version 1.83, 2017/04/09 15:41:29 |
version 1.84, 2017/04/09 15:47:12 |
|
|
<li>libtls now always loads CA, key and certificate files at the time the |
<li>libtls now always loads CA, key and certificate files at the time the |
configuration function is called. This simplifies code and results in |
configuration function is called. This simplifies code and results in |
a single memory based code path being used to provide data to libssl. |
a single memory based code path being used to provide data to libssl. |
<li>Add support for OCSP intermediate certificates. |
<li>Added support for OCSP intermediate certificates. |
<li>Added functions used by stunnel and exim from BoringSSL - this |
<li>Added X509_check_host(), X509_check_email(), X509_check_ip(), and |
brings in X509_check_host, X509_check_email, X509_check_ip, and |
X509_check_ip_asc() functions, via BoringSSL. |
X509_check_ip_asc. |
|
<li>Added initial support for iOS, thanks to Jacob Berkman. |
<li>Added initial support for iOS, thanks to Jacob Berkman. |
<li>Improved behavior of arc4random on Windows when using memory leak |
<li>Improved behavior of arc4random on Windows when using memory leak |
analysis software. |
analysis software. |
<li>Correctly handle an EOF that occurs prior to the TLS handshake |
<li>Correctly handle an EOF that occurs prior to the TLS handshake |
completing. Reported by Vasily Kolobkov, based on a diff from Marko |
completing. Reported by Vasily Kolobkov, based on a diff from Marko |
Kreen. |
Kreen. |
<li>Limit the support of the "backward compatible" ssl2 handshake to |
<li>Limit the support of the "backward compatible" SSLv2 handshake to |
only be used if TLS 1.0 is enabled. |
only be used if TLS 1.0 is enabled. |
<li>Fix incorrect results in certain cases on 64-bit systems when |
<li>Fix incorrect results in certain cases on 64-bit systems when |
BN_mod_word() can return incorrect results. BN_mod_word() now can |
BN_mod_word() can return incorrect results. BN_mod_word() now can |
return an error condition. Thanks to Brian Smith. |
return an error condition. Thanks to Brian Smith. |
<li>Added constant-time updates to address CVE-2016-0702 |
<li>Added constant-time updates to address CVE-2016-0702. |
<li>Fixed undefined behavior in BN_GF2m_mod_arr() |
<li>Fixed undefined behavior in BN_GF2m_mod_arr(). |
<li>Removed unused Cryptographic Message Support (CMS) |
<li>Removed unused Cryptographic Message Support (CMS). |
<li>More conversions of long long idioms to time_t |
<li>More conversions of long long idioms to time_t. |
<li>Improved compatibility by avoiding printing NULL strings with |
<li>Improved compatibility by avoiding printing NULL strings with |
printf. |
printf. |
<li>Reverted change that cleans up the EVP cipher context in |
<li>Reverted change that cleans up the EVP cipher context in |
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the |
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the |
previous behaviour. |
previous behaviour. |
<li>Avoid unbounded memory growth in libssl, which can be triggered |
<li>Avoid unbounded memory growth in libssl, which can be triggered |
by a TLS client repeatedly renegotiating and sending OCSP Status |
by a TLS client repeatedly renegotiating and sending OCSP Status |
Request TLS extensions. |
Request TLS extensions. |
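Review bot: The tense cleanup in this hunk is only partial. "Add support for OCSP intermediate certificates." becomes "Added ...", but the untouched items beginning "Correctly handle an EOF", "Limit the support of", "Fix incorrect results" and "Avoid unbounded memory growth" stay in the imperative, so the list still mixes both forms. The BN_mod_word() item is also circular as it stands ("Fix incorrect results ... when BN_mod_word() can return incorrect results"); something like "Fixed cases on 64-bit systems where BN_mod_word() can return incorrect results." would read better. Separately, the rewritten X509_check_host() item drops the note that these functions are the ones used by stunnel and exim; keep that clause if the reason for the import is meant to stay in the release notes.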
|
|
<li>Added EVP interface for MD5+SHA1 hashes. |
<li>Added EVP interface for MD5+SHA1 hashes. |
<li>Improved nc(1) TLS handshake CPU usage and server-side error |
<li>Improved nc(1) TLS handshake CPU usage and server-side error |
reporting. |
reporting. |
<li>Add a constant time version of BN_gcd and use it default for |
<li>Added a constant time version of BN_gcd and use it default for |
BN_gcd to avoid the possibility of sidechannel timing attacks |
BN_gcd to avoid the possibility of sidechannel timing attacks |
against RSA private key generation - Thanks to Alejandro |
against RSA private key generation - Thanks to Alejandro |
Cabrera <aldaya@gmail.com> |
Cabrera <aldaya@gmail.com> |
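Review bot: The BN_gcd item now mixes tenses and is still missing a word: "Added a constant time version of BN_gcd and use it default for" should read along the lines of "Added a constant-time version of BN_gcd and made it the default for BN_gcd". This revision also adds trailing periods to the CVE-2016-0702, BN_GF2m_mod_arr(), CMS and time_t items, but this item still ends at the e-mail address without one, and "sidechannel" would be more consistent as "side-channel".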