Weekly release for Jan 5, 2026

Release Summary:

• Enables certificate intent validation by default. This also adds a config API s2n_config_disable_x509_intent_verification() to disable it if necessary
• Fixed an issue where selected_key_exchange_group for a resumed TLS 1.2 connection would incorrectly report secp256r1.

What's Changed

• build(deps): bump ytanikin/pr-conventional-commits from 1.4.2 to 1.5.1 in /.github/workflows in the all-gha-updates group by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5656
• ci: add typo check to ci by @brimonk in https://github.com/aws/s2n-tls/pull/5491
• Import Cloudfront PQ TLS Policies by @alexw91 in https://github.com/aws/s2n-tls/pull/5539
• feat(build): Improve OpenSSL libcrypto discovery by @goatgoose in https://github.com/aws/s2n-tls/pull/5572
• test: update CRL certs to comply with intent validation by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5651
• (chore): Rust bindings bump 0.3.32 by @maddeleine in https://github.com/aws/s2n-tls/pull/5662
• ci: update clang format version by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5661
• (chore): Revert "feat(build): Improve OpenSSL libcrypto discovery (#5572)" by @maddeleine in https://github.com/aws/s2n-tls/pull/5664
• feat: verify certificate issuer intent by default by @CarolYeh910 in https://github.com/aws/s2n-tls/pull/5657
• chore: Fix increase in Rust unit test timings by @maddeleine in https://github.com/aws/s2n-tls/pull/5677
• feat: add handshake event by @jmayclin in https://github.com/aws/s2n-tls/pull/5635
• test(integration): add async cert verify and offload 'stress' test by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5653
• test(integration): refactor PQ tests to utilize in-memory harness by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5667
• build(deps): bump the all-gha-updates group across 1 directory with 4 updates by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5675
• build(deps): bump cross-platform-actions/action from 0.31.0 to 0.32.0 in /.github/workflows in the all-gha-updates group by @dependabot[bot] in https://github.com/aws/s2n-tls/pull/5685
• Fix: print diagnostics to stdout in s2n_resume_test by @ravindran-dev in https://github.com/aws/s2n-tls/pull/5660
• Fix: Unpin the rust nightly toolchain version by @VIM4L-M in https://github.com/aws/s2n-tls/pull/5682
• fix: incorrect group reported for TLS 1.2 session resumption by @jmayclin in https://github.com/aws/s2n-tls/pull/5673
• test: confirm errors for no matching parameters by @jmayclin in https://github.com/aws/s2n-tls/pull/5679
• test(integration): add rust test for prefer low latency by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5684
• test(integration): add BoringSSL cohort to expand mTLS coverage by @kaukabrizvi in https://github.com/aws/s2n-tls/pull/5659
• Fix unit test build errors under -Werror by @thulasiramk-2310 in https://github.com/aws/s2n-tls/pull/5686

New Contributors

• @brimonk made their first contribution in https://github.com/aws/s2n-tls/pull/5491
• @ravindran-dev made their first contribution in https://github.com/aws/s2n-tls/pull/5660
• @VIM4L-M made their first contribution in https://github.com/aws/s2n-tls/pull/5682
• @thulasiramk-2310 made their first contribution in https://github.com/aws/s2n-tls/pull/5686

Full Changelog: https://github.com/aws/s2n-tls/compare/v1.6.3...v1.6.4