]>
Commit | Line | Data |
---|---|---|
651d0aff | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE |
3 | _______________ |
4 | ||
c90341a1 RL |
5 | Changes between 0.9.5a and 0.9.6 [xx XXX 2000] |
6 | ||
aa826d88 BM |
7 | *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in |
8 | RSA_padding_check_SSLv23(), special padding was never detected | |
9 | and thus the SSL 3.0/TLS 1.0 countermeasure against protocol | |
10 | version rollback attacks was not effective. | |
11 | ||
37569e64 BM |
12 | In s23_clnt.c, don't use special rollback-attack detection padding |
13 | (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the | |
14 | client; similarly, in s23_srvr.c, don't do the rollback check if | |
15 | SSL 2.0 is the only protocol enabled in the server. | |
16 | [Bodo Moeller] | |
17 | ||
ca1e465f RL |
18 | *) Make it possible to get hexdumps of unprintable data with 'openssl |
19 | asn1parse'. By implication, the functions ASN1_parse_dump() and | |
20 | BIO_dump_indent() are added. | |
21 | [Richard Levitte] | |
22 | ||
a657546f DSH |
23 | *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() |
24 | these print out strings and name structures based on various | |
25 | flags including RFC2253 support and proper handling of | |
26 | multibyte characters. Added options to the 'x509' utility | |
27 | to allow the various flags to be set. | |
28 | [Steve Henson] | |
29 | ||
284ef5f3 DSH |
30 | *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. |
31 | Also change the functions X509_cmp_current_time() and | |
32 | X509_gmtime_adj() work with an ASN1_TIME structure, | |
33 | this will enable certificates using GeneralizedTime in validity | |
34 | dates to be checked. | |
35 | [Steve Henson] | |
36 | ||
37 | *) Make the NEG_PUBKEY_BUG code (which tolerates invalid | |
38 | negative public key encodings) on by default, | |
39 | NO_NEG_PUBKEY_BUG can be set to disable it. | |
40 | [Steve Henson] | |
41 | ||
42 | *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT | |
43 | content octets. An i2c_ASN1_OBJECT is unnecessary because | |
44 | the encoding can be trivially obtained from the structure. | |
45 | [Steve Henson] | |
46 | ||
fa729135 BM |
47 | *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), |
48 | not read locks (CRYPTO_r_[un]lock). | |
49 | [Bodo Moeller] | |
50 | ||
b436a982 RL |
51 | *) A first attempt at creating official support for shared |
52 | libraries through configuration. I've kept it so the | |
53 | default is static libraries only, and the OpenSSL programs | |
54 | are always statically linked for now, but there are | |
55 | preparations for dynamic linking in place. | |
56 | This has been tested on Linux and True64. | |
57 | [Richard Levitte] | |
58 | ||
c0722725 UM |
59 | *) Randomness polling function for Win9x, as described in: |
60 | Peter Gutmann, Software Generation of Practically Strong | |
61 | Random Numbers. | |
62 |