
File: [local] / www / 61.html

Revision 1.70, Thu Apr 6 08:11:20 2017 UTC (7 years, 1 month ago) by tb
Branch: MAIN
Changes since 1.69: +6 -10 lines

vmm/vmd are new in 6.1, so tweak some wording to reflect that

input/ok reyk

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenBSD 6.1</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="OpenBSD 6.1">
<meta name="copyright" content="This document copyright 2016 by OpenBSD.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/61.html">
</head>

<body bgcolor="#ffffff" text="#000000" link="#24248E">

<h2>
<a href="index.html">
<i><font color="#0000ff">Open</font></i><font color="#000084">BSD</font></a>
<font color="#e00000">6.1</font>
</h2>

<a href="images/XXX.jpg">
<img alt="XXX" align="left" width="227" height="343" hspace="24" src="images/XXX.jpg"></a>
To be released somewhere around May 1, 2017 plus or minus a couple months<br>
Copyright 1997-2017, Theo de Raadt.<br>
<br>
<br>
6.1 Song:
<a href="lyrics.html#61">"xxx"</a>.

<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <font color="#e00000">pub/OpenBSD/6.1/</font> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus61.html">detailed log of changes</a> between the
    6.0 and 6.1 releases.
<p>
<li><a href="http://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<br>
<pre>
base: RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
fw:   RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
pkg:  RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
</pre>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
</ul>
<br clear=all>

<hr>

<h3 id="new"><font color="#0000e0">What's New</font></h3>

This is a partial list of new features and systems included in OpenBSD 6.1.
For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
to 6.1.

<ul>
<li>New/extended platforms:
    <ul>
    <li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
        using <a href="http://man.openbsd.org/clang-local.1">clang(1)</a>
        as the base system compiler.
    <li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
        platform now supports systems with Loongson 3A CPU and RS780E chipset.
    <li>The following platforms were retired:
        <a href="https://www.openbsd.org/armish.html">armish</a>,
        <a href="https://www.openbsd.org/sparc.html">sparc</a>,
        <a href="https://www.openbsd.org/zaurus.html">zaurus</a>
    </ul>
<p>

<li>Improved hardware support, including:
    <ul>
    <li>New <a href="http://man.openbsd.org/acpials.4">acpials(4)</a>
        driver for ACPI ambient light sensor devices.
    <li>New <a href="http://man.openbsd.org/acpihve.4">acpihve(4)</a>
        driver for feeding Hyper-V entropy into the kernel pool.
    <li>New <a href="http://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
        driver for ACPI Smart Battery devices.
    <li>New <a href="http://man.openbsd.org/dwge.4">dwge(4)</a>
        driver for Designware GMAC 10/100/Gigabit Ethernet devices.
    <li>New <a href="http://man.openbsd.org/loongson/htb.4">htb(4)</a>
        driver for Loongson 3A PCI host bridges.
    <li>New <a href="http://man.openbsd.org/hvn.4">hvn(4)</a>
        driver for Hyper-V networking interfaces.
    <li>New <a href="http://man.openbsd.org/hyperv.4">hyperv(4)</a>
        driver for the Hyper-V guest nexus device.
    <li>New <a href="http://man.openbsd.org/iatp.4">iatp(4)</a>
        driver for the Atmel maXTouch touchpad and touchscreen.
    <li>New <a href="http://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
        driver for Freescale i.MX6 temperature sensors.
    <li>New <a href="http://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
        driver for the Loongson 3A low-end IO controller.
    <li>New <a href="http://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
        driver for the OCTEON MMC host controller.
    <li>New <a href="http://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
        driver for OMAP pin multiplexing.
    <li>New <a href="http://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
        driver for OMAP wake-up generators.
    <li>New <a href="http://man.openbsd.org/armv7/psci.4">psci(4)</a>
        driver for the ARM Power State Coordination Interface.
    <li>New <a href="http://man.openbsd.org/simplefb.4">simplefb(4)</a>
        driver for the simple frame buffer on systems
        using a device tree.
    <li>New <a href="http://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
        driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
    <li>New <a href="http://man.openbsd.org/tpm.4">tpm(4)</a>
        driver for Trusted Platform Module devices.
    <li>New <a href="http://man.openbsd.org/uwacom.4">uwacom(4)</a>
        driver for Wacom USB tablets.
    <li>New <a href="http://man.openbsd.org/vmmci.4">vmmci(4)</a>
        VMM control interface.
    <li>New <a href="http://man.openbsd.org/xbf.4">xbf(4)</a>
        driver for Xen Blkfront virtual disks.
    <li>New <a href="http://man.openbsd.org/luna88k/xp.4">xp(4)</a>
        driver for the LUNA-88K HD647180X I/O processor.
    <li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
	has been added to the
	<a href="http://man.openbsd.org/?query=em">em(4)</a> driver.
    <li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
	has been added to the
	<a href="http://man.openbsd.org/?query=ure">ure(4)</a> driver.
    <li>Improved ACPI support for modern Apple hardware, including S3 suspend
	and resume.
    <li>Support for X550 family of 10 Gigabit Ethernet based devices
	has been added to the
	<a href="http://man.openbsd.org/?query=ix">ix(4)</a> driver.
    </ul>
<p>

<li>IEEE 802.11 wireless stack improvements:
    <ul>
    <li>The <a href="http://man.openbsd.org/ral.4">ral(4)</a> driver
        now supports Ralink RT3900E (RT5390, RT3292) devices.
    <li>The <a href="http://man.openbsd.org/iwm.4">iwm(4)</a> and
        <a href="http://man.openbsd.org/iwn.4">iwn(4)</a> drivers
        now support the short guard interval (SGI) in 11n mode.
    <li>Added a new implementation of MiRa, a rate adaptation algorithm
        designed for 802.11n.
    <li>The <a href="http://man.openbsd.org/iwm.4">iwm(4)</a> driver
        now supports 802.11n MIMO (MCS 0-15).
    <li>The <a href="http://man.openbsd.org/athn.4">athn(4)</a> driver
        now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
    <li>The <a href="http://man.openbsd.org/iwn.4">iwn(4)</a> driver
        now receives MIMO frames in monitor mode.
    <li>The <a href="http://man.openbsd.org/rtwn.4">rtwn(4)</a> and
        <a href="http://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
	now use AMRR rate adaptation (8188EU and 8188CE devices only).
    <li>TKIP/WPA1 was disabled by default because of inherent weaknesses
        in this protocol.
    </ul>
<p>

<li>Generic network stack improvements:
    <ul>
    <li>New <a href="http://man.openbsd.org/switch.4">switch(4)</a>
        pseudo-device together with new
        <a href="http://man.openbsd.org/switchd.8">switchd(8)</a> and
        <a href="http://man.openbsd.org/switchctl.8">switchctl(8)</a>
        programs.
    <li>New <a href="http://man.openbsd.org/mobileip.4">mobileip(4)</a>
        operation mode for the
        <a href="http://man.openbsd.org/gre.4">gre(4)</a>
        pseudo-device.
    <li>Multipoint-to-multipoint mode in
        <a href="http://man.openbsd.org/vxlan.4">vxlan(4)</a>.
    <li><a href="http://man.openbsd.org/route.8">route(8)</a>
	and netstat -r display all routing flags correctly and they
	are completely documented in the
	<a href="http://man.openbsd.org/netstat.1">netstat(1)</a>
	man page.
    <li>Data sent on TCP streams is now stored locally in large
	mbuf clusters to improve memory management.
	The maximum TCP send and receive buffer size has been
	increased from 256KB to 2MB.
	Note that this results in a different
	<a href="http://man.openbsd.org/pf.4">pf(4)</a>
	OS fingerprint for OpenBSD.
	The default limit for mbuf clusters has been increased.
	You can check the values with
	<a href="http://man.openbsd.org/netstat.1">netstat(1)</a>
	-m and adjust them with
	<a href="http://man.openbsd.org/sysctl.8">sysctl(8)</a>
	kern.maxclusters.
    <li>Make the TCP_NOPUSH flag work for
	<a href="http://man.openbsd.org/listen.2">listen(2)</a>
	sockets.
	It is inherited by the socket returned from
	<a href="http://man.openbsd.org/accept.2">accept(2)</a>.
    <li>A lot of code has been removed or simplified to make the
	transition to multi-processor easier.
	Redesign the interrupt and multi-processor locks in the
	network stack.
    <li>When passing packets from the network stack to the
	interface layer, make sure that they have no pointers to
	<a href="http://man.openbsd.org/pf.4">pf(4)</a>
	which could result in a memory free operation at the wrong
	protection level.
    <li>Fix checksum calculation in
	<a href="http://man.openbsd.org/pf.4">pf(4)</a>
	af-to ICMP packet conversions.
	Simplify af-to processing and fix path MTU discovery in
	some corner cases.
    <li>Improve IPv6 fragment processing.
	Drop empty atomic fragments early.
	Be more paranoid when IPv6 hop-by-hop headers appear after
	fragment headers.
	Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
	more strictly in
	<a href="http://man.openbsd.org/pf.4">pf(4)</a>.
	RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
	generating atomic fragments, so do not send them anymore.
    <li>Depending on the addresses,
	<a href="http://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
	may automatically group SA bundles together.
	To make clear what is going on, the kernel provides this
	information and ipsecctl -s sa prints IPsec SA bundles.
    <li>A new routing socket message type, RTM_PROPOSAL, was added to
	facilitate future improvements to the network configuration process.
    </ul>
<p>

<li>Installer improvements:
    <ul>
    <li>The installer now uses privilege separation for fetching and
        verifying the install sets.
    <li>Install sets are now fetched over an HTTPS connection by default
        when using a <a href="ftp.html">mirror</a> that supports it.
    <li>The installer now considers all of the DHCP information in filename,
	bootfile-name, server-name, tftp-server-name, and next-server when
	attempting to do automatic installs or upgrades.
    <li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
	to improvements in the kernel routing components.
    </ul>
<p>

<li>Routing daemons and other userland network improvements:
    <ul>
    <li><a href="http://man.openbsd.org/ping.8">ping(8)</a> and
        <a href="http://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
        binary and share the engine.
    <li><a href="http://man.openbsd.org/ripd.8">ripd(8)</a> now supports
        p2p links with addresses in different subnets.
    <li>UDP speakers can specify an IPv4 source address using
        <tt>IP_SENDSRCADDR</tt>.
        <a href="http://man.openbsd.org/iked.8">iked(8)</a>
        and <a href="http://man.openbsd.org/snmpd.8">snmpd(8)</a> now
        use the proper source address when sending replies.
    <li><a href="http://man.openbsd.org/snmpd.8">snmpd(8)</a> now
        supports multiple listening sockets.
    <li><a href="http://man.openbsd.org/ospfd.8">ospfd(8)</a> and
        <a href="http://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
        with interface MTU change at runtime.
    <li><a href="http://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
        BGP Large Communities
        (<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
    <li><a href="http://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
        BGP Administrative Shutdown Communication
        (<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
    </ul>
<p>

<li>Security improvements:
    <ul>
    <li>Enforcement of userland W^X on OCTEON Plus and later.
    <li>All shared libraries, all dynamic and static-PIE executables, and
	<a href="http://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
	the RELRO ("read-only after relocation") design such that
	more of the initial data is protected as read-only.
    <li>The size of user virtual address space has been increased
        from 2GB to 1TB on mips64.
    <li>PIE and -static -pie on arm (XXX someone please explain this better).
    <li><a href="http://man.openbsd.org/route6d.8">route6d(8)</a> now
        runs with fewer privileges.
    <li>For incoming TLS connections
	<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	can validate client certificates with a given CA file.
    <li>The privileged parent process of
	<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	calls
	<a href="http://man.openbsd.org/execve.2">exec(2)</a>
	to reshuffle its random memory layout.
    <li>New function
        <a href="http://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
        to reduce the risk of incorrect clearing of memory before and after
        <a href="http://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
    <li><a href="http://man.openbsd.org/sha2.3">SHA512_256</a> family
	of functions added to libc.
    <li>arm added to the list of archs where the
	<a href="http://man.openbsd.org/setjmp.3">setjmp(3)</a>
	family of functions apply XOR cookies to stack and return-address
	values in the jmpbuf.
    <li><a href="http://man.openbsd.org/printf.3">printf(3)</a> family
        of formatting functions now report to syslog when the %s
        format is used with a NULL pointer.
    <li>Heap buffer overflow detection has been improved when the C
	<a href="http://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
	The existing S option now includes C.
    <li>Support for permitting non-root users to
	<a href="http://man.openbsd.org/mount.8">mount(8)</a> filesystems
	has been removed.
    </ul>
<p>

<li><a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a>/
    <a href="http://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
    <a href="http://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
    <ul>
    <li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
    <li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
    <li>Stop leaking option data received on the udp socket.
    <li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
    <li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
    <li>Use only leases from no SSID or the current SSID when restarting.
    <li>Reduce default values for various timeouts to something more
	    appropriate to modern networks.
    <li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
    <li>Switch to standard logging functions
    <li>Fix vis/unvis of strings in
	<a href="http://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
    </ul>

<p>
<li>New <a href="http://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
    <a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
    <ul>
    <li>Support for amd64 and i386 hosts
    <li>BIOS payload provided via vmm-firmware, delivered via
        <a href="http://man.openbsd.org/fw_update.1">fw_update(1)</a>
    <li>Support for Linux guest VMs
    <li>Better interrupt handling and legacy device emulation
    <li><a href="http://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
        requires VMX unrestricted guest capability (Nehalem and later CPUs
        are sufficient)
    <li>Removed bounce buffers previously used by
        <a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
        <a href="http://man.openbsd.org/vio.4">vio(4)</a> and
        <a href="http://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
    <li>Support VMs with &gt; 2GB RAM
    <li><a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses 
        <a href="http://man.openbsd.org/pledge.2">pledge(2)</a> and the
        fork+exec model
    <li><a href="http://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
        expanded to include VM ownership rules (uid/gid)
    <li><a href="http://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
        <a href="http://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
        supports automatic
        <a href="http://man.openbsd.org/bridge.4">bridge(4)</a> and
        <a href="http://man.openbsd.org/switch.4">switch(4)</a> configuration
        for VM network interfaces
    <li><a href="http://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
        graceful VM shutdown via
        <a href="http://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>
    </ul>
<p>

<li>Assorted improvements:
    <ul>
    <li>New <a href="http://man.openbsd.org/syspatch.8">syspatch(8)</a>
        utility for security and reliability binary updates to the base
        system.
    <li><a href="http://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
        privilege separated Automatic Certificate Management Environment
        (ACME) client written by Kristaps Dzonsons has been imported.
    <li>New, simplified
        <a href="http://man.openbsd.org/xenodm.1">xenodm(1)</a>
        X11 display manager forked from
        <a href="http://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
    <li>Unicode version 8 character properties in the C library.
    <li>Partial UTF-8 line editing support for
        <a href="http://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
    <li>UTF-8 support in
        <a href="http://man.openbsd.org/column.1">column(1)</a>.
    <li>The performance and concurrency of the
	<a href="http://man.openbsd.org/malloc.3">malloc(3)</a> family
	in multi-threaded processes has been improved.
    <li>Estonian keyboard support.
    <li><a href="http://man.openbsd.org/read.2">read(2)</a> on
        directories now fails instead of returning 0.
    <li>Support for the <tt>RES_USE_EDNS0</tt> and <tt>RES_USE_DNSSEC</tt>
        flags has been added to the
        <a href="http://man.openbsd.org/resolver.3">resolver(3)</a>
        implementation.
    <li><a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	limits the socket buffer for TCP and TLS connections to 64K
	to avoid wasting kernel memory.
    <li><a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	supports the option -Z to print the timestamp in RFC 5424
	ISO format.
	This logs everything in UTC including the year, timezone
	and fractions of seconds.
	The default is still RFC 3164 BSD syslog time format.
    <li>The
	<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	options -a, -T, and -U can be given more than once to specify
	multiple input sources.
    <li>Improve the
	<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	output and diagnostics in case the klog buffer
	overflows.
    <li>Make SIGHUP handling in
	<a href="http://man.openbsd.org/syslogd.8">syslogd(8)</a>
	more reliable.
    <li>An NMI sends the amd64 kernel into
	<a href="http://man.openbsd.org/ddb.4">ddb(4)</a>
	more reliably.
    <li><a href="http://man.openbsd.org/ld.so.1">ld.so(1)</a> now
	supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
	and DT_RUNPATH dynamic tags.
    <li><a href="http://man.openbsd.org/kdump.1">kdump(1)</a>
	now dumps the fds returned by
	<a href="http://man.openbsd.org/pipe.2">pipe(2)</a> and
	<a href="http://man.openbsd.org/socketpair.2">socketpair(2)</a>.
    <li>Added support to <a href="http://man.openbsd.org/doas.1">doas(1)</a>
	for session-locked persistent authentication.
    <li>Use a hardware register for the thread pointer on arm for improved
	performance in multi-threaded processes.
    <li>SGI boot blocks now consult the OpenBSD
	<a href="http://man.openbsd.org/disklabel.5">disklabel(5)</a>
	to locate the root filesystem.
	This reduces constraints on disk partitioning.
    <li><a href="http://man.openbsd.org/iec.4">iec(4)</a>
	no longer hangs when its transmit ring gets full.
    <li><a href="http://man.openbsd.org/sq.4">sq(4)</a>
	has been fixed to accept broadcast frames in non-promiscuous mode
	when no IP address is configured.
	This lets the interface work with DHCP.
    <li>Multiprocessor-safe PCI interrupt handlers are run
	without the kernel lock on OpenBSD/sgi.
    <li><a href="http://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
	sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
    <li><a href="http://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
	current MBR or GPT format when initializing a disk.
    <li><a href="http://man.openbsd.org/softraid.4">softraid(4)</a> now uses
	    sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
    <li><a href="http://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
	    packets of up to 4096 bytes to account for broken DNS servers.
    <li><a href="http://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
	    that ATAPI or UFI devices have only 1 LUN.
    <li><a href="http://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
	    detects end of tape on LTO5 devices.
    <li><a href="http://man.openbsd.org/httpd.8">httpd(8)</a> supports
	   SNI
	   via <a href="http://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
	   to allow for multiple https sites on a single IP address.
    <li><a href="http://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
    has been added, and can be used to check the OCSP status of
    certificates. The corresponding responses can be saved for later use in OCSP stapling.
    <li><a href="http://man.openbsd.org/httpd.8">httpd(8)</a> supports
	   OCSP stapling
	   via <a href="http://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
	   to permit OCSP responses to be stapled to the TLS handshake.
    <li><a href="http://man.openbsd.org/nc.1">nc(1)</a> now also
      supports OCSP stapling server side, and will show the stapling information
      client side. 
    <li>Both <a href="http://man.openbsd.org/relayd.8">relayd(8)</a> and
	<a href="http://man.openbsd.org/httpd.8">httpd(8)</a> now support
	TLS session resumption using TLS session tickets.
	See the respective configuration man page for more information.
    </ul>
<p>

<li>OpenSMTPD 6.0.0
    <ul>
    <li>...
    </ul>
<p>

<li>OpenSSH 7.4
    <ul>
    <li>...
    </ul>
<p>

<li>LibreSSL 2.5.3
  <ul>
    
  <li> libtls now supports ALPN and SNI

  <li> libtls adds a new callback interface for integrating custom IO
    functions. Thanks to Tobias Pape.

  <li> libtls now handles 4 cipher suite groups:
    <ul>
      <li> "secure" (TLSv1.2+AEAD+PFS)
      <li> "compat" (HIGH:!aNULL)
      <li> "legacy" (HIGH:MEDIUM:!aNULL)
      <li> "insecure" (ALL:!aNULL:!eNULL)
    </ul> 
      This allows for flexibility and finer grained control, rather than
      having two extremes (an issue raised by Marko Kreen some time ago).

  <li> Tightened error handling for tls_config_set_ciphers().

  <li> libtls now always loads CA, key and certificate files at the time the
    configuration function is called. This simplifies code and results in
    a single memory based code path being used to provide data to libssl.

  <li> Add support for OCSP intermediate certificates.

  <li> Added functions used by stunnel and exim from BoringSSL - this
    brings in X509_check_host, X509_check_email, X509_check_ip, and
    X509_check_ip_asc.

  <li> Added initial support for iOS, thanks to Jacob Berkman.

  <li> Improved behavior of arc4random on Windows when using memory leak
    analysis software.

  <li> Correctly handle an EOF that occurs prior to the TLS handshake
    completing. Reported by Vasily Kolobkov, based on a diff from Marko
    Kreen.

  <li> Limit the support of the "backward compatible" ssl2 handshake to
    only be used if TLS 1.0 is enabled.

  <li> Fixed BN_mod_word() returning incorrect results in certain cases
    on 64-bit systems. BN_mod_word() now can
    return an error condition. Thanks to Brian Smith.

  <li> Added constant-time updates to address CVE-2016-0702

  <li> Fixed undefined behavior in BN_GF2m_mod_arr()

  <li> Removed unused Cryptographic Message Support (CMS)

 <li> More conversions of long long idioms to time_t

 <li> Improved compatibility by avoiding printing NULL strings with
  printf.

 <li> Reverted change that cleans up the EVP cipher context in
    EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
    previous behaviour.

 <li> Avoid unbounded memory growth in libssl, which can be triggered
    by a TLS client repeatedly renegotiating and sending OCSP Status
    Request TLS extensions.

 <li> Avoid falling back to a weak digest for (EC)DH when using SNI
  with libssl.

 <li> X509_cmp_time() now passes a malformed GeneralizedTime field as
     an error. Reported by Theofilos Petsios.

 <li> Detect zero-length encrypted session data early, instead of when
     malloc(0) fails or the HMAC check fails. Noted independently by
     jsing@ and Kurt Cancemi.

 <li> Check for and handle failure of HMAC_{Update,Final} or
    EVP_DecryptUpdate().

 <li> Massive update and normalization of manpages, conversion to
    mandoc format. Many pages were rewritten for clarity and accuracy.
    Portable doc links are up-to-date with a new conversion tool.

 <li> Curve25519 Key Exchange support.

 <li> Support for alternate chains for certificate verification.

 <li> Code cleanups, CBB conversions, further unification of DTLS/SSL
      handshake code, further ASN1 macro expansion and removal.

 <li> Private symbols are now hidden in libssl and libcrypto.

 <li> Friendly certificate verification error messages in libtls, peer
    verification is now always enabled.

 <li> Added OCSP stapling support to libtls and nc.

 <li> Added ocspcheck utility to validate a certificate against its OCSP
      responder and save the reply for stapling

 <li> Enhanced regression tests and error handling for libtls.

 <li> Added explicit constant and non-constant time BN functions,
      defaulting to constant time wherever possible.

 <li> Moved many leaked implementation details in public structs behind
      opaque pointers.

 <li> Added ticket support to libtls.

 <li> Added support for setting the supported EC curves via
      SSL{_CTX}_set1_groups{_list}() - also provide defines for the
      previous SSL{_CTX}_set1_curves{_list} names. This also changes
      the default list of curves to be X25519, P-256 and P-384. All
      other curves must be manually enabled.

 <li> Added -groups option to openssl(1) s_client for specifying the
      curves to be used in a colon-separated list.

 <li> Merged client/server version negotiation code paths into one,
      reducing much duplicate code.

 <li> Removed error function codes from libssl and libcrypto.

 <li> Fixed an issue where a truncated packet could cause a crash via
 an out-of-bounds (OOB) read.

 <li> Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
      client-initiated renegotiation. This is the default for libtls
      servers.

 <li> Avoid a side-channel cache-timing attack that can leak the ECDSA
      private keys when signing. This is due to BN_mod_inverse() being
      used without the constant time flag being set. Reported by Cesar
      Pereida Garcia and Billy Brumley (Tampere University of
      Technology).  The fix was developed by Cesar Pereida Garcia.

 <li> iOS and MacOS compatibility updates from Simone Basso and Jacob
      Berkman.
  
 <li> Added the recallocarray(3) memory allocation function, and
      converted various places in the library to use it, such as CBB
      and BUF_MEM_grow.  recallocarray(3) is similar to
      reallocarray. Newly allocated memory is cleared similar to
      calloc(3). Memory that becomes unallocated while shrinking or
      moving existing allocations is explicitly discarded by unmapping
      or clearing to 0.

 <li> Added new root CAs from SECOM Trust Systems / Security
      Communication of Japan.

 <li> Added EVP interface for MD5+SHA1 hashes.

 <li> Fixed DTLS client failures when the server sends a certificate
      request.

 <li> Correct handling of padding when upgrading an SSLv2 challenge
      into an SSLv3/TLS connection.

 <li> Allow protocols and ciphers to be set on a TLS config object in
      libtls.

 <li> Improved nc(1) TLS handshake CPU usage and server-side error
   reporting.

 <li> Add a constant time version of BN_gcd and use it by default for
   BN_gcd to avoid the possibility of side-channel timing attacks
   against RSA private key generation. Thanks to Alejandro
   Cabrera &lt;aldaya@gmail.com&gt;

 </ul>
<p>

<li>mandoc 1.14.1
    <ul>
    <li>New <a href="http://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
        file format: <a href="http://man.openbsd.org/man.1">man(1)</a>,
        <a href="http://man.openbsd.org/apropos.1">apropos(1)</a>, and
        <a href="http://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
        no longer need SQLite3.
    <li>Much improved HTML output and CSS.
    <li>In <a href="http://man.openbsd.org/man.1">man(1)</a>, internal
        searching with <a href="http://man.openbsd.org/less.1">less(1)</a>
        <code>:t</code> has been improved.
    <li>New <a href="http://man.openbsd.org/mandoc.1">mandoc(1)</a>
        <code>-mdoc -T markdown</code> output mode
        (already a post-1.14.1 feature).
    </ul>
<p>

<li>Ports and packages:
    <dl>
    <dt>Many pre-built packages for each architecture:
    </dl>
    <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
    <table border=0 cellspacing=0 cellpadding=2 width="95%">
    <tr>
    <td valign="top" width="25%">
    <ul>
      <li>alpha:      XXXX
      <li>amd64:      XXXX
      <li>arm:        XXXX
    </ul></td><td valign=top width="25%"><ul>
      <li>hppa:       XXXX
      <li>i386:       XXXX
      <li>mips64:     XXXX
    </ul></td><td valign=top width="25%"><ul>
      <li>mips64el:   XXXX
      <li>powerpc:    XXXX
      <li>sparc64:    XXXX
    </ul></td></tr></table>
    <p>

    <dl>
    <dt>Some highlights:
    </dl>
    <table border=0 cellspacing=0 cellpadding=2 width="95%">
    <tr>
    <td valign="top" width="50%"><ul>
	<li>AFL 2.39b
	<li>Chromium 57.0.2987.133
	<li>Emacs 21.4 and 25.1
	<li>GCC 4.9.4
	<li>GHC 7.10.3
	<li>Gimp 2.8.18
	<li>GNOME 3.22.2
	<li>Go 1.8
	<li>Groff 1.22.3
	<li>JDK 7u80 and 8u121
	<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
	<li>LLVM/Clang 4.0.0
	<li>LibreOffice 5.2.4.2
	<li>Lua 5.1.5, 5.2.4, and 5.3.4
	<li>MariaDB 10.0.30
	<li>Mono 4.6.2.6
	<li>Mozilla Firefox 52.0.2esr and 52.0.2
	<li>Mozilla Thunderbird 45.8.0
    </ul></td><td valign=top width="50%"><ul>
	<li>Mutt 1.8.0
	<li>Node.js 6.10.1
	<li>Ocaml 4.03.0
	<li>OpenLDAP 2.3.43 and 2.4.44
	<li>PHP 5.5.38, 5.6.30, and 7.0.16
	<li>Postfix 3.2.0 and 3.3-20170218
	<li>PostgreSQL 9.6.2
	<li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
	<li>R 3.3.3
	<li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
	<li>Rust 1.16.0
	<li>Sendmail 8.15.2
	<li>SQLite3 3.17.0
	<li>Sudo 1.8.19.2
	<li>Tcl/Tk 8.5.18 and 8.6.4
	<li>TeX Live 2015
	<li>Vim 8.0.0388
	<li>Xfce 4.12
    </ul></td></tr></table>
<p>

<li>As usual, steady improvements in manual pages and other documentation.
<p>

<li>The system includes the following major components from outside suppliers:
    <ul>
    <li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
      freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
      xkeyboard-config 2.20 and more)
    <li>LLVM/Clang 4.0.0 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.24.1 (+ patches)
    <li>NSD 4.1.15
    <li>Unbound 1.6.1
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk Aug 10, 2011 version
    <li>Expat 2.1.1
    </ul>
</ul>

<hr>

<h3 id="install"><font color="#0000e0">How to install</font></h3>

Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.1 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
	.../OpenBSD/6.1/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
	.../OpenBSD/6.1/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
	.../OpenBSD/6.1/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
	.../OpenBSD/6.1/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
	.../OpenBSD/6.1/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
	.../OpenBSD/6.1/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
	.../OpenBSD/6.1/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
	.../OpenBSD/6.1/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
	.../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
	.../OpenBSD/6.1/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
	.../OpenBSD/6.1/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
	.../OpenBSD/6.1/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
	.../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
</ul>

<hr>

<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="http://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3><font color="#e00000">OpenBSD/alpha:</font></h3>

<ul style="list-style-type: none">
<li>
Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.
<p>
<li>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
</ul>

<h3><font color="#e00000">OpenBSD/amd64:</font></h3>

<ul style="list-style-type: none">
<li>
If your machine can boot from CD, you can write <i>install61.iso</i> or
<i>cd61.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
<li>
If your machine can boot from USB, you can write <i>install61.fs</i> or
<i>miniroot61.fs</i> to a USB stick and boot from it.
<p>
<li>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
<li>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
</ul>

<h3><font color="#e00000">OpenBSD/arm64:</font></h3>

<ul style="list-style-type: none">
<li>
Write <i>miniroot61.fs</i> to a disk and boot from it after connecting
to the serial console.  Refer to INSTALL.arm64 for more details.
<p>
</ul>

<h3><font color="#e00000">OpenBSD/armv7:</font></h3>

<ul style="list-style-type: none">
<li>
Write a system-specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.
<p>
</ul>

<h3><font color="#e00000">OpenBSD/hppa:</font></h3>

<ul style="list-style-type: none">
<li>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
</ul>

<h3><font color="#e00000">OpenBSD/i386:</font></h3>

<ul style="list-style-type: none">
<li>
If your machine can boot from CD, you can write <i>install61.iso</i> or
<i>cd61.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
<li>
If your machine can boot from USB, you can write <i>install61.fs</i> or
<i>miniroot61.fs</i> to a USB stick and boot from it.
<p>
<li>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
<li>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
</ul>

<h3><font color="#e00000">OpenBSD/landisk:</font></h3>

<ul style="list-style-type: none">
<li>
Write <i>miniroot61.fs</i> to the start of the CF
or disk, and boot normally.
</ul>

<h3><font color="#e00000">OpenBSD/loongson:</font></h3>

<ul style="list-style-type: none">
<li>
Write <i>miniroot61.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
</ul>

<h3><font color="#e00000">OpenBSD/luna88k:</font></h3>

<ul style="list-style-type: none">
<li>
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
</ul>

<h3><font color="#e00000">OpenBSD/macppc:</font></h3>

<ul style="list-style-type: none">
<li>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.
<p>
<li>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.1/macppc/bsd.rd</i>
</ul>

<h3><font color="#e00000">OpenBSD/octeon:</font></h3>

<ul style="list-style-type: none">
<li>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
</ul>

<h3><font color="#e00000">OpenBSD/sgi:</font></h3>

<ul style="list-style-type: none">
<li>
To install, burn cd61.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.

<p>
<li>
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
</ul>

<h3><font color="#e00000">OpenBSD/sparc64:</font></h3>

<ul style="list-style-type: none">
<li>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.
<p>
<li>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy61.fs</i> or <i>floppyB61.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
<li>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
<li>
You can also write <i>miniroot61.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
<li>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</ul>

<hr>

<h3 id="upgrade"><font color="#0000e0">How to upgrade</font></h3>

If you already have an OpenBSD 6.0 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade61.html">Upgrade Guide</a>.
<p>

<hr>

<h3 id="sourcecode"><font color="#0000e0">Notes about the source code</font></h3>

<tt>src.tar.gz</tt> contains a source archive starting at <tt>/usr/src</tt>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:

<blockquote><pre>
# <b>mkdir -p /usr/src</b>
# <b>cd /usr/src</b>
# <b>tar xvfz /tmp/src.tar.gz</b>
</pre></blockquote>

<tt>sys.tar.gz</tt> contains a source archive starting at <tt>/usr/src/sys</tt>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:

<blockquote><pre>
# <b>mkdir -p /usr/src/sys</b>
# <b>cd /usr/src</b>
# <b>tar xvfz /tmp/sys.tar.gz</b>
</pre></blockquote>

Both of these trees are regular CVS checkouts.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
<p>

<hr>

<h3 id="ports"><font color="#0000e0">Ports Tree</font></h3>

A ports tree archive is also provided.  To extract:

<blockquote><pre>
# <b>cd /usr</b>
# <b>tar xvfz /tmp/ports.tar.gz</b>
</pre></blockquote>
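<p>
The source and ports archives are extracted as root, so verify them against the
release key first. The shell functions below are an added example, not part of
the OpenBSD release notes: <tt>verify_archive</tt> wraps signify(1), and
<tt>check_listed</tt> shows the checksum-list comparison on its own. The key path
<tt>/etc/signify/openbsd-61-base.pub</tt>, the <tt>/tmp/SHA256.sig</tt> location
and all function names are assumptions.

```shell
# Added example. Assumed locations, not from the page:
#   /etc/signify/openbsd-61-base.pub (release key), /tmp/SHA256.sig (signed list)

# Print the hex SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    fi
}

# check_listed LIST FILE
# Compare FILE with its "SHA256 (name) = hex" line in LIST.
# Returns 0 on match, 1 on mismatch, 2 if FILE is not listed exactly once.
check_listed() {
    cl_name=${2##*/}
    cl_want=$(awk -v n="($cl_name)" '$1 == "SHA256" && $2 == n { print $4 }' "$1")
    case $cl_want in
        ''|*[!0-9a-f]*) echo "$cl_name: no usable entry in $1" >&2; return 2 ;;
    esac
    [ "$(sha256_of "$2")" = "$cl_want" ] && return 0
    echo "$cl_name: checksum mismatch, do not extract" >&2
    return 1
}

# verify_archive PUBKEY SIGFILE ARCHIVE   (PUBKEY and SIGFILE as absolute paths)
# signify -C checks the signature on the list, then the archive's checksum.
verify_archive() {
    command -v signify >/dev/null 2>&1 || { echo "signify not found" >&2; return 3; }
    ( cd "$(dirname "$3")" && signify -C -p "$1" -x "$2" "$(basename "$3")" )
}

# Extract only after verification, for example:
#   verify_archive /etc/signify/openbsd-61-base.pub /tmp/SHA256.sig /tmp/ports.tar.gz &&
#       (cd /usr && tar xzf /tmp/ports.tar.gz)

# Self-check on constructed data: an intact file passes, a modified one fails.
selfcheck() {
    sc_dir=$(mktemp -d) || return 1
    printf 'constructed sample archive\n' > "$sc_dir/src.tar.gz"
    printf 'SHA256 (src.tar.gz) = %s\n' "$(sha256_of "$sc_dir/src.tar.gz")" > "$sc_dir/SHA256"
    check_listed "$sc_dir/SHA256" "$sc_dir/src.tar.gz"; sc_ok=$?
    printf 'tampered\n' >> "$sc_dir/src.tar.gz"
    check_listed "$sc_dir/SHA256" "$sc_dir/src.tar.gz" 2>/dev/null; sc_bad=$?
    rm -rf "$sc_dir"
    [ "$sc_ok" -eq 0 ] && [ "$sc_bad" -eq 1 ]
}
```

<tt>check_listed</tt> is only meaningful on a list whose signature has already
been verified; on its own an unsigned checksum proves nothing about origin.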

Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the <i>-stable</i> branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:

<blockquote><pre>
# <b>cd /usr/ports</b>
# <b>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_1</b>
</pre></blockquote>

[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.1 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to start.
<p>
</body>
</html>