git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1f and 1.0.1g [xx XXX xxxx]

  *) TLS pad extension: draft-agl-tls-padding-02

     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
     TLS client Hello record length value would otherwise be > 255 and
     less than 512, pad with a dummy extension containing zeroes so it
     is at least 512 bytes long.

     To enable it, choose an unused extension number (for example, Chrome
     uses 35655) and define it at build time, e.g.:

     -DTLSEXT_TYPE_padding=35655

     Since the extension is ignored, the actual number doesn't matter as long
     as it doesn't clash with any existing extension.

     This will be updated when the extension gets an official number.
     [Adam Langley, Steve Henson]
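
     The padding rule above, worked through as an added example (this is
     not OpenSSL's own implementation, which lives in the ClientHello
     extension writer): given the length a ClientHello would have without
     the workaround, decide whether the 255 < length < 512 window applies,
     size a zero-filled padding extension so the hello reaches 512 bytes,
     and emit its 2-byte type and 2-byte length header. TLSEXT_TYPE_padding
     is defined here to the 35655 value the entry cites; the choice to
     still emit an empty extension when fewer than 4 bytes are missing is
     this example's own. The surrounding extensions-length and record-length
     fields, which the real implementation must also update, are not
     modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The draft has no official extension number, so a build picks an unused
 * one; 35655 is the value the changelog cites for Chrome. This define is
 * chosen for the example, not taken from an OpenSSL header. */
#ifndef TLSEXT_TYPE_padding
#define TLSEXT_TYPE_padding 35655
#endif

/* Number of zero bytes the padding extension body needs so that a
 * ClientHello of hello_len bytes ends up at least 512 bytes long.
 * Returns -1 when no extension is needed: the buggy window is
 * 255 < hello_len < 512. */
int padding_body_len(size_t hello_len)
{
    if (hello_len <= 255 || hello_len >= 512)
        return -1;
    size_t needed = 512 - hello_len;
    /* The extension's own type and length fields take 4 bytes. When fewer
     * than 4 bytes are missing, an empty extension is still added: the
     * header alone pushes the hello past 512 (design choice of this example). */
    return needed >= 4 ? (int)(needed - 4) : 0;
}

/* Append the padding extension (2-byte type, 2-byte length, body of zeroes)
 * to out. Returns the number of bytes written, or 0 if no extension was
 * needed or out_cap is too small. */
size_t append_padding_ext(size_t hello_len, uint8_t *out, size_t out_cap)
{
    int body = padding_body_len(hello_len);
    if (body < 0)
        return 0;
    size_t total = 4 + (size_t)body;
    if (out_cap < total)
        return 0;
    out[0] = (uint8_t)(TLSEXT_TYPE_padding >> 8);
    out[1] = (uint8_t)(TLSEXT_TYPE_padding & 0xff);
    out[2] = (uint8_t)(body >> 8);
    out[3] = (uint8_t)(body & 0xff);
    memset(out + 4, 0, (size_t)body);
    return total;
}

/* Length of the ClientHello once the workaround has been applied. */
size_t padded_hello_len(size_t hello_len)
{
    uint8_t ext[512];
    return hello_len + append_padding_ext(hello_len, ext, sizeof ext);
}

/* Read the type field back out of the emitted extension (0 if none). */
unsigned parsed_padding_ext_type(size_t hello_len)
{
    uint8_t ext[512];
    if (append_padding_ext(hello_len, ext, sizeof ext) < 4)
        return 0;
    return ((unsigned)ext[0] << 8) | ext[1];
}

int main(void)
{
    /* Constructed hello lengths on both sides of the 255/512 window. */
    static const size_t lens[] = { 200, 255, 256, 300, 508, 511, 512 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("hello %3zu bytes -> pad body %4d, sent %3zu bytes\n",
               lens[i], padding_body_len(lens[i]), padded_hello_len(lens[i]));
    return 0;
}
```

     A hello of 300 bytes gets a 208-byte body plus the 4-byte header and
     lands exactly on 512; a hello of 511 bytes gets an empty extension
     and is sent as 515 bytes, which is still outside the window.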

 Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

  *) Fix for TLS record tampering bug. A carefully crafted invalid
     handshake could crash OpenSSL with a NULL pointer exception.
     Thanks to Anton Johansson for reporting this issue.
     (CVE-2013-4353)

  *) Keep original DTLS digest and encryption contexts in retransmission
     structures so we can use the previous session parameters if they need
     to be resent. (CVE-2013-6450)
     [Steve Henson]

  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
     Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
     several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
     [Rob Stradling, Adam Langley]

 Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]

 Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
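
     As an added illustration of what "constant time" buys in CBC record
     decoding (this is example code, not the OpenSSL change itself, which
     also makes the MAC computation independent of the padding length and
     is considerably more involved): a naive TLS CBC padding check stops at
     the first wrong byte, so its running time depends on where the padding
     stops matching; the constant-time variant below always reads the same
     trailing bytes and folds every comparison into a mask. The sample
     record is constructed inline and the ct_* helpers, g_rec and
     sample_record are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Branch-free comparisons: each returns all-ones (0xffffffff) when the
 * relation holds and 0 otherwise, so the result can be used as a mask. */
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    /* a - b wraps in 64 bits exactly when a < b, which sets bit 63. */
    return (uint32_t)0 - (uint32_t)(((uint64_t)a - (uint64_t)b) >> 63);
}
static uint32_t ct_le(uint32_t a, uint32_t b) { return ct_lt(a, b + 1); }
static uint32_t ct_eq(uint32_t a, uint32_t b) { return ct_lt(a ^ b, 1); }

/* Naive check of TLS CBC padding (padlen+1 trailing bytes all equal to
 * padlen): returns as soon as a byte is wrong, so its duration reveals how
 * far into the padding the mismatch was. */
int naive_check_tls_padding(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    uint8_t padlen = rec[len - 1];
    if ((size_t)padlen + 1 > len)
        return 0;
    for (size_t i = 0; i <= padlen; i++)
        if (rec[len - 1 - i] != padlen)
            return 0;               /* early exit: data-dependent timing */
    return 1;
}

/* Constant-time variant: always inspects the same trailing bytes (up to
 * 256, the largest pad plus its length byte, bounded only by the public
 * record length) and never branches on a padding value. */
int ct_check_tls_padding(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    uint32_t padlen = rec[len - 1];
    uint32_t good = ct_le(padlen + 1, (uint32_t)len); /* claimed pad must fit */
    size_t scan = len < 256 ? len : 256;
    for (size_t i = 0; i < scan; i++) {
        uint32_t in_pad = ct_le((uint32_t)i, padlen);  /* i bytes from the end is inside the pad? */
        uint32_t b = rec[len - 1 - i];
        good &= ~(in_pad & ~ct_eq(b, padlen));        /* mismatch inside the pad clears good */
    }
    return (int)(good & 1);
}

/* Constructed sample record (not captured traffic): data_len bytes of 0xAA
 * followed by padlen + 1 bytes equal to padlen. corrupt_at >= 0 flips the
 * byte that many positions from the end (0 flips the length byte itself). */
uint8_t g_rec[512];
size_t sample_record(size_t data_len, uint8_t padlen, int corrupt_at)
{
    size_t len = data_len + (size_t)padlen + 1;
    memset(g_rec, 0xAA, data_len);
    memset(g_rec + data_len, padlen, (size_t)padlen + 1);
    if (corrupt_at >= 0 && (size_t)corrupt_at < len)
        g_rec[len - 1 - (size_t)corrupt_at] ^= 0xff;
    return len;
}

int main(void)
{
    size_t len = sample_record(32, 15, -1);
    printf("intact padding:      naive=%d ct=%d\n",
           naive_check_tls_padding(g_rec, len), ct_check_tls_padding(g_rec, len));
    len = sample_record(32, 15, 5);
    printf("pad byte flipped:    naive=%d ct=%d\n",
           naive_check_tls_padding(g_rec, len), ct_check_tls_padding(g_rec, len));
    len = sample_record(32, 15, 0);
    printf("length byte flipped: naive=%d ct=%d\n",
           naive_check_tls_padding(g_rec, len), ct_check_tls_padding(g_rec, len));
    return 0;
}
```

     Both checks accept and reject the same records; the difference is only
     that the second one's memory accesses and loop count depend on the
     record length, which the network already reveals, and not on the
     padding bytes, which are what the attack tries to learn.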