 OpenSSL CHANGES
 _______________

 Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]

 Changes between 1.0.1b and 1.0.1c [10 May 2012]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to fix DoS attack.

     Thanks to Codenomicon for discovering this issue using the Fuzz-o-Matic
     fuzzing-as-a-service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L, which unfortunately
     means that any application compiled against OpenSSL 1.0.0 headers
     that sets SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally
     disabling TLS 1.1 as well. Fix this by changing the value of
     SSL_OP_NO_TLSv1_1 to 0x10000000L. Any application which was previously
     compiled against OpenSSL 1.0.1 or 1.0.1a headers and which cares about
     SSL_OP_NO_TLSv1_1 will need to be recompiled as a result. Leaving the
     old value in place would make it impossible to disable TLS 1.1
     specifically and, in a client context, would in that (unlikely) case
     limit the maximum offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if an application wants to disable TLS 1.0 in favour of TLS 1.1
     and above, it's not sufficient to pass SSL_OP_NO_TLSv1; one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to the
     client side.
     [Andy Polyakov]
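
     The two entries above together explain why an application built
     against 1.0.0 headers could end up capped at TLS 1.0, and why
     SSL_OP_NO_TLSv1 alone does not give "TLS 1.1 and above". The following
     is an added model of that option-bit arithmetic and of the client rule
     as the entry describes it (example code written for this page, not
     OpenSSL's own s23_clnt.c logic). It redefines the SSL_OP_* bits locally
     with the values quoted above and the SSL_OP_NO_SSLv2/SSLv3/TLSv1/TLSv1_2
     values from ssl.h so that it builds without OpenSSL headers; the
     "lowest enabled protocol, then walk upward" rule is a paraphrase of the
     entry, not the library's exact control flow.

```c
#include <stdio.h>

/* Option bits as laid out in OpenSSL's ssl.h; redefined locally so this
 * model builds without OpenSSL headers. The two SSL_OP_NO_TLSv1_1 values
 * and SSL_OP_ALL are the ones quoted in the CHANGES entries above. */
#define OP_NO_SSLv2          0x01000000UL
#define OP_NO_SSLv3          0x02000000UL
#define OP_NO_TLSv1          0x04000000UL
#define OP_NO_TLSv1_2        0x08000000UL
#define OP_NO_TLSv1_1_101b   0x10000000UL   /* SSL_OP_NO_TLSv1_1 from 1.0.1b on */
#define OP_NO_TLSv1_1_101a   0x00000400UL   /* SSL_OP_NO_TLSv1_1 in 1.0.1 and 1.0.1a */
#define OP_ALL_100           0x80000FFFUL   /* SSL_OP_ALL as seen by 1.0.0 headers */

enum { SSL2 = 0, SSL3, TLS1_0, TLS1_1, TLS1_2, NPROTO };
static const char *proto_name[NPROTO] = { "SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2" };

/* Translate an option mask into per-protocol enabled flags. no_tls1_1_bit
 * selects which header layout the running library uses for SSL_OP_NO_TLSv1_1. */
static void enabled_from_options(unsigned long options, unsigned long no_tls1_1_bit,
                                 int enabled[NPROTO])
{
    enabled[SSL2]   = !(options & OP_NO_SSLv2);
    enabled[SSL3]   = !(options & OP_NO_SSLv3);
    enabled[TLS1_0] = !(options & OP_NO_TLSv1);
    enabled[TLS1_1] = !(options & no_tls1_1_bit);
    enabled[TLS1_2] = !(options & OP_NO_TLSv1_2);
}

/* Model of the client rule described above: start at the lowest enabled
 * protocol and walk upward; the first disabled protocol cuts off everything
 * above it as well. Returns the index of the highest version the client hello
 * will offer, or -1 if nothing is enabled. */
int max_client_version(unsigned long options, unsigned long no_tls1_1_bit)
{
    int enabled[NPROTO];
    int p, highest = -1;

    enabled_from_options(options, no_tls1_1_bit, enabled);
    for (p = 0; p < NPROTO && !enabled[p]; p++)
        ;                               /* skip disabled protocols at the bottom */
    for (; p < NPROTO && enabled[p]; p++)
        highest = p;                    /* extend the contiguous enabled run */
    return highest;
}

/* The mask that actually yields "minimum version = minproto" under the
 * 1.0.1b layout: disable every protocol below it and nothing above it. */
unsigned long options_for_minimum(int minproto)
{
    static const unsigned long no_bit[NPROTO] = {
        OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1, OP_NO_TLSv1_1_101b, OP_NO_TLSv1_2
    };
    unsigned long mask = 0;
    int p;
    for (p = 0; p < minproto && p < NPROTO; p++)
        mask |= no_bit[p];
    return mask;
}

static void report(const char *label, unsigned long options, unsigned long no_tls1_1_bit)
{
    int v = max_client_version(options, no_tls1_1_bit);
    printf("%-44s -> max offered: %s\n", label, v < 0 ? "(none)" : proto_name[v]);
}

int main(void)
{
    /* An application built against 1.0.0 headers that sets SSL_OP_ALL. */
    report("SSL_OP_ALL (1.0.0 value), 1.0.1a layout", OP_ALL_100, OP_NO_TLSv1_1_101a);
    report("SSL_OP_ALL (1.0.0 value), 1.0.1b layout", OP_ALL_100, OP_NO_TLSv1_1_101b);
    /* Requiring TLS 1.1+ the insufficient way and the documented way. */
    report("SSL_OP_NO_TLSv1 alone", OP_NO_TLSv1, OP_NO_TLSv1_1_101b);
    report("NO_TLSv1|NO_SSLv3|NO_SSLv2", options_for_minimum(TLS1_1), OP_NO_TLSv1_1_101b);
    return 0;
}
```

     The first two calls reproduce the SSL_OP_ALL collision: with the
     1.0.1a bit layout the 1.0.0 value of SSL_OP_ALL has bit 0x400 set, so
     TLS 1.1 is disabled and the walk stops at TLS 1.0; with the 1.0.1b
     layout the same value leaves every protocol enabled. The last two show
     that SSL_OP_NO_TLSv1 on its own caps the client at SSLv3, while
     disabling everything below TLS 1.1 lets it offer TLS 1.2.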

 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
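
     The record-length check in the 1.0.1c entry (CVE-2012-2333) and the
     buffer-growth checks in this entry (CVE-2012-2110) are the same kind of
     defence: validate a length before doing the arithmetic that depends on
     it. The following added example (written for this page, not OpenSSL's
     asn1_d2i_read_bio, BUF_MEM_grow or CRYPTO_realloc_clean code) shows a
     minimal form of each check. The 4/3 growth factor follows the style of
     BUF_MEM_grow; the function names, the grow_buf type and the demo_*
     sample data are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- 1.0.1c entry: check the record length before skipping the explicit IV ---- */

/* Locate the ciphertext after the explicit IV of a TLS 1.1/1.2 or DTLS CBC
 * record. Without the first check, rec_len - iv_len underflows for a record
 * shorter than the IV and the caller goes on to process a huge bogus length. */
int skip_explicit_iv(const unsigned char *rec, size_t rec_len, size_t iv_len,
                     const unsigned char **payload, size_t *payload_len)
{
    if (rec_len < iv_len)               /* the sanity check the 1.0.1c fix adds */
        return 0;
    *payload = rec + iv_len;
    *payload_len = rec_len - iv_len;
    return 1;
}

/* ---- 1.0.1a entry: growth arithmetic checked, shrinking refused ---- */

typedef struct { unsigned char *data; size_t length; size_t max; } grow_buf;

/* Move old_len bytes from old into a fresh block of new_len bytes and wipe
 * the old one. Refuses to shrink: copying old_len bytes into a smaller block
 * is a heap overflow. Returns NULL on refusal or allocation failure. */
unsigned char *realloc_clean_checked(unsigned char *old, size_t old_len, size_t new_len)
{
    unsigned char *p;
    if (new_len < old_len)
        return NULL;
    p = malloc(new_len);
    if (p == NULL)
        return NULL;
    if (old != NULL) {
        memcpy(p, old, old_len);
        memset(old, 0, old_len);
        free(old);
    }
    return p;
}

/* Ensure room for len bytes, growing by 4/3 in the style of BUF_MEM_grow.
 * The size arithmetic is bounds-checked before it is done. Returns len, or 0. */
size_t grow_checked(grow_buf *b, size_t len)
{
    size_t n;
    unsigned char *p;
    if (len <= b->max) {
        b->length = len;
        return len;
    }
    if (len >= SIZE_MAX / 4 * 3)        /* (len + 3) / 3 * 4 would wrap */
        return 0;
    n = (len + 3) / 3 * 4;
    p = realloc_clean_checked(b->data, b->max, n);
    if (p == NULL)
        return 0;
    b->data = p;
    b->max = n;
    b->length = len;
    return len;
}

/* Append a chunk read from a stream; the running total is checked for
 * wrap-around before it is used to size the buffer. Returns 1 on success. */
int append_checked(grow_buf *b, const unsigned char *chunk, size_t n)
{
    size_t off = b->length;
    if (n > SIZE_MAX - off)             /* off + n would wrap */
        return 0;
    if (grow_checked(b, off + n) == 0)
        return 0;
    memcpy(b->data + off, chunk, n);
    return 1;
}

/* Constructed sample data used by main (file scope so it can be reused). */
const unsigned char demo_record[16] = { 0 };    /* a 16-byte "record" */
const unsigned char demo_chunk[4] = { 1, 2, 3, 4 };
const unsigned char *demo_payload;
size_t demo_payload_len;
grow_buf demo_buf = { NULL, 0, 0 };

int main(void)
{
    printf("16-byte record, 16-byte IV: %s\n",
           skip_explicit_iv(demo_record, 16, 16, &demo_payload, &demo_payload_len) ? "ok" : "rejected");
    printf(" 8-byte record, 16-byte IV: %s\n",
           skip_explicit_iv(demo_record, 8, 16, &demo_payload, &demo_payload_len) ? "ok" : "rejected");
    printf("grow to SIZE_MAX: %s\n", grow_checked(&demo_buf, SIZE_MAX) ? "ok" : "rejected");
    printf("grow to 10, append 4+4: %s, length %zu, capacity %zu\n",
           grow_checked(&demo_buf, 10) && append_checked(&demo_buf, demo_chunk, 4)
               && append_checked(&demo_buf, demo_chunk, 4) ? "ok" : "failed",
           demo_buf.length, demo_buf.max);
    printf("shrink %zu -> %zu: %s\n", demo_buf.max, demo_buf.max - 1,
           realloc_clean_checked(demo_buf.data, demo_buf.max, demo_buf.max - 1) ? "ok" : "refused");
    free(demo_buf.data);
    return 0;
}
```

     The shrink refusal matters because a clean reallocation copies the
     whole old allocation into the new one: if the new block is smaller the
     copy itself overflows, which is why the fix rejects the request rather
     than trusting the caller's arithmetic.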

  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes.

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. Setting OPENSSL_MAX_TLS1_2_CIPHER_LENGTH truncates the cipher suite
        list sent in the client hello to that many bytes. Since each cipher
        suite occupies two bytes this should be set to an even number, such
        as 50, for example by passing -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
        to config or Configure. Most broken servers should now work.
     3. If all else fails, setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures, in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in the client hello; this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
     (removal of unnecessary code)
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

     EC_GFp_nistp224_method()
     EC_GFp_nistp256_method()
     EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).