Releases: jruby/jruby-openssl

0.9.17

09 Jun 17:51

  • temporarily register BC provider on X.509 factory (work-around for #94)
  • support Cipher#auth_tag and auth_data for GCM ciphers (e.g. aes-128-gcm)
  • need to drop support for BC <= 1.50 due to EC support (N/A in older BCs)
  • (somehow working) draft at implementing PKey::EC (elliptic curve support)
    DH encryption expected to behave correctly
  • make sure (initial) BC security provider registration works!
    ... when -Djruby.openssl.provider.register=true (due to #94)
  • Make ALL cipherstring match ECDHE ciphers (#91)
  • fix X.509 indexBySubject returning correct index
  • try to handle SSLContext.session= and also try answering session_reused?
  • handle equals/hashCode on SSL::Session and raise on timeout int overflow
  • Allow DSA private keys to be initialized from parameters. (#83)
  • Instantiate both the private and public keys when setting parameters. (#82)

0.9.16

01 Jun 12:45

  • add hard dependency to jar-dependencies (#74)
  • Recognize Android java.version (#81)

0.9.15

27 Jan 06:25

  • always return a Fixnum from OpenSSL::SSL::Session#timeout, OpenSSL defaults
    to 300 (been causing net/http.rb issues with timeouts on JRuby 9K)

0.9.14

12 Jan 08:49

  • upgrade to using BC 1.54 as default (all versions >= 1.49 are supported)
    for Bouncy-Castle release notes see http://bouncycastle.org/releasenotes.html
  • basic support for prompting for PEM password (working for RSA/DSA priv.key)
  • avoid NPE due to version field in X509Cert - make sure it's treated as 0 (#78)
    and fix setting certificate.serial = number
  • default WaitReadable/Writable backtraces to JRuby's -Xerrno.backtrace
  • use hardcoded jks type for loading cacerts - for Java 9 compatibility (#79)

0.9.13

22 Dec 11:49

JRuby-OpenSSL 0.9.13 is the first release that aims to be Ruby 2.3 compatible.

  • SSLSocket#sysread do not copy bytes from buffer - re-use the backing array
  • handle read_nonblock EOF as nil when exception: false (Ruby 2.3 compatibility)
  • start exposing VERSION constant(s) directly on Jopenssl module
  • better not throw EOF on SSLSocket#sysclose for compatibility with MRI
  • setup "dummy" OpenSSL::OPENSSL_LIBRARY_VERSION constant for compatibility
  • Ruby 2.3 compatibility - adjust to changes in MRI's openssl .rb parts
  • update openssl/ssl.rb based on MRI 2.2's version
  • disable backtrace generation for wait non-block errors (use an empty array)
  • support SSLSocket#accept_nonblock/connect_nonblock with exception: false
  • support exception: false with syswrite_nonblock and sysread_nonblock
  • remove 'RSA' from RSA public key headers (#76)

0.9.12

08 Oct 19:18

  • when the Cipher/Signature needs to be created via java reflection use a constructor
    which avoids verifying the bouncy-castle jars (which is the main reason for using
    reflection since some classloader setups fail to verify those jars) (#73)
  • force US locale for date formatting
    otherwise it uses system locale, which is inconsistent with MRI.
  • X509::Store.set_default_paths ignores FileNotFound errors like MRI does (#68)
  • check type on X509::Store.verify
    throw a TypeError if the argument is not an OpenSSL::X509::Certificate (#69)
  • keep the default x509 certs and directories in line with MRI, only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts
  • bring the default ca-certs paths/location more in line with MRI and fall back on
    jvm truststore (java.home/lib/security/cacerts) when needed

0.9.11

08 Oct 15:33

  • add TLSv1_1_client, TLSv1_1_server, TLSv1_2_client and TLSv1_2_server options
    to ssl_version (#65)
  • regression make sure we hold a buffered reader so that the loop continues
    reading PEMs - previously introduced an incompatibility with cert verify (#67)
  • support negotiating up to TLS1_1 and TLS1_2 when the server supports these
    ssl_versions (#63)

0.9.10

21 Aug 06:08

  • regression reverted fix for #49 (as it needs more work/testing):
    keep the default x509 certs and directories in line with MRI (#49), only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts

0.9.9

21 Aug 06:07

  • regression causing to re-package a RaiseException in SSLSocket#accept
  • fix load error: jopenssl/load -- java.lang.VerifyError: using BC 1.51 or 1.52 (#62)
  • keep the default x509 certs and directories in line with MRI (#49), only if
    they do not exist fall back on cacerts from the java.home/lib/security/cacerts

0.9.8

28 Jul 07:56

  • refactor PKCS5.pbkdf2_hmac_sha1 to use BC APIs
    thus less dependent on provider internals (jruby/jruby#3025)
  • HMAC - use our SimpleKey impl so that there's less[] copy
    ... also allows for an empty key to work like MRI (jruby/jruby#2854)
  • fixing oaep encryption to use correct algorithm (#54)
  • [experimental] support NOT loading any (BC) jars on our own ... (#10)
  • disable DHE (by default) on Java <= 7 ... on Java 8 we (still) force 1024/2048
    (see jruby/jruby#2872 and #45)
  • regression handle parsing of "incomplete" X.509 certs like MRI does (#42)
  • implement a CRL/certificate caching (for now off by default) in Lookup
    ... set -J-Djruby.openssl.x509.lookup.cache=true to enable
  • improve Store helper concurrency (with less synchronization)
  • reviewed OpenSSL's .rb parts to match those present in MRI 1.9.3 / 2.2.2
  • initial support for OpenSSL::SSL::Session (id, time, timeout work)
  • session_cache_mode as present in OpenSSL makes no sense with Java APIs
  • use the set SSLContext#session_cache_size on the underlying javax.net API
  • tidy up SSLSocket's internals + add stack-trace debugging on accept/connect
  • add SSLSocket ssl_version property like MRI has (#38)
  • avoid unnecessary _initialize naming - it's confusing to see in JVM tools
  • use SecurityHelper to get a X.509 certificate factory
    we'll now prefer BC's X.509 factory over the built-in (Sun provider) one