indeed overly optimistic :-P)

0.15.0 TODO

• Initial changelog content
• Outstanding features:
  • Small breaking API changes (Two small breaking API changes before next release #516)
  • API documentation website (Parse rustls.h to generate an API docs website #510)
  • Binary artifacts (ci: build binary artifacts for pushes/PRs #506)
  • Post-quantum KX support (rustls 0.23.22, opt-in prefer-post-quantum feature flag #520) (blocked on upstream work)
  • rustls_result rework (?) (Implement more ergonomic rustls_result? #513) - decided against this at the current time.
  • drop rand dependency: fips feature: appears to use rand chacha #529
  • compat Makefile Add Makefile that invokes cargo-c #525
• Bugs:
  • FIPS deps improvements fips feature: both fips and non-fips aws-lc-sys is compiled and present in the library #528
  • ECH error mapping: error: map InvalidEncryptedClientHello errors #547
  • LICENSE files in pre-built artifacts ci: include LICENSE files in artifact zips/deb #535
  • rustls_error: correct output buffer length handling rustls_error: correct output buffer length handling #551
• Downstream validation
  • mod_tls (github CI workflow for module on linux icing/mod_tls#4 and ci: restore aws-lc-rs crypto provider, use cargo-c for librustls install icing/mod_tls#5)
  • curl SSLKEYLOGFILE support - prototyped in Rustls: Support sslkeylogfile curl/curl#15803
  • curl ECH support
  • curl platform verifier support
  • curl docs/CI rustls-ffi updates
• Final changelog updates

[cpu]

Downstream validation

I picked this up today. I started a curl branch and:

• reworked the Rustls docs to adapt to the removal of the GNU makefile
• reworked CI to use the pre-built .deb from our CI instead of building rustls-ffi from source
• cherry-picked yedayak's work on SSLKEYLOGFILE support (fixing one small warning in the process)
• cherry-picked yedayak's work on client certificate support (and replacing the FIXME with a call to rustls_certified_key_keys_match())
• implemented support for ECH GREASE, ECH w/ command line b64 encoded ECH config list, and ECH w/ DoH fetched HTTPS config lists.

I haven't looked at the platform verifier bits yet, and the branch needs some tidying, but it does demonstrate ECH working correctly:

[daniel@noire:~/Code/C/curl]$ ./cmake-build-test/src/curl --version
curl 8.13.0-DEV (Linux) libcurl/8.13.0-DEV rustls-ffi/0.15.0/rustls/0.23.22/aws-lc-rs zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 nghttp2/1.61.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli ECH HSTS HTTP2 HTTPS-proxy HTTPSRR IDN IPv6 Largefile libz PSL SSL threadsafe UnixSockets zstd

[daniel@noire:~/Code/C/curl]$ ./cmake-build-test/src/curl -v --ech true --doh-url https://one.one.one.one/dns-query --tlsv1.3 https://cloudflare-ech.com/cdn-cgi/trace 2>/dev/null | grep 'sni='
sni=encrypted

My plan is to wait for rustls/rustls#2383 to land, and then finish the polish on my curl branch (CI passing, test coverage, etc) before finally publishing this release and then opening the curl PR from the WIP branch.

[cpu]

I haven't looked at the platform verifier bits yet, and the branch needs some tidying

I split out some initial tidying and its up for review in curl/curl#16796

I also reworked my WIP branch w/ the 0.15 features and added support for the platform verifier. That work is available in a draft PR on my fork pending the 0.15 release: cpu/curl#1

I think all that's left to do is update the changelog. I'll take a look at that shortly.

[cpu]

cpu requested review from djc and ctz now

I went through and did a final CHANGELOG.md update pass & I think this is ready to go. Once it's merged I'll cut a release using the CHANGELOG content as the release notes (& attach the pre-built artifacts from the main CI run).

[djc]

cpu requested review from djc and ctz now

I went through and did a final CHANGELOG.md update pass & I think this is ready to go. Once it's merged I'll cut a release using the CHANGELOG content as the release notes (& attach the pre-built artifacts from the main CI run).

Should this stop being a draft then?

[cpu]

Should this stop being a draft then?

Sorry, thought I had already clicked the button. Done!

[djc]

Looks okay to me!

[cpu]

• Created v0.15.0 git tag
• Published rustls-ffi v0.15.0 at registry crates-io
• Created v0.15.0 GitHub Release w/ artifacts from the main build.