From 7050b1338a60e9eefcb319186a92efb187069c34 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 11:05:45 +0100
Subject: [PATCH 1/7] Bump version to 0.15.1

---
 Cargo.lock              | 2 +-
 librustls/Cargo.toml    | 2 +-
 librustls/cbindgen.toml | 2 +-
 librustls/src/rustls.h  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 35dca778..96bb7f9c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1066,7 +1066,7 @@ dependencies = [
 
 [[package]]
 name = "rustls-ffi"
-version = "0.15.0"
+version = "0.15.1"
 dependencies = [
  "libc",
  "log",
diff --git a/librustls/Cargo.toml b/librustls/Cargo.toml
index 79a88592..efddc05a 100644
--- a/librustls/Cargo.toml
+++ b/librustls/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "rustls-ffi"
 # Keep in sync with defines in cbindgen.toml
-version = "0.15.0"
+version = "0.15.1"
 license = "Apache-2.0 OR ISC OR MIT"
 readme = "../README-crates.io.md"
 description = "Rustls bindings for non-Rust languages"
diff --git a/librustls/cbindgen.toml b/librustls/cbindgen.toml
index 0b3783eb..923eb3da 100644
--- a/librustls/cbindgen.toml
+++ b/librustls/cbindgen.toml
@@ -5,7 +5,7 @@ after_includes = """
 
 #define RUSTLS_VERSION_MAJOR 0
 #define RUSTLS_VERSION_MINOR 15
-#define RUSTLS_VERSION_PATCH 0
+#define RUSTLS_VERSION_PATCH 1
 
 /**
  * This gives each version part 8 bits, and leaves the 8 least significant bits
diff --git a/librustls/src/rustls.h b/librustls/src/rustls.h
index c9e0f5af..a9786647 100644
--- a/librustls/src/rustls.h
+++ b/librustls/src/rustls.h
@@ -9,7 +9,7 @@
 
 #define RUSTLS_VERSION_MAJOR 0
 #define RUSTLS_VERSION_MINOR 15
-#define RUSTLS_VERSION_PATCH 0
+#define RUSTLS_VERSION_PATCH 1
 
 /**
  * This gives each version part 8 bits, and leaves the 8 least significant bits

From 8a836ed9143922294526410a255de06a3c0ce3b3 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 11:06:28 +0100
Subject: [PATCH 2/7] Take rustls 0.23.37

---
 Cargo.lock           | 8 ++++----
 librustls/Cargo.toml | 2 +-
 librustls/build.rs   | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 96bb7f9c..67c37308 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1046,9 +1046,9 @@ checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
 
 [[package]]
 name = "rustls"
-version = "0.23.36"
+version = "0.23.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
+checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4"
 dependencies = [
  "aws-lc-rs",
  "brotli",
@@ -2199,9 +2199,9 @@ dependencies = [
 
 [[package]]
 name = "zlib-rs"
-version = "0.5.5"
+version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40990edd51aae2c2b6907af74ffb635029d5788228222c4bb811e9351c0caad3"
+checksum = "3be3d40e40a133f9c916ee3f9f4fa2d9d63435b5fbe1bfc6d9dae0aa0ada1513"
 
 [[package]]
 name = "zmij"
diff --git a/librustls/Cargo.toml b/librustls/Cargo.toml
index efddc05a..8f4640aa 100644
--- a/librustls/Cargo.toml
+++ b/librustls/Cargo.toml
@@ -30,7 +30,7 @@ prefer-post-quantum = ["aws-lc-rs", "rustls/prefer-post-quantum"]
 
 [dependencies]
 # Keep in sync with RUSTLS_CRATE_VERSION in build.rs
-rustls = { version = "=0.23.36", default-features = false, features = ["std", "tls12"] }
+rustls = { version = "=0.23.37", default-features = false, features = ["std", "tls12"] }
 webpki  = { workspace = true }
 libc = { workspace = true }
 log = { workspace = true }
diff --git a/librustls/build.rs b/librustls/build.rs
index ae073147..e2275451 100644
--- a/librustls/build.rs
+++ b/librustls/build.rs
@@ -8,7 +8,7 @@ use std::{env, fs, path::PathBuf};
 // because doing so would require a heavy-weight deserialization lib dependency
 // (and it couldn't be a _dev_ dep for use in a build script) or doing brittle
 // by-hand parsing.
-const RUSTLS_CRATE_VERSION: &str = "0.23.36";
+const RUSTLS_CRATE_VERSION: &str = "0.23.37";
 
 fn main() {
     let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());

From fc3c82f58f75db0883c071de61b03dc5c53e8ffa Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 11:06:49 +0100
Subject: [PATCH 3/7] Move const to the bottom

---
 librustls/build.rs | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/librustls/build.rs b/librustls/build.rs
index e2275451..8ee6ad84 100644
--- a/librustls/build.rs
+++ b/librustls/build.rs
@@ -2,14 +2,6 @@ use std::fs::File;
 use std::io::Write;
 use std::{env, fs, path::PathBuf};
 
-// Keep in sync with Cargo.toml.
-//
-// We don't populate this automatically from the Cargo.toml at build time
-// because doing so would require a heavy-weight deserialization lib dependency
-// (and it couldn't be a _dev_ dep for use in a build script) or doing brittle
-// by-hand parsing.
-const RUSTLS_CRATE_VERSION: &str = "0.23.37";
-
 fn main() {
     let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());
     let include_dir = out_dir.join("include");
@@ -38,3 +30,11 @@ fn main() {
 
     println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
 }
+
+// Keep in sync with Cargo.toml.
+//
+// We don't populate this automatically from the Cargo.toml at build time
+// because doing so would require a heavy-weight deserialization lib dependency
+// (and it couldn't be a _dev_ dep for use in a build script) or doing brittle
+// by-hand parsing.
+const RUSTLS_CRATE_VERSION: &str = "0.23.37";

From 84dced87375889264f8f6f36ee7af11581efa54b Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 11:30:42 +0100
Subject: [PATCH 4/7] Avoid parsing TOML with sed

---
 debian/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/build.sh b/debian/build.sh
index d31439ab..7285aebe 100755
--- a/debian/build.sh
+++ b/debian/build.sh
@@ -4,7 +4,7 @@ set -x
 
 cd "$(dirname "$0")"
 
-VERSION=$(sed -n 's/^version = "\(.*\)"$/\1/p' ../librustls/Cargo.toml)
+VERSION=$(cargo pkgid -p rustls-ffi | sed 's/.*@//')
 if [ -z "$VERSION" ]; then
     echo "Failed to extract version from Cargo.toml" >&2
     exit 1

From d2776474fa5306e965791889b43cc290023548fe Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 11:32:20 +0100
Subject: [PATCH 5/7] Avoid hardcoding version in deb testing workflow

---
 .github/workflows/artifacts.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 5ecbe89c..26f594a0 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -80,6 +80,8 @@ jobs:
   linux-deb:
     name: Linux (x86-64 GNU Deb)
     runs-on: ubuntu-22.04 # x86_64.
+    outputs:
+      version: ${{ steps.version.outputs.version }}
     steps:
       - uses: actions/checkout@v6
         with:
@@ -95,14 +97,20 @@ jobs:
         run: |
           curl -L $LINK/$CARGO_C_FILE | tar xz -C ~/.cargo/bin
 
+      - name: Extract version
+        id: version
+        run: |
+          VERSION=$(cargo pkgid -p rustls-ffi | sed 's/.*@//')
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
       - name: Build deb
         run: ./debian/build.sh
 
       - name: Upload deb
         uses: actions/upload-artifact@v7
         with:
-          name: librustls_0.15.0_amd64.deb
-          path: librustls_0.15.0_amd64.deb
+          name: librustls_${{ steps.version.outputs.version }}_amd64.deb
+          path: librustls_${{ steps.version.outputs.version }}_amd64.deb
 
   macos-binaries:
     name: MacOS (Arm64 and x86_64)
@@ -281,9 +289,9 @@ jobs:
       - name: Download rustls-ffi deb artifact
         uses: actions/download-artifact@v8
         with:
-          name: librustls_0.15.0_amd64.deb
+          name: librustls_${{ needs.linux-deb.outputs.version }}_amd64.deb
       - name: Install deb
-        run: sudo dpkg --install ./librustls_0.15.0_amd64.deb
+        run: sudo dpkg --install ./librustls_${{ needs.linux-deb.outputs.version }}_amd64.deb
       - name: Check copyright exists
         run: test -f /usr/share/doc/librustls/COPYRIGHT
       # Dump out what pkg-config says about the rustls package.

From f5f80e85d5fd6fb8abc15e2788478e3b6ce88bdd Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman <dirkjan@ochtman.nl>
Date: Fri, 13 Mar 2026 13:28:05 +0100
Subject: [PATCH 6/7] Update changelog

---
 CHANGELOG.md | 112 ++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 101 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index affb6395..6593c10b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,95 @@
 # Changelog
 
+## 0.15.1 (2026-03-13)
+
+This is a minor release with one security fix. It updates `rustls` to
+[0.23.37](https://github.com/rustls/rustls/releases/tag/v%2F0.23.37).
+
+### Security
+
+Updates `rustls-webpki` to
+[0.103.10](https://github.com/rustls/webpki/releases/tag/v%2F0.103.10):
+
+This update addresses
+[RUSTSEC-2026-0049](https://rustsec.org/advisories/RUSTSEC-2026-0049.html);
+a security issue affecting CRL revocation checking.
+
+This low-impact vulnerability affects users of the
+`rustls_web_pki_[server|client]_cert_verifier_builder` APIs that populated CRLs
+with `rustls_web_pki_server_cert_verifier_builder_add_crl()`. If a certificate
+signed by a trusted certificate authority contained multiple CRL distribution
+points, only the first was checked against the CRL's issuing distribution point.
+
+In a default configuration this oversight meant that revocation checking would
+fail-closed with an incorrect, but safe, `RUSTLS_RESULT_CERT_UNKNOWN_ISSUER`
+error.
+
+If configured with
+`rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status()`, then
+revocation checking would fail-open, potentially allowing use of certificate
+revoked by the CRL.
+
+Inducing this bug requires a trusted certificate issuer to be compromised, which
+can result in more serious revocation bypasses and security issues.
+
+### Added
+
+* version detection macros in the C header
+  (https://github.com/rustls/rustls-ffi/pull/576): 
+  * `RUSTLS_VERSION_MAJOR`, `RUSTLS_VERSION_MINOR`, `RUSTLS_VERSION_PATCH`
+    individual version components as integers.
+  * `RUSTLS_VERSION_NUMBER` - a single number encoding the version as
+    `(major << 16 | minor << 8 | patch)`.
+
+* additional error variants (https://github.com/rustls/rustls-ffi/pull/574):
+  * `RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_SIGNATURE_ALGORITHM` - for
+    CRL signature algorithm errors.
+  * `RUSTLS_RESULT_CERT_UNSUPPORTED_SIGNATURE_ALGORITHM` - for certificate
+    signature algorithm errors.
+
+* `rustls_platform_server_cert_verifier_try_with_provider()`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * A safer alternative to `rustls_platform_server_cert_verifier_with_provider`
+    with better error reporting. The older function for constructing a server
+    cert verifier backed by the platform verifier is now deprecated.
+
+* `rustls_connection_get_tls13_tickets_received()`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * Returns the number of TLS 1.3 tickets received by a client connection. This
+    is FFI for the Rustls `ClientConnection::tls13_tickets_received()` API.
+
+* `rustls_client_connection_new_alpn()`
+  (https://github.com/rustls/rustls-ffi/pull/566):
+  * constructs a client `rustls_connection` with custom ALPN protocol support
+    that differs from the base `rustls_client_config`.
+
+### Deprecated
+
+* Deprecated functions are now visually annotated on the [documentation
+  website](https://ffi.rustls.dev).
+  (https://github.com/rustls/rustls-ffi/pull/584) and in the header file using
+  the appropriate clang/GCC/MSVC attributes
+  (https://github.com/rustls/rustls-ffi/pull/579).
+
+* Platform server cert verifier creation is now fallible, returning
+  a `rustls_result` that must be handled appropriately.
+
+  The pre-existing `rustls_platform_server_cert_verifier_with_provider()` is
+  now deprecated in favor of
+  `rustls_platform_server_cert_verifier_try_with_provider()`.
+
+### Changed
+
+* Post-quantum key exchange (`X25519MLKEM768`) is now preferred by default
+  matching upstream rustls (https://github.com/rustls/rustls-ffi/pull/566)
+
+* An additional field is now exposed in `rustls_client_hello`
+  (https://github.com/rustls/rustls-ffi/pull/574):
+  * `named_groups` - the supported key exchange groups advertised by the client.
+  * This is a breaking change, but limited to the server-side
+    `rustls_server_config_builder_set_hello_callback` APIs that are documented
+    as **experimental**.
+
 ## 0.15.0 (2025-03-25)
 
 This release updates to [Rustls 0.23.25][] and increases the project minimum
@@ -184,7 +274,7 @@ requirements.
   * Ciphersuites supported by a specific `rustls_crypto_provider` can be retrieved with
     `rustls_crypto_provider_ciphersuites_len()` and `rustls_crypto_provider_ciphersuites_get()`.
   * Ciphersuites supported by the current process-wide default crypto provider (if any) can
-    be retrieved with `rustls_default_crypto_provider_ciphersuites_len()` and 
+    be retrieved with `rustls_default_crypto_provider_ciphersuites_len()` and
     `rustls_default_crypto_provider_ciphersuites_get()`.
   * A buffer can be filled with cryptographically secure random data from
     a specific `rustls_crypto_provider` using `rustls_crypto_provider_random()`,
@@ -201,7 +291,7 @@ requirements.
      based on the current process-wide default.
    * `rustls_crypto_provider_builder_new_with_base` will construct a builder
      based on a specified `rustls_crypto_provider`.
-   * Customization of supported ciphersuites can be achieved with 
+   * Customization of supported ciphersuites can be achieved with
      `rustls_crypto_provider_builder_set_cipher_suites()`.
    * The default process-wide provider can be installed from a builder using
      `rustls_crypto_provider_builder_build_as_default()`, if it has not already
@@ -231,7 +321,7 @@ requirements.
   more information on supported platforms.
     * Use `rustls_platform_server_cert_verifier()` to construct a platform verifier
       that uses the default crypto provider.
-    * Use `rustls_platform_server_cert_verifier_with_provider()` to construct a 
+    * Use `rustls_platform_server_cert_verifier_with_provider()` to construct a
       platform verifier that uses the specified `rustls_crypto_provider`.
     * The returned `rustls_server_cert_verifier` can be used with
       a `rustls_client_config_builder` with
@@ -264,7 +354,7 @@ requirements.
 
 * `rustls_server_config_builder_build()` and
   `rustls_client_config_builder_build()` now use out-parameters for the
-  `rustls_server_config` or `rustls_client_config`, and return a `rustls_result`. 
+  `rustls_server_config` or `rustls_client_config`, and return a `rustls_result`.
   This allows returning an error if the build operation fails because a suitable
   crypto provider was not available.
 
@@ -286,7 +376,7 @@ requirements.
   functions (`rustls_all_ciphersuites_len()`,
   `rustls_all_ciphersuites_get_entry()`, `rustls_default_ciphersuites_len()` and
   `rustls_default_ciphersuites_get_entry()`) have been
-  removed. Ciphersuite support is dictated by the `rustls_crypto_provider`. 
+  removed. Ciphersuite support is dictated by the `rustls_crypto_provider`.
   * Use `rustls_default_supported_ciphersuites()` to retrieve
     a `rustls_supported_ciphersuites` for the default `rustls_crypto_provider`.
   * Use `rustls_crypto_provider_ciphersuites()` to retrieve a
@@ -307,7 +397,7 @@ only cryptographic provider.
 * A new `rustls_accepted_alert` type is added. Calling
   `rustls_accepted_alert_bytes` on this type produces TLS data to write
   in the case where a server acceptor encountered an error accepting a client.
-  The returned TLS data should be written to the connection before freeing 
+  The returned TLS data should be written to the connection before freeing
   the `rustls_accepted_alert` by calling `rustls_accepted_alert_write_tls` with
   a `rustls_write_callback` implementation.
 
@@ -367,19 +457,19 @@ and 0.12.0 continues to use `*ring*` as the only cryptographic provider.
   `rustls_root_cert_store_builder_add_pem` and
   `rustls_root_cert_store_builder_load_roots_from_file`.
 * The client verifier builders (
-  `rustls_allow_any_anonymous_or_authenticated_client_builder`, and 
+  `rustls_allow_any_anonymous_or_authenticated_client_builder`, and
   `rustls_allow_any_authenticated_client_builder`) as well as the client
-  verifier types (`rustls_allow_any_anonymous_or_authenticated_client_verifier`, 
+  verifier types (`rustls_allow_any_anonymous_or_authenticated_client_verifier`,
   `rustls_allow_any_authenticated_client_verifier`) have been replaced with
   `rustls_web_pki_client_cert_verifier_builder` and `rustls_client_cert_verifier`.
-* The server config client verifier setters 
+* The server config client verifier setters
   (`rustls_server_config_builder_set_client_verifier` and
   `rustls_server_config_builder_set_client_verifier_optional`) have been
   replaced with `rustls_server_config_builder_set_client_verifier`.
-* The client config builder functions for specifying root trust anchors 
+* The client config builder functions for specifying root trust anchors
   (`rustls_client_config_builder_use_roots` and
   `rustls_client_config_builder_load_roots_from_file`) have been replaced
-  with a server certificate verifier builder 
+  with a server certificate verifier builder
   (`rustls_web_pki_server_cert_verifier_builder`) constructed with
   `rustls_web_pki_server_cert_verifier_builder_new` and
   a `rustls_root_cert_store`. The built `rustls_web_pki_server_cert_verifier`

From cc866ec1a1a345bf9a88f67dc93f08c96e0ac907 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Fri, 20 Mar 2026 20:05:42 -0400
Subject: [PATCH 7/7] Cargo: update rustls-webpki, aws-lc-[rs|sys|sys-fips]

cargo update -p rustls-webpki -p aws-lc-rs -p aws-lc-sys -p aws-lc-fips-sys
---
 Cargo.lock | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 67c37308..bcc7ad32 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -51,9 +51,9 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
 [[package]]
 name = "aws-lc-fips-sys"
-version = "0.13.12"
+version = "0.13.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ed8cd42adddefbdb8507fb7443fa9b666631078616b78f70ed22117b5c27d90"
+checksum = "f8bce4948d2520386c6d92a6ea2d472300257702242e5a1d01d6add52bd2e7c1"
 dependencies = [
  "bindgen",
  "cc",
@@ -65,9 +65,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.1"
+version = "1.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
 dependencies = [
  "aws-lc-fips-sys",
  "aws-lc-sys",
@@ -76,9 +76,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.38.0"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
 dependencies = [
  "cc",
  "cmake",
@@ -1143,9 +1143,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f"
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
  "aws-lc-rs",
  "ring",