LibreSSL 3.3.0 Released

We have released LibreSSL 3.3.0, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

This is the first development release from the 3.3.x series, which will
eventually be part of OpenBSD 6.9. It includes the following changes:

* Make openssl(1) s_server ignore -4 and -6 for compatibility with OpenSSL.

* Further cleanup of the DTLS record handling.

* Continue the replacement of the TLSv1.2 record layer by
reimplementing the read side of the TLSv1.2 record handling.

* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

* When switching from the TLSv1.3 stack to the legacy stack include
a TLS record header. This is necessary if there is more than one
handshake message in the TLS plaintext record.

* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
command.

* Fix resource handling on error in OCSP_request_add0_id().

* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
.data.rel.ro and .rodata, respectively.

* Add a const qualifier to srtp_known_profiles.

* Simplify TLS method by removing the client and server specific
methods internally.

* Avoid casting away const in ssl_ctx_make_profiles().

* Make sure there is enough room for stashing the handshake message
when switching to the legacy TLS stack.

* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
the assert work for newer DTLS versions.

* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

* Send a host header with OCSP queries to make openssl(1) ocsp
work with some widely used OCSP responders.

* Fix a memory leak in the openssl(1) s_client.

* Add a flag to mark DTLS methods as DTLS to have an easy way to
recognize DTLS methods that avoids inspecting the version number.

* Implement SSL_is_dtls() and use it internally in place of the
SSL_IS_DTLS macro.

* Unbreak DTLS retransmissions for flights that include a CCS.

* Add ability to ocspcheck(8) to parse a port in the specified
OCSP URL.

* Refactor and clean up ocspcheck(8) and add regression tests.

* If x509_verify() fails, ensure that the error is set on both
the x509_verify_ctx() and its store context to make some failures
visible from SSL_get_verify_result().

* Use the X509_STORE_CTX get_issuer() callback from the new X.509
verifier to fix hashed certificate directories.

* Only check BIO_should_read() on read and BIO_should_write() on
write. Previously, BIO_should_write() was also checked after read
and BIO_should_read() after write which could cause stalls in
software that uses the same BIO for read and write.

* In openssl(1) verify, also check for error on the store context
since the return value of X509_verify_cert() is unreliable in
presence of a callback that returns 1 too often.

* Update getentropy on Windows to use Cryptography Next Generation
(CNG). wincrypt is deprecated and no longer works with newer Windows
environments, such as in Windows Store apps.

* Implement auto chain for the TLSv1.3 server since some software
relies on this.

* Handle additional certificate error cases in the new X.509 verifier.
Keep track of the errors encountered if a verify callback tells the
verifier to continue and report them back via the error on the store
context. This mimics the behavior of the old verifier that would
persist the first error encountered while building the chain.

* Report specific failures for "self signed certificates" in a way
compatible with the old verifier since software relies on the
error code.

* Implement key exporter for TLSv1.3.

* Plug a large memory leak in the new verifier caused by calling
X509_policy_check() repeatedly instead.

* Avoid leaking memory in x509_verify_chain_dup().

* Various documentation improvements, particularly around TLS methods.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.