| Commit | Author | Line | Data |
|---|---|---|---|
| 81a6c781 | | 1 | |
| f1c236f8 | | 2 | OpenSSL CHANGES |
| 651d0aff | RE | 3 | _______________ |
| | | 4 | |
| d9c34505 | DSH | 5 | Changes between 1.0.1c and 1.0.1d [xx XXX xxxx] |
| | | 6 | |
| eeca72f7 | DSH | 7 | *) Fix possible deadlock when decoding public keys. |
| | | 8 | [Steve Henson] |
| | | 9 | |
| 6e164e5c | DSH | 10 | *) Don't use TLS 1.0 record version number in initial client hello |
| | | 11 | if renegotiating. |
| | | 12 | [Steve Henson] |
| d9c34505 | | 13 | |
| f9885acc | | 14 | Changes between 1.0.1b and 1.0.1c [10 May 2012] |
| c940e070 | | 15 | |
| d414a5a0 | DSH | 16 | *) Sanity check record length before skipping explicit IV in TLS |
| | | 17 | 1.2, 1.1 and DTLS to fix DoS attack. |
| | | 18 | |
| | | 19 | Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic |
| | | 20 | fuzzing as a service testing platform. |
| | | 21 | (CVE-2012-2333) |
| | | 22 | [Steve Henson] |
| | | 23 | |
| 5b9d0995 | DSH | 24 | *) Initialise tkeylen properly when encrypting CMS messages. |
| | | 25 | Thanks to Solar Designer of Openwall for reporting this issue. |
| | | 26 | [Steve Henson] |
| | | 27 | |
| c76b7a1a | DSH | 28 | *) In FIPS mode don't try to use composite ciphers as they are not |
| | | 29 | approved. |
| | | 30 | [Steve Henson] |
| c940e070 | | 31 | |
| effa47b8 | | 32 | Changes between 1.0.1a and 1.0.1b [26 Apr 2012] |
| e7d2a371 | | 33 | |
| 6791060e | | 34 | *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and |
| 502dfeb8 | DSH | 35 | 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately |
| | | 36 | mean any application compiled against OpenSSL 1.0.0 headers setting |
| | | 37 | SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling |
| 6791060e | | 38 | TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to |
| 502dfeb8 | DSH | 39 | 0x10000000L. Any application which was previously compiled against |
| | | 40 | OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 |
| 6791060e | AP | 41 | will need to be recompiled as a result. Letting be results in |
| | | 42 | inability to disable specifically TLS 1.1 and in client context, |
| | | 43 | in unlike event, limit maximum offered version to TLS 1.0 [see below]. |
| 502dfeb8 | DSH | 44 | [Steve Henson] |
| | | 45 | |
| 5bbed295 | AP | 46 | *) In order to ensure interoperability SSL_OP_NO_protocolX does not |
| | | 47 | disable just protocol X, but all protocols above X *if* there are |
| | | 48 | protocols *below* X still enabled. In more practical terms it means |
| | | 49 | that if application wants to disable TLS1.0 in favor of TLS1.1 and |
| | | 50 | above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass |
| 748628ce | AP | 51 | SSL_OP_NO_TLSv1\|SSL_OP_NO_SSLv3\|SSL_OP_NO_SSLv2. This applies to |
| | | 52 | client side. |
| 5bbed295 | | 53 | [Andy Polyakov] |
| e7d2a371 | | 54 | |
| 531c6fc8 | | 55 | Changes between 1.0.1 and 1.0.1a [19 Apr 2012] |
| e733dea3 | | 56 | |
| 8d5505d0 | DSH | 57 | *) Check for potentially exploitable overflows in asn1_d2i_read_bio |
| | | 58 | BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer |
| | | 59 | in CRYPTO_realloc_clean. |
| | | 60 | |
| | | 61 | Thanks to Tavis Ormandy, Google Security Team, for discovering this |
| | | 62 | issue and to Adam Langley <agl@chromium.org> for fixing it. |
| | | 63 | (CVE-2012-2110) |
| | | 64 | [Adam Langley (Google), Tavis Ormandy, Google Security Team] |
| | | 65 | |
| 4d936ace | BM | 66 | *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. |
| | | 67 | [Adam Langley] |
| | | 68 | |
| 89bd25eb | DSH | 69 | *) Workarounds for some broken servers that "hang" if a client hello |
| | | 70 | record length exceeds 255 bytes. |
| | | 71 | |
| | | 72 | 1. Do not use record version number > TLS 1.0 in initial client |
| | | 73 | hello: some (but not all) hanging servers will now work. |
| | | 74 | 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate |
| | | 75 | the number of ciphers sent in the client hello. This should be |
| | | 76 | set to an even number, such as 50, for example by passing: |
| | | 77 | -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. |
| | | 78 | Most broken servers should now work. |
| | | 79 | 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable |
| | | 80 | TLS 1.2 client support entirely. |
| 502dfeb8 | | 81 | [Steve Henson] |
| d2f950c9 | AP | 82 | |
| | | 83 | *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. |
| | | 84 | [Andy Polyakov] |
| | | 85 | |
| f3dcae15 | | 86 | Changes between 1.0.0h and 1.0.1 [14 Mar 2012] |
| 9472baae | | 87 | |
| 0cd7a032 | DSH | 88 | *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET |
| | | 89 | STRING form instead of a DigestInfo. |
| | | 90 | [Steve Henson] |
| | | 91 | |
| 16b7c81d | DSH | 92 | *) The format used for MDC2 RSA signatures is inconsistent between EVP |
| | | 93 | and the RSA_sign/RSA_verify functions. This was made more apparent when |
| | | 94 | OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular |
| | | 95 | those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect |
| | | 96 | the correct format in RSA_verify so both forms transparently work. |
| | | 97 | [Steve Henson] |
| | | 98 | |
| fc6800d1 | DSH | 99 | *) Some servers which support TLS 1.0 can choke if we initially indicate |
| | | 100 | support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA |
| | | 101 | encrypted premaster secret. As a workaround use the maximum permitted |
| | | 102 | client version in client hello, this should keep such servers happy |
| | | 103 | and still work with previous versions of OpenSSL. |
| | | 104 | [Steve Henson] |
| | | 105 | |
| bd6941cf | DSH | 106 | *) Add support for TLS/DTLS heartbeats. |
| | | 107 | [Robin Seggelmann <seggelmann@fh-muenster.de>] |
| | | 108 | |
| 6e750fcb | DSH | 109 | *) Add support for SCTP. |
| | | 110 | [Robin Seggelmann <seggelmann@fh-muenster.de>] |
| | | 111 | |
| 62308f3f | DSH | 112 | *) Improved PRNG seeding for VOS. |
| | | 113 | [Paul Green <Paul.Green@stratus.com>] |
| | | 114 | |
| cecafcce | AP | 115 | *) Extensive assembler packs updates, most notably: |
| | | 116 | |
| | | 117 | - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; |
| | | 118 | - x86[_64]: SSSE3 support (SHA1, vector-permutation AES); |
| | | 119 | - x86_64: bit-sliced AES implementation; |
| | | 120 | - ARM: NEON support, contemporary platforms optimizations; |
| | | 121 | - s390x: z196 support; |
| | | 122 | - *: GHASH and GF(2^m) multiplication implementations; |
| | | 123 | |
| | | 124 | [Andy Polyakov] |
| | | 125 | |
| ca0efb75 | DSH | 126 | *) Make TLS-SRP code conformant with RFC 5054 API cleanup |
| | | 127 | (removal of unnecessary code) |
| | | 128 | [Peter Sylvester <peter.sylvester@edelweb.fr>] |
| | | 129 | |
| b1d74291 | BL | 130 | *) Add TLS key material exporter from RFC 5705. |
| | | 131 | [Eric Rescorla] |
| | | 132 | |
| 060a38a2 | BL | 133 | *) Add DTLS-SRTP negotiation from RFC 5764. |
| | | 134 | [Eric Rescorla] |
| | | 135 | |
| e2809bfb | BL | 136 | *) Add Next Protocol Negotiation, |
| | | 137 | http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be |
| | | 138 | disabled with a no-npn flag to config or Configure. Code donated |
| | | 139 | by Google. |
| | | 140 | [Adam Langley <agl@google.com> and Ben Laurie] |
| | | 141 | |
| 9c37519b | BM | 142 | *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, |
| | | 143 | NIST-P256, NIST-P521, with constant-time single point multiplication on |
| | | 144 | typical inputs. Compiler support for the nonstandard type `__uint128_t` is |
| 3d520f7c | BM | 145 | required to use this (present in gcc 4.4 and later, for 64-bit builds). |
| | | 146 | Code made available under Apache License version 2.0. |
| 9c37519b | | 147 | |
| 3d520f7c | BM | 148 | Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command |
| | | 149 | line to include this in your build of OpenSSL, and run "make depend" (or |
| | | 150 | "make update"). This enables the following EC_METHODs: |
| 9c37519b | BM | 151 | |
| | | 152 | EC_GFp_nistp224_method() |
| | | 153 | EC_GFp_nistp256_method() |
| | | 154 | EC_GFp_nistp521_method() |
| | | 155 | |
| | | 156 | EC_GROUP_new_by_curve_name() will automatically use these (while |
| | | 157 | EC_GROUP_new_curve_GFp() currently prefers the more flexible |
| | | 158 | implementations). |
| | | 159 | |
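The two 1.0.1b entries above (lines 34 to 53 of the CHANGES file) describe how the protocol option bits interact: the old SSL_OP_NO_TLSv1_1 value collided with the 1.0.0 SSL_OP_ALL mask, and SSL_OP_NO_protocolX on the client side disables every protocol above X as soon as one below X stays enabled. The following is an added illustration written for this page, not OpenSSL code. The SSL_OP_ALL value and both SSL_OP_NO_TLSv1_1 values are the ones quoted in the entries; the remaining SSL_OP_NO_* bits and the wire version numbers are assumed from the 1.0.1 ssl.h header and should be checked against the header you actually build with. The walk in client_max_version is this page's reading of the rule, not the library's own version-selection code.

```c
#include <stddef.h>
#include <stdio.h>

/* Option bits quoted in the CHANGES entries above. */
#define OP_ALL_100         0x80000FFFL  /* SSL_OP_ALL as defined by OpenSSL 1.0.0 headers */
#define OP_NO_TLSV1_1_OLD  0x00000400L  /* SSL_OP_NO_TLSv1_1 in 1.0.1 / 1.0.1a: lies inside OP_ALL_100 */
#define OP_NO_TLSV1_1_NEW  0x10000000L  /* SSL_OP_NO_TLSv1_1 from 1.0.1b onwards */

/* Remaining SSL_OP_NO_* bits, assumed from the 1.0.1 ssl.h header (not quoted on the page). */
#define OP_NO_SSLV2        0x01000000L
#define OP_NO_SSLV3        0x02000000L
#define OP_NO_TLSV1        0x04000000L
#define OP_NO_TLSV1_2      0x08000000L

/* Protocol version numbers as they appear on the wire (assumed, standard values). */
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Returns 1 when the SSL_OP_ALL mask overlaps the SSL_OP_NO_TLSv1_1 bit, i.e. an
 * application built against 1.0.0 headers that sets SSL_OP_ALL would also disable
 * TLS 1.1 without meaning to. With the 1.0.1b value this returns 0. */
int op_all_clobbers_tls11(unsigned long op_all, unsigned long no_tls11)
{
    return (op_all & no_tls11) != 0;
}

/* Highest version a client offers under the rule in the second entry: versions
 * are walked from lowest to highest; a disabled version sitting above an enabled
 * one ends the run, so everything above it is dropped too. Disabled versions at
 * the bottom are simply skipped. Returns 0 when nothing is enabled. SSLv2 is left
 * out because it uses its own record format and is handled separately. The
 * SSL_OP_NO_TLSv1_1 bit is a parameter so the pre- and post-fix values can be
 * compared. */
int client_max_version(unsigned long options, unsigned long no_tls11_bit)
{
    const struct { unsigned long no_bit; int version; } table[] = {
        { OP_NO_SSLV3,   SSL3_VERSION   },
        { OP_NO_TLSV1,   TLS1_VERSION   },
        { no_tls11_bit,  TLS1_1_VERSION },
        { OP_NO_TLSV1_2, TLS1_2_VERSION },
    };
    int max = 0;
    size_t i;

    for (i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (options & table[i].no_bit) {
            if (max != 0)   /* disabled above an enabled version: stop here */
                break;
            continue;       /* disabled at the bottom: keep looking upward */
        }
        max = table[i].version;
    }
    return max;
}

int main(void)
{
    printf("1.0.0 SSL_OP_ALL overlaps old SSL_OP_NO_TLSv1_1: %d\n",
           op_all_clobbers_tls11(OP_ALL_100, OP_NO_TLSV1_1_OLD));
    printf("1.0.0 SSL_OP_ALL overlaps new SSL_OP_NO_TLSv1_1: %d\n",
           op_all_clobbers_tls11(OP_ALL_100, OP_NO_TLSV1_1_NEW));
    /* A 1.0.0-built app passing SSL_OP_ALL to a 1.0.1a library: TLS 1.1 is disabled
     * while TLS 1.0 stays enabled, so the client is capped at TLS 1.0. */
    printf("max client version, SSL_OP_ALL with old bit: 0x%04x\n",
           client_max_version(OP_ALL_100, OP_NO_TLSV1_1_OLD));
    /* SSL_OP_NO_TLSv1 alone leaves SSLv3 enabled below it, so the client offers only SSLv3. */
    printf("max client version, SSL_OP_NO_TLSv1 alone: 0x%04x\n",
           client_max_version(OP_NO_TLSV1, OP_NO_TLSV1_1_NEW));
    /* The combination the entry recommends for "TLS 1.1 and above". */
    printf("max client version, NO_TLSv1|NO_SSLv3|NO_SSLv2: 0x%04x\n",
           client_max_version(OP_NO_TLSV1 | OP_NO_SSLV3 | OP_NO_SSLV2, OP_NO_TLSV1_1_NEW));
    return 0;
}
```

The same walk explains the "[see below]" remark in the first entry: with the old bit value, SSL_OP_ALL from a 1.0.0 build clears TLS 1.1 while leaving TLS 1.0 enabled, which under the second entry's rule caps the client at TLS 1.0; with the 1.0.1b value the mask no longer touches any SSL_OP_NO_* bit.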