 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]
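The delta-CRL computation behind an entry like X509_CRL_diff, as an added illustration that is not part of this CHANGES file and not OpenSSL's implementation: a small model in which serials are plain integers rather than ASN.1 INTEGERs, the issuer is a string, and the delta is built from the entries present in the newer full CRL but absent from the base, after checking that both CRLs come from the same issuer and that the newer one carries a strictly larger CRL number. The struct names, helper names and sample serials are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16

/* A full CRL, reduced to what the diff needs. Serials are plain integers
 * here (an assumption for the example; real ones are ASN.1 INTEGERs). */
struct crl {
    const char   *issuer;
    unsigned long number;                 /* CRLNumber extension */
    unsigned long revoked[MAX_ENTRIES];   /* revoked serials, any order */
    int           n;
};

/* A delta CRL: the base it applies to plus the entries added since. */
struct delta_crl {
    unsigned long base_number;            /* BaseCRLNumber extension */
    unsigned long number;                 /* CRLNumber of the delta */
    unsigned long added[MAX_ENTRIES];
    int           n;
};

static int crl_contains(const struct crl *c, unsigned long serial)
{
    int i;
    for (i = 0; i < c->n; i++)
        if (c->revoked[i] == serial)
            return 1;
    return 0;
}

/* Build the delta of `newer` relative to `base`.
 * Returns 1 on success, 0 when the pair cannot form a base/delta relation. */
int crl_diff(const struct crl *base, const struct crl *newer,
             struct delta_crl *out)
{
    int i;
    if (strcmp(base->issuer, newer->issuer) != 0)
        return 0;                         /* CRLs from different issuers */
    if (newer->number <= base->number)
        return 0;                         /* "newer" is not actually newer */
    out->base_number = base->number;
    out->number      = newer->number;
    out->n           = 0;
    for (i = 0; i < newer->n; i++)
        if (!crl_contains(base, newer->revoked[i]))
            out->added[out->n++] = newer->revoked[i];
    return 1;
}

/* Constructed sample data: a base CRL and three candidate "newer" CRLs. */
static const struct crl SAMPLE_BASE  = { "CN=Example CA", 10, {1001, 1002, 1003}, 3 };
static const struct crl SAMPLE_NEWER = { "CN=Example CA", 11, {1001, 1002, 1003, 1004, 1005}, 5 };
static const struct crl SAMPLE_STALE = { "CN=Example CA",  9, {1001, 1002, 1003, 1004}, 4 };
static const struct crl SAMPLE_OTHER = { "CN=Other CA",   12, {1001, 1002, 1003, 1004}, 4 };

/* Helpers returning plain values so the outcome can be checked directly. */
int sample_delta_count(void)
{
    struct delta_crl d;
    return crl_diff(&SAMPLE_BASE, &SAMPLE_NEWER, &d) ? d.n : -1;
}

unsigned long sample_delta_entry(int i)
{
    struct delta_crl d;
    if (!crl_diff(&SAMPLE_BASE, &SAMPLE_NEWER, &d) || i < 0 || i >= d.n)
        return 0;
    return d.added[i];
}

int sample_stale_rejected(void)
{
    struct delta_crl d;
    return !crl_diff(&SAMPLE_BASE, &SAMPLE_STALE, &d);
}

int sample_issuer_mismatch_rejected(void)
{
    struct delta_crl d;
    return !crl_diff(&SAMPLE_BASE, &SAMPLE_OTHER, &d);
}

int main(void)
{
    struct delta_crl d;
    int i;
    if (crl_diff(&SAMPLE_BASE, &SAMPLE_NEWER, &d)) {
        printf("delta over base %lu, number %lu, added:", d.base_number, d.number);
        for (i = 0; i < d.n; i++)
            printf(" %lu", d.added[i]);
        printf("\n");
    }
    printf("stale CRL offered as newer: %s\n", sample_stale_rejected() ? "rejected" : "accepted");
    printf("CRL from another issuer:    %s\n", sample_issuer_mismatch_rejected() ? "rejected" : "accepted");
    return 0;
}
```

RFC 5280 additionally lets a delta carry entries with reason removeFromCRL for certificates dropped from the full CRL since the base; the model leaves that out and only reports additions.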

  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]

  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types is not set with custom values set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in openssl utility.
     [Steve Henson]

  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New functions to check a hostname, email or IP address against a
     certificate. Add options to x509 utility to print results of checks
     against a certificate.
     [Steve Henson]
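How a hostname is matched against a certificate's dNSName entries, including the wildcard handling the two entries above refer to, as an added example that is not code from this CHANGES file or from OpenSSL. It is a deliberately small model; its rules are my own conservative choice (the '*' must be the entire leftmost label, it matches exactly one label, and at least two labels must follow it; comparison is case-insensitive; email and IP address checks and IDNs are out of scope) and are not a statement of exactly what OpenSSL's checking functions accept. The subjectAltName list and the probe hostnames are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated names. */
static int name_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels in a name ("example.com" -> 2). */
static int label_count(const char *s)
{
    int n = *s ? 1 : 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* 1 if `host` is matched by the certificate name `pattern`.
 * Wildcard rules (the model's own, deliberately strict):
 *   - '*' is only allowed as the entire leftmost label ("*.example.com");
 *   - it matches exactly one label, never "a.b" and never the empty string;
 *   - at least two labels must follow it, so "*.com" is refused. */
int dnsname_match(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *host_dot;

    if (*pattern == '\0' || *host == '\0')
        return 0;
    if (star == NULL)                              /* no wildcard: exact compare */
        return name_ieq(pattern, host);
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return 0;                                  /* partial or repeated '*' */
    if (label_count(pattern + 2) < 2)
        return 0;                                  /* "*.com"-style pattern */
    host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return 0;                                  /* host has no first label */
    return name_ieq(pattern + 2, host_dot + 1);    /* '*' consumed one label */
}

/* Constructed subjectAltName list for the sample certificate. */
static const char *const SAMPLE_SANS[] = {
    "example.com", "*.example.com", "mail.example.net"
};
#define SAMPLE_SANS_N (int)(sizeof SAMPLE_SANS / sizeof SAMPLE_SANS[0])

/* 1 if any name in the list matches `host`. */
int cert_matches_host(const char *const *names, int n, const char *host)
{
    int i;
    for (i = 0; i < n; i++)
        if (dnsname_match(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    static const char *const probes[] = {
        "example.com", "WWW.Example.COM", "a.b.example.com",
        "mail.example.net", "example.com.attacker.test"
    };
    int i;
    for (i = 0; i < (int)(sizeof probes / sizeof probes[0]); i++)
        printf("%-28s %s\n", probes[i],
               cert_matches_host(SAMPLE_SANS, SAMPLE_SANS_N, probes[i])
                   ? "match" : "no match");
    return 0;
}
```

The two cases worth keeping in a test suite are the ones naive matchers get wrong: a wildcard spanning a dot ("a.b.example.com" against "*.example.com") and a name that merely starts with the certificate's name ("example.com.attacker.test").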
160 | ||
d65b8b21 BL |
161 | *) Fix OCSP checking. |
162 | [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] | |
163 | ||
164 | *) Backport support for partial chain verification: if an intermediate | |
165 | certificate is explicitly trusted (using -addtrust option to x509 | |
166 | utility for example) the verification is sucessful even if the chain | |
167 | is not complete. | |
168 | The OCSP checking fix depends on this backport. | |
169 | [Steve Henson and Rob Stradling <rob.stradling@comodo.com>] | |
170 | ||
9d2006d8 DSH |
171 | *) Add -trusted_first option which attempts to find certificates in the |
172 | trusted store even if an untrusted chain is also supplied. | |
173 | [Steve Henson] | |
174 | ||
988037fe AP |
175 | *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE, |
176 | platform support for Linux and Android. | |
177 | [Andy Polyakov] | |
178 | ||
da8512aa | 179 | *) Call OCSP Stapling callback after ciphersuite has been chosen, so |
dc144417 DSH |
180 | the right response is stapled. Also change current certificate to |
181 | the certificate actually sent. | |
da8512aa BL |
182 | See http://rt.openssl.org/Ticket/Display.html?id=2836. |
183 | [Rob Stradling <rob.stradling@comodo.com>] | |
184 | ||
0e05b51f AP |
185 | *) Support for linux-x32, ILP32 environment in x86_64 framework. |
186 | [Andy Polyakov] | |
187 | ||
4e14996e BL |
188 | *) RFC 5878 support. |
189 | [Emilia Kasper, Adam Langley, Ben Laurie (Google)] | |
190 | ||
1dded7f7 DSH |
191 | *) Experimental multi-implementation support for FIPS capable OpenSSL. |
192 | When in FIPS mode the approved implementations are used as normal, | |
193 | when not in FIPS mode the internal unapproved versions are used instead. | |
194 | This means that the FIPS capable OpenSSL isn't forced to use the | |
195 | (often lower perfomance) FIPS implementations outside FIPS mode. | |
196 | [Steve Henson] | |
197 | ||
c3cb0691 DSH |
198 | *) Transparently support X9.42 DH parameters when calling |
199 | PEM_read_bio_DHparameters. This means existing applications can handle | |
200 | the new parameter format automatically. | |
201 | [Steve Henson] | |
202 | ||
491734eb DSH |
203 | *) Initial experimental support for X9.42 DH parameter format: mainly |
204 | to support use of 'q' parameter for RFC5114 parameters. | |
205 | [Steve Henson] | |
206 | ||
e811eff5 DSH |
207 | *) Add DH parameters from RFC5114 including test data to dhtest. |
208 | [Steve Henson] | |
209 | ||
e46c807e DSH |
210 | *) Support for automatic EC temporary key parameter selection. If enabled |
211 | the most preferred EC parameters are automatically used instead of | |
212 | hardcoded fixed parameters. Now a server just has to call: | |
213 | SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically | |
214 | support ECDH and use the most appropriate parameters. | |
215 | [Steve Henson] | |
216 | ||
6b870763 DSH |
217 | *) Enhance and tidy EC curve and point format TLS extension code. Use |
218 | static structures instead of allocation if default values are used. | |
219 | New ctrls to set curves we wish to support and to retrieve shared curves. | |
220 | Print out shared curves in s_server. New options to s_server and s_client | |
221 | to set list of supported curves. | |
222 | [Steve Henson] | |
223 | ||
55058181 DSH |
224 | *) New ctrls to retrieve supported signature algorithms and |
225 | supported curve values as an array of NIDs. Extend openssl utility | |
226 | to print out received values. | |
227 | [Steve Henson] | |
228 | ||
a068a1d0 DSH |
229 | *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert |
230 | between NIDs and the more common NIST names such as "P-256". Enhance | |
231 | ecparam utility and ECC method to recognise the NIST names for curves. | |
232 | [Steve Henson] | |
233 | ||
37b16c84 DSH |
234 | *) Enhance SSL/TLS certificate chain handling to support different |
235 | chains for each certificate instead of one chain in the parent SSL_CTX. | |
236 | [Steve Henson] | |
237 | ||
c523eb98 DSH |
238 | *) Support for fixed DH ciphersuite client authentication: where both |
239 | server and client use DH certificates with common parameters. | |
240 | [Steve Henson] | |
241 | ||
0ffa4997 DSH |
242 | *) Support for fixed DH ciphersuites: those requiring DH server |
243 | certificates. | |
244 | [Steve Henson] | |
b9115239 | 245 | |
5e145e54 DSH |
246 | Changes between 1.0.1c and 1.0.1d [xx XXX xxxx] |
247 | ||
5f4cf088 BL |
248 | *) Make openssl verify return errors. |
249 | [Chris Palmer <palmer@google.com> and Ben Laurie] | |
250 | ||
482f2380 DSH |
251 | *) Fix possible deadlock when decoding public keys. |
252 | [Steve Henson] | |
253 | ||
5e145e54 DSH |
254 | *) Don't use TLS 1.0 record version number in initial client hello |
255 | if renegotiating. | |
256 | [Steve Henson] | |
257 | ||
258 | Changes between 1.0.1b and 1.0.1c [10 May 2012] | |
a56f9a61 | 259 | |
e7c84838 DSH |
260 | *) Sanity check record length before skipping explicit IV in TLS |
261 | 1.2, 1.1 and DTLS to avoid DoS attack. | |
262 | ||
263 | Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic | |
264 | fuzzing as a service testing platform. | |
265 | (CVE-2012-2333) | |
266 | [Steve Henson] | |
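What the sanity check above guards against, as an added self-contained illustration that is not the OpenSSL code: in TLS 1.1, TLS 1.2 and DTLS a CBC record body begins with an explicit IV of one cipher block, and the decryptor skips it by advancing the data pointer and shrinking the length. If the record is shorter than one block, the unsigned subtraction wraps and the rest of the record layer is handed an enormous length. The record structure, buffer sizes and helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIPHER_BLOCK 16   /* block size of the negotiated CBC cipher (AES here) */

/* A decrypted record body: explicit IV first, then plaintext + MAC + padding. */
struct tls_record {
    const unsigned char *data;
    size_t length;
};

/* Model of the unchecked version. When length < block_size the unsigned
 * subtraction wraps, so the caller believes it holds almost SIZE_MAX bytes
 * and reads far past the buffer. Kept only to show the failure; never use
 * this shape on untrusted input. */
void skip_explicit_iv_unchecked(struct tls_record *r, size_t block_size)
{
    r->data   += block_size;
    r->length -= block_size;
}

/* Hardened version: reject the record before touching pointer or length.
 * Returns 1 on success, 0 for a record too short to contain an IV. */
int skip_explicit_iv_checked(struct tls_record *r, size_t block_size)
{
    if (block_size <= 1)
        return 1;                     /* stream cipher: no explicit IV */
    if (r->length < block_size)
        return 0;                     /* short record: fatal decode error */
    r->data   += block_size;
    r->length -= block_size;
    return 1;
}

/* Drivers over a constructed 64-byte buffer so results are plain values. */
size_t unchecked_length_after_skip(size_t record_len)
{
    static const unsigned char buf[64] = {0};
    struct tls_record r = { buf, record_len };
    skip_explicit_iv_unchecked(&r, CIPHER_BLOCK);
    return r.length;
}

/* Payload length after the checked skip, or -1 if the record was rejected. */
long checked_payload_length(size_t record_len)
{
    static const unsigned char buf[64] = {0};
    struct tls_record r = { buf, record_len };
    if (!skip_explicit_iv_checked(&r, CIPHER_BLOCK))
        return -1;
    return (long)r.length;
}

int main(void)
{
    printf("unchecked, 5-byte record  -> length %zu (wrapped)\n",
           unchecked_length_after_skip(5));
    printf("checked,   5-byte record  -> %ld (rejected)\n", checked_payload_length(5));
    printf("checked,  40-byte record  -> %ld payload bytes\n", checked_payload_length(40));
    return 0;
}
```

A complete record-layer check also has to account for the MAC and padding that follow the IV, which is why the minimum acceptable length in a real implementation is larger than one block; the point here is only that the length must be validated before it is adjusted.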

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L. Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Leaving it as is results in an
     inability to disable specifically TLS 1.1 and, in client context, in the
     unlikely event, limits the maximum offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
     [Andy Polyakov]
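The two entries above, as an added C model that is not OpenSSL code. The three option values the first entry quotes are used as given; the remaining SSL_OP_NO_* constants are the 1.0.1 ssl.h values as I remember them, which is an assumption since they do not appear on this page. op_all_collides() shows why a program built against 1.0.0 headers and passing SSL_OP_ALL ended up with TLS 1.1 off under the old bit assignment, and client_max_version() implements the client-side rule of the second entry by walking upward from the lowest enabled version and stopping at the first disabled one.

```c
#include <stdio.h>
#include <string.h>

/* Values quoted in the CHANGES entries above. */
#define SSL_OP_ALL_1_0_0       0x80000FFFL  /* SSL_OP_ALL as defined by 1.0.0   */
#define SSL_OP_NO_TLSv1_1_OLD  0x00000400L  /* 1.0.1 / 1.0.1a SSL_OP_NO_TLSv1_1 */
#define SSL_OP_NO_TLSv1_1_NEW  0x10000000L  /* 1.0.1b SSL_OP_NO_TLSv1_1         */
/* Assumed from the 1.0.1 ssl.h; these are not quoted on the page. */
#define SSL_OP_NO_SSLv2        0x01000000L
#define SSL_OP_NO_SSLv3        0x02000000L
#define SSL_OP_NO_TLSv1        0x04000000L
#define SSL_OP_NO_TLSv1_2      0x08000000L

enum { SSL2 = 0, SSL3, TLS10, TLS11, TLS12, NVER };
static const char *const ver_name[NVER] = {
    "SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
};

/* 1 if the 1.0.0 SSL_OP_ALL mask already contains the given NO_TLSv1_1 bit,
 * i.e. an application built against 1.0.0 headers would switch TLS 1.1 off
 * merely by asking for the usual bug workarounds. */
int op_all_collides(long no_tlsv1_1_bit)
{
    return (SSL_OP_ALL_1_0_0 & no_tlsv1_1_bit) != 0;
}

/* Which versions an option word leaves enabled, post-1.0.1b bit layout. */
static void enabled_versions(long options, int enabled[NVER])
{
    enabled[SSL2]  = !(options & SSL_OP_NO_SSLv2);
    enabled[SSL3]  = !(options & SSL_OP_NO_SSLv3);
    enabled[TLS10] = !(options & SSL_OP_NO_TLSv1);
    enabled[TLS11] = !(options & SSL_OP_NO_TLSv1_1_NEW);
    enabled[TLS12] = !(options & SSL_OP_NO_TLSv1_2);
}

/* Highest version a client offers under the rule in the second entry:
 * start at the lowest enabled version and walk upwards while versions stay
 * enabled. The first disabled version ends the walk, so everything above it
 * is disabled too. Returns one of the enum values, or -1 if nothing is on. */
int client_max_version(long options)
{
    int enabled[NVER], lo = 0, hi;
    enabled_versions(options, enabled);
    while (lo < NVER && !enabled[lo])
        lo++;
    if (lo == NVER)
        return -1;
    for (hi = lo; hi + 1 < NVER && enabled[hi + 1]; hi++)
        ;
    return hi;
}

const char *client_max_version_name(long options)
{
    int v = client_max_version(options);
    return v < 0 ? "none" : ver_name[v];
}

int main(void)
{
    printf("SSL_OP_ALL(1.0.0) & old NO_TLSv1_1 bit: %s\n",
           op_all_collides(SSL_OP_NO_TLSv1_1_OLD) ? "collides" : "clean");
    printf("SSL_OP_ALL(1.0.0) & new NO_TLSv1_1 bit: %s\n",
           op_all_collides(SSL_OP_NO_TLSv1_1_NEW) ? "collides" : "clean");
    printf("NO_TLSv1 alone             -> offers up to %s\n",
           client_max_version_name(SSL_OP_NO_TLSv1));
    printf("NO_TLSv1|NO_SSLv3|NO_SSLv2 -> offers up to %s\n",
           client_max_version_name(SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2));
    printf("NO_TLSv1_1 alone           -> offers up to %s\n",
           client_max_version_name(SSL_OP_NO_TLSv1_1_NEW));
    return 0;
}
```

The last case is the one the first entry calls the unlikely event: an option word that carries only the NO_TLSv1_1 bit, which is exactly what a 1.0.0-compiled SSL_OP_ALL produced under the old assignment, caps the client at TLS 1.0.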

 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
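The shape of the checks the entry above names, as an added self-contained model that is not the OpenSSL code: a buffer that has to grow to hold a length taken from untrusted input (an ASN.1 length field, in the entry's case). The target size is computed with an explicit overflow check on the addition, and a "grow" request that would leave the buffer smaller than the data already in it is refused instead of honoured, since honouring it leaves the length field pointing past the allocation. The struct, sizes and helper names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct membuf {
    unsigned char *data;
    size_t length;   /* bytes holding data */
    size_t max;      /* bytes allocated */
};

/* Size needed to hold `len` more bytes at offset `off`; 0 if off + len wraps.
 * `len` comes straight from the input, so the addition itself is checked,
 * not just the result. */
size_t wanted_size(size_t off, size_t len)
{
    if (len > SIZE_MAX - off)
        return 0;
    return off + len;
}

/* Grow-only: make the buffer hold `want` bytes. Returns 1 on success, 0 on
 * refusal or allocation failure. A `want` below the live length is refused. */
int membuf_grow(struct membuf *b, size_t want)
{
    unsigned char *p;
    if (want == 0 || want < b->length)
        return 0;                          /* overflowed size, or a shrink */
    if (want <= b->max) {
        b->length = want;                  /* already big enough */
        return 1;
    }
    p = realloc(b->data, want);
    if (p == NULL)
        return 0;
    memset(p + b->max, 0, want - b->max);  /* never expose stale heap bytes */
    b->data   = p;
    b->max    = want;
    b->length = want;
    return 1;
}

/* Driver: start from a constructed buffer already holding 64 bytes and try
 * to make room for `len` more bytes at `off`. Returns 1 if allowed. */
int chunk_fits(size_t off, size_t len)
{
    struct membuf b;
    int ok;
    b.data = calloc(64, 1);
    if (b.data == NULL)
        return 0;
    b.length = b.max = 64;
    ok = membuf_grow(&b, wanted_size(off, len));
    free(b.data);
    return ok;
}

int main(void)
{
    printf("32 more bytes at offset 64: %s\n", chunk_fits(64, 32) ? "grown" : "refused");
    printf("request below live length:  %s\n", chunk_fits(16, 8) ? "grown" : "refused");
    printf("offset + length wraps:      %s\n",
           chunk_fits(SIZE_MAX - 10, 20) ? "grown" : "refused");
    return 0;
}
```

Returning 0 from wanted_size() for the wrapped case is deliberate: a caller that forgets to check it still ends up in membuf_grow() with want == 0, which is refused, so the two checks back each other up.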

  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes:

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in client hello, this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
     (removal of unnecessary code)
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

         EC_GFp_nistp224_method()
         EC_GFp_nistp256_method()
         EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).
333 | STRING form instead of a DigestInfo. | |
334 | [Steve Henson] | |
335 | ||
16b7c81d DSH |
336 | *) The format used for MDC2 RSA signatures is inconsistent between EVP |
337 | and the RSA_sign/RSA_verify functions. This was made more apparent when | |
338 | OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular | |
339 | those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect | |
340 | the correct format in RSA_verify so both forms transparently work. | |
341 | [Steve Henson] | |
342 | ||
fc6800d1 DSH |
343 | *) Some servers which support TLS 1.0 can choke if we initially indicate |
344 | support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA | |
345 | encrypted premaster secret. As a workaround use the maximum pemitted | |
346 | client version in client hello, this should keep such servers happy | |
347 | and still work with previous versions of OpenSSL. | |
348 | [Steve Henson] | |
349 | ||
bd6941cf DSH |
350 | *) Add support for TLS/DTLS heartbeats. |
351 | [Robin Seggelmann <seggelmann@fh-muenster.de>] | |
352 | ||
6e750fcb DSH |
353 | *) Add support for SCTP. |
354 | [Robin Seggelmann <seggelmann@fh-muenster.de>] | |
355 | ||
62308f3f DSH |
356 | *) Improved PRNG seeding for VOS. |
357 | [Paul Green <Paul.Green@stratus.com>] | |
358 | ||
cecafcce AP |
359 | *) Extensive assembler packs updates, most notably: |
360 | ||
361 | - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; | |
362 | - x86[_64]: SSSE3 support (SHA1, vector-permutation AES); | |
363 | - x86_64: bit-sliced AES implementation; | |
364 | - ARM: NEON support, contemporary platforms optimizations; | |
365 | - s390x: z196 support; | |
366 | - *: GHASH and GF(2^m) multiplication implementations; | |
367 | ||
368 | [Andy Polyakov] | |
369 | ||
ca0efb75 DSH |
370 | *) Make TLS-SRP code conformant with RFC 5054 API cleanup |
371 | (removal of unnecessary code) | |
372 | [Peter Sylvester <peter.sylvester@edelweb.fr>] | |
373 | ||
b1d74291 BL |
374 | *) Add TLS key material exporter from RFC 5705. |
375 | [Eric Rescorla] | |
376 | ||
060a38a2 BL |
377 | *) Add DTLS-SRTP negotiation from RFC 5764. |
378 | [Eric Rescorla] | |
379 | ||
e2809bfb BL |
380 | *) Add Next Protocol Negotiation, |
381 | http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be | |
382 | disabled with a no-npn flag to config or Configure. Code donated | |
383 | by Google. | |
384 | [Adam Langley <agl@google.com> and Ben Laurie] | |
385 | ||
9c37519b BM |
386 | *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, |
387 | NIST-P256, NIST-P521, with constant-time single point multiplication on | |
388 | typical inputs. Compiler support for the nonstandard type __uint128_t is | |
3d520f7c BM |
389 | required to use this (present in gcc 4.4 and later, for 64-bit builds). |
390 | Code made available under Apache License version 2.0. | |
9c37519b | 391 | |
3d520f7c BM |
392 | Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command |
393 | line to include this in your build of OpenSSL, and run "make depend" (or | |
394 | "make update"). This enables the following EC_METHODs: | |
9c37519b BM |
395 | |
396 | EC_GFp_nistp224_method() | |
397 | EC_GFp_nistp256_method() | |
398 | EC_GFp_nistp521_method() | |
399 | ||
400 | EC_GROUP_new_by_curve_name() will automatically use these (while | |
401 | EC_GROUP_new_curve_GFp() currently prefers the more flexible | |
402 | implementations). | |
403 |