Prepare 0.15.1 release

[djc]

Fixes #632. Addresses RUSTSEC-2026-0049.

[ctz]

Update CHANGELOG.md/release notes?

[djc]

Update CHANGELOG.md/release notes?

Added an edited version of the auto-generated release notes in CHANGELOG.md.

[ctz]

Here's a claude-assisted changelog:

---

This is a minor release, updating rustls to 0.23.37 and improving documentation tooling.

Added

• Version detection macros in the C header:

  • RUSTLS_VERSION_MAJOR, RUSTLS_VERSION_MINOR, RUSTLS_VERSION_PATCH - individual version components as integers.
  • RUSTLS_VERSION_NUMBER - a single number encoding the version (major << 16 | minor << 8 | patch), similar to OpenSSL's versioning scheme.
  • rustls_version_match() test function verifies the defines match the actual library version.

• New error variants:

  • RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_SIGNATURE_ALGORITHM - for CRL signature algorithm errors.
  • RUSTLS_RESULT_CERT_UNSUPPORTED_SIGNATURE_ALGORITHM - for certificate signature algorithm errors.

• New API functions:

  • rustls_platform_server_cert_verifier_try_with_provider() - safer alternative to rustls_platform_server_cert_verifier_with_provider with better error reporting. The older function is now deprecated.
  • rustls_connection_get_tls13_tickets_received() - returns the number of TLS 1.3 tickets received by a client connection. This is FFI for ClientConnection::tls13_tickets_received().
  • rustls_client_connection_new_alpn() - constructs a client rustls_connection with custom ALPN protocol support that differs from the base rustls_client_config.

• Additional fields exposed in rustls_client_hello:

  • named_groups - the supported key exchange groups advertised by the client.

• Website documentation improvements:

  • Deprecated functions are now visually annotated on the documentation website.
  • The docgen tool now parses and includes deprecation messages in api.json.

Changed

• Updated rustls from 0.23.31 to 0.23.37.

• Updated rustls-platform-verifier from 0.5.3 to 0.6.2.

  • Platform server cert verifier creation is now fallible and must be handled appropriately.
  • Note: rustls_platform_server_cert_verifier_with_provider() is now deprecated in favor of rustls_platform_server_cert_verifier_try_with_provider().

• Post-quantum key exchange (X25519MLKEM768) is now preferred by default (matches upstream rustls 0.23.27).

• Bumped minimum supported Rust version (MSRV) to 1.73.

• Updated to toml 0.9.

• Various dependency updates (libc, serde, serde_json, hickory-resolver, etc.).

• CI improvements:

  • Removed dependency on nightly Rust toolchain for cbindgen. The u32_enum_builder and castable macros were replaced with simpler implementations that don't require macro expansion.
  • Better handling of PowerShell errors in Windows CI.
  • macOS artifact builds now use macos-15-intel and updated ARM64 runners.
  • Added check for uncommitted website/static/api.json diffs to ensure generated documentation is up-to-date.

• Internal improvements:

  • Replaced macros with declarative + procedural macro approach for error enum u32 mapping.
  • Simplified various internal implementations.

[djc]

That looks pretty nice -- can you get it to add references to the relevant PRs?

[cpu]

Those Claude auto-gen'd changelog notes look reasonable 👍 I still suspect we either need to call this 0.16 (I think I'd prefer not to do that) or to make a rel-0.15 branch and use that instead because of 0b3478c

[djc]

Those auto-gen'd changelog notes look reasonable 👍 I still suspect we either need to call this 0.16 (I think I'd prefer not to do that) or to make a rel-0.15 branch and use that instead because of 0b3478c

Yeah, I don't think we should release a 0.16.0 (now) that's still based on rustls 0.23.

[ctz]

Those auto-gen'd changelog notes look reasonable 👍 I still suspect we either need to call this 0.16 (I think I'd prefer not to do that) or to make a rel-0.15 branch and use that instead because of 0b3478c

Oh, yes, that's dead-on breaking. Hmm

[cpu]

Oh, yes, that's dead-on breaking. Hmm

It's in a part of the API we've called experimental, so I suppose we could just say it's fine...

EXPERIMENTAL: this feature of rustls-ffi is likely to change in the future, as the rustls library is re-evaluating their current approach to client hello handling.

[djc]

That looks pretty nice -- can you get it to add references to the relevant PRs?

And/or share the prompt?

[cpu]

I tacked on some bits for RUSTSEC-2026-0049 and updated the PR desc.

Here's a claude-assisted changelog:

Thanks! This was a useful starting point. I went through the commit history alongside this list manually and didn't surface any major omissions. I did give it a pretty heavy rework, re-arranged some items, dropping some others, adding hyperlinks/PR refs, and word-wrapping it like the previous updates. I think it's a better level of detail & presentation but I'm happy to iterate more.

can you get it to add references to the relevant PRs?

Done.

[kpcyrd]

For what it's worth regarding 0b3478c, with the way rustls-ffi is setup even patch version updates announce themselves as new/different ABI (there's no difference between major/minor/patch), and during recompile the compiler would raise an error.