=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/61.html,v retrieving revision 1.60 retrieving revision 1.61 diff -c -r1.60 -r1.61 *** www/61.html 2017/04/01 23:35:12 1.60 --- www/61.html 2017/04/01 23:48:07 1.61 *************** *** 465,474 ****

LibreSSL 2.5.1 !

... !

mandoc 1.14.1 --- 465,634 ----

LibreSSL 2.5.3 !

libtls now supports ALPN and SNI ! !
libtls adds a new callback interface for integrating custom IO ! functions. Thanks to Tobias Pape. ! !
libtls now handles 4 cipher suite groups: !
- "secure" (TLSv1.2+AEAD+PFS) !
- "compat" (HIGH:!aNULL) !
- "legacy" (HIGH:MEDIUM:!aNULL) !
- "insecure" (ALL:!aNULL:!eNULL) !
! This allows for flexibility and finer grained control, rather than ! having two extremes (an issue raised by Marko Kreen some time ago). ! !
Tightened error handling for tls_config_set_ciphers(). ! !
libtls now always loads CA, key and certificate files at the time the ! configuration function is called. This simplifies code and results in ! a single memory based code path being used to provide data to libssl. ! !
Add support for OCSP intermediate certificates. ! !
Added functions used by stunnel and exim from BoringSSL - this ! brings in X509_check_host, X509_check_email, X509_check_ip, and ! X509_check_ip_asc. ! !
Added initial support for iOS, thanks to Jacob Berkman. ! !
Improved behavior of arc4random on Windows when using memory leak ! analysis software. ! !
Correctly handle an EOF that occurs prior to the TLS handshake ! completing. Reported by Vasily Kolobkov, based on a diff from Marko ! Kreen. ! !
Limit the support of the "backward compatible" ssl2 handshake to ! only be used if TLS 1.0 is enabled. ! !
Fix incorrect results in certain cases on 64-bit systems when ! BN_mod_word() can return incorrect results. BN_mod_word() now can ! return an error condition. Thanks to Brian Smith. ! !
Added constant-time updates to address CVE-2016-0702 ! !
Fixed undefined behavior in BN_GF2m_mod_arr() ! !
Removed unused Cryptographic Message Support (CMS) ! !
More conversions of long long idioms to time_t ! !
Improved compatibility by avoiding printing NULL strings with ! printf. ! !
Reverted change that cleans up the EVP cipher context in ! EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the ! previous behaviour. ! !
Avoid unbounded memory growth in libssl, which can be triggered ! by a TLS client repeatedly renegotiating and sending OCSP Status ! Request TLS extensions. ! !
Avoid falling back to a weak digest for (EC)DH when using SNI ! with libssl. ! !
X509_cmp_time() now passes a malformed GeneralizedTime field as ! an error. Reported by Theofilos Petsios. ! !
Detect zero-length encrypted session data early, instead of when ! malloc(0) fails or the HMAC check fails. Noted independently by ! jsing@ and Kurt Cancemi. ! !
Check for and handle failure of HMAC_{Update,Final} or ! EVP_DecryptUpdate(). ! !
Massive update and normalization of manpages, conversion to ! mandoc format. Many pages were rewritten for clarity and accuracy. ! Portable doc links are up-to-date with a new conversion tool. ! !
Curve25519 Key Exchange support. ! !
Support for alternate chains for certificate verification. ! !
Code cleanups, CBB conversions, further unification of DTLS/SSL ! handshake code, further ASN1 macro expansion and removal. ! !
Private symbol are now hidden in libssl and libcryto. ! !
Friendly certificate verification error messages in libtls, peer ! verification is now always enabled. ! !
Added OCSP stapling support to libtls and netcat. ! !
Added ocspcheck utility to validate a certificate against its OCSP ! responder and save the reply for stapling ! !
Enhanced regression tests and error handling for libtls. ! !
Added explicit constant and non-constant time BN functions, ! defaulting to constant time wherever possible. ! !
Moved many leaked implementation details in public structs behind ! opaque pointers. ! !
Added ticket support to libtls. ! !
Added support for setting the supported EC curves via ! SSL{_CTX}_set1_groups{_list}() - also provide defines for the ! previous SSL{_CTX}_set1_curves{_list} names. This also changes ! the default list of curves to be X25519, P-256 and P-384. All ! other curves must be manually enabled. ! !
Added -groups option to openssl(1) s_client for specifying the ! curves to be used in a colon-separated list. ! !
Merged client/server version negotiation code paths into one, ! reducing much duplicate code. ! !
Removed error function codes from libssl and libcrypto. ! !
Fixed an issue where a truncated packet could crash via an OOB ! read. ! !
Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows ! client-initiated renegotiation. This is the default for libtls ! servers. ! !
Avoid a side-channel cache-timing attack that can leak the ECDSA ! private keys when signing. This is due to BN_mod_inverse() being ! used without the constant time flag being set. Reported by Cesar ! Pereida Garcia and Billy Brumley (Tampere University of ! Technology). The fix was developed by Cesar Pereida Garcia. ! !
iOS and MacOS compatibility updates from Simone Basso and Jacob ! Berkman. ! !
Added the recallocarray(3) memory allocation function, and ! converted various places in the library to use it, such as CBB ! and BUF_MEM_grow. recallocarray(3) is similar to ! reallocarray. Newly allocated memory is cleared similar to ! calloc(3). Memory that becomes unallocated while shrinking or ! moving existing allocations is explicitly discarded by unmapping ! or clearing to 0. ! !
Added new root CAs from SECOM Trust Systems / Security ! Communication of Japan. ! !
Added EVP interface for MD5+SHA1 hashes. ! !
Fixed DTLS client failures when the server sends a certificate ! request. ! !
Correct handling of padding when upgrading an SSLv2 challenge ! into an SSLv3/TLS connection. ! !
Allow protocols and ciphers to be set on a TLS config object in ! libtls. ! !
Improved nc(1) TLS handshake CPU usage and server-side error ! reporting. !

mandoc 1.14.1