===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/61.html,v
retrieving revision 1.60
retrieving revision 1.61
diff -c -r1.60 -r1.61
*** www/61.html 2017/04/01 23:35:12 1.60
--- www/61.html 2017/04/01 23:48:07 1.61
***************
*** 465,474 ****
!
LibreSSL 2.5.1
!
mandoc 1.14.1
--- 465,634 ----
!
LibreSSL 2.5.3
!
!
! - libtls now supports ALPN and SNI
!
!
- libtls adds a new callback interface for integrating custom IO
! functions. Thanks to Tobias Pape.
!
!
- libtls now handles 4 cipher suite groups:
!
! - "secure" (TLSv1.2+AEAD+PFS)
!
- "compat" (HIGH:!aNULL)
!
- "legacy" (HIGH:MEDIUM:!aNULL)
!
- "insecure" (ALL:!aNULL:!eNULL)
!
! This allows for flexibility and finer grained control, rather than
! having two extremes (an issue raised by Marko Kreen some time ago).
!
! - Tightened error handling for tls_config_set_ciphers().
!
!
- libtls now always loads CA, key and certificate files at the time the
! configuration function is called. This simplifies code and results in
! a single memory based code path being used to provide data to libssl.
!
!
- Add support for OCSP intermediate certificates.
!
!
- Added functions used by stunnel and exim from BoringSSL - this
! brings in X509_check_host, X509_check_email, X509_check_ip, and
! X509_check_ip_asc.
!
!
- Added initial support for iOS, thanks to Jacob Berkman.
!
!
- Improved behavior of arc4random on Windows when using memory leak
! analysis software.
!
!
- Correctly handle an EOF that occurs prior to the TLS handshake
! completing. Reported by Vasily Kolobkov, based on a diff from Marko
! Kreen.
!
!
- Limit the support of the "backward compatible" ssl2 handshake to
! only be used if TLS 1.0 is enabled.
!
!
- Fix incorrect results in certain cases on 64-bit systems when
! BN_mod_word() can return incorrect results. BN_mod_word() now can
! return an error condition. Thanks to Brian Smith.
!
!
- Added constant-time updates to address CVE-2016-0702
!
!
- Fixed undefined behavior in BN_GF2m_mod_arr()
!
!
- Removed unused Cryptographic Message Support (CMS)
!
!
- More conversions of long long idioms to time_t
!
!
- Improved compatibility by avoiding printing NULL strings with
! printf.
!
!
- Reverted change that cleans up the EVP cipher context in
! EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
! previous behaviour.
!
!
- Avoid unbounded memory growth in libssl, which can be triggered
! by a TLS client repeatedly renegotiating and sending OCSP Status
! Request TLS extensions.
!
!
- Avoid falling back to a weak digest for (EC)DH when using SNI
! with libssl.
!
!
- X509_cmp_time() now passes a malformed GeneralizedTime field as
! an error. Reported by Theofilos Petsios.
!
!
- Detect zero-length encrypted session data early, instead of when
! malloc(0) fails or the HMAC check fails. Noted independently by
! jsing@ and Kurt Cancemi.
!
!
- Check for and handle failure of HMAC_{Update,Final} or
! EVP_DecryptUpdate().
!
!
- Massive update and normalization of manpages, conversion to
! mandoc format. Many pages were rewritten for clarity and accuracy.
! Portable doc links are up-to-date with a new conversion tool.
!
!
- Curve25519 Key Exchange support.
!
!
- Support for alternate chains for certificate verification.
!
!
- Code cleanups, CBB conversions, further unification of DTLS/SSL
! handshake code, further ASN1 macro expansion and removal.
!
!
- Private symbol are now hidden in libssl and libcryto.
!
!
- Friendly certificate verification error messages in libtls, peer
! verification is now always enabled.
!
!
- Added OCSP stapling support to libtls and netcat.
!
!
- Added ocspcheck utility to validate a certificate against its OCSP
! responder and save the reply for stapling
!
!
- Enhanced regression tests and error handling for libtls.
!
!
- Added explicit constant and non-constant time BN functions,
! defaulting to constant time wherever possible.
!
!
- Moved many leaked implementation details in public structs behind
! opaque pointers.
!
!
- Added ticket support to libtls.
!
!
- Added support for setting the supported EC curves via
! SSL{_CTX}_set1_groups{_list}() - also provide defines for the
! previous SSL{_CTX}_set1_curves{_list} names. This also changes
! the default list of curves to be X25519, P-256 and P-384. All
! other curves must be manually enabled.
!
!
- Added -groups option to openssl(1) s_client for specifying the
! curves to be used in a colon-separated list.
!
!
- Merged client/server version negotiation code paths into one,
! reducing much duplicate code.
!
!
- Removed error function codes from libssl and libcrypto.
!
!
- Fixed an issue where a truncated packet could crash via an OOB
! read.
!
!
- Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
! client-initiated renegotiation. This is the default for libtls
! servers.
!
!
- Avoid a side-channel cache-timing attack that can leak the ECDSA
! private keys when signing. This is due to BN_mod_inverse() being
! used without the constant time flag being set. Reported by Cesar
! Pereida Garcia and Billy Brumley (Tampere University of
! Technology). The fix was developed by Cesar Pereida Garcia.
!
!
- iOS and MacOS compatibility updates from Simone Basso and Jacob
! Berkman.
!
!
- Added the recallocarray(3) memory allocation function, and
! converted various places in the library to use it, such as CBB
! and BUF_MEM_grow. recallocarray(3) is similar to
! reallocarray. Newly allocated memory is cleared similar to
! calloc(3). Memory that becomes unallocated while shrinking or
! moving existing allocations is explicitly discarded by unmapping
! or clearing to 0.
!
!
- Added new root CAs from SECOM Trust Systems / Security
! Communication of Japan.
!
!
- Added EVP interface for MD5+SHA1 hashes.
!
!
- Fixed DTLS client failures when the server sends a certificate
! request.
!
!
- Correct handling of padding when upgrading an SSLv2 challenge
! into an SSLv3/TLS connection.
!
!
- Allow protocols and ciphers to be set on a TLS config object in
! libtls.
!
!
- Improved nc(1) TLS handshake CPU usage and server-side error
! reporting.
!
mandoc 1.14.1
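Review bot: In the added LibreSSL 2.5.3 list, the entry "Private symbol are now hidden in libssl and libcryto." misspells the library name and drops a plural; it should read "Private symbols are now hidden in libssl and libcrypto." The BN_mod_word() entry is circular ("Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results") and would read better as "Fix BN_mod_word() returning incorrect results in certain cases on 64-bit systems; it can now return an error condition." Several entries (for example the CVE-2016-0702 and ocspcheck ones) end without a period while most others have one, and "Add support for OCSP intermediate certificates." uses the imperative where the neighbouring entries use the past tense; making these consistent would help, since release notes like this are what readers scan to find security-relevant changes.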