version 1.57, 2017/10/06 14:34:35 |
version 1.58, 2017/10/06 15:59:44 |
|
|
receiving a number of packets. |
receiving a number of packets. |
This allows to send a UDP request, receive a reply and check |
This allows to send a UDP request, receive a reply and check |
the result on the command line. |
the result on the command line. |
|
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a> |
|
now has a -Z option, allowing the peer certificate and chain to be |
|
saved to a file in PEM format. |
|
<li>A new "-T tlscompat" option was added to |
|
<a href="https://man.openbsd.org/nc.1">nc(1)</a>, which enables the use |
|
of all TLS protocols and libtls "compat" ciphers. |
<li>Fix a bunch of races in |
<li>Fix a bunch of races in |
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a> |
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a> |
expecially in HTTP chunked mode. |
expecially in HTTP chunked mode. |
|
|
</ul> |
</ul> |
<p> |
<p> |
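Review bot: The two added nc(1) items format their options inconsistently: the second quotes its option ("-T tlscompat") while the first writes -Z bare, so pick one convention for both. The "-T tlscompat" item says it enables "all TLS protocols and libtls "compat" ciphers", which implies the default set is narrower, but it does not say so. A few words stating that this is a compatibility setting rather than the default would keep readers from treating it as a recommended option. In the unchanged relayd(8) item just below, "expecially" should read "especially" and could be fixed in the same commit.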
|
|
<li>LibreSSL X.X.X |
<li>LibreSSL 2.6.3 |
<ul> |
<ul> |
<li>... |
<li>Reworked TLS certificate name verification code to more strictly |
|
follow RFC 6125. |
|
<li>Cleaned up and simplified server key exchange EC point handling. |
|
<li>Removed inconsistent IPv6 handling from BIO_get_accept_socket(), |
|
simplified BIO_get_host_ip() and BIO_accept(). |
|
<li>Added definitions for three OIDs used in EV certificates. |
|
<li>Relaxed SNI validation to allow non-RFC-compliant clients using literal |
|
IP addresses with SNI to connect to a libtls-based TLS server. |
|
<li>Added tls_peer_cert_chain_pem() to libtls, useful in private certificate |
|
validation callbacks such as those in relayd. |
|
<li>Converted explicit clear/free sequences to use |
|
<a href="https://man.openbsd.org/freezero.3">freezero(3)</a>. |
|
<li>Fixed the |
|
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
|
ca command so that is generates certificates with RFC 5280-conformant time. |
|
<li>Added |
|
<a href="https://man.openbsd.org/ASN1_TIME_set_tm.3">ASN1_TIME_set_tm(3)</a> |
|
to set an ASN.1 time from a struct tm *. |
|
<li>Added |
|
<a href="https://man.openbsd.org/SSL_CTX_set_min_proto_version.3">SSL{,_CTX}_set_{min,max}_proto_version(3)</a> |
|
functions. |
|
<li>Imported HKDF (HMAC Key Derivation Function) from BoringSSL. |
|
<li>Provided a |
|
<a href="https://man.openbsd.org/tls_unload_file.3">tls_unload_file(3)</a> |
|
function that frees the memory returned from a |
|
<a href="https://man.openbsd.org/tls_load_file.3">tls_load_file(3)</a> |
|
call, ensuring that it the contents become inaccessible. |
|
<li>Implemented reference counting for libtls tls_config, allowing |
|
<a href="https://man.openbsd.org/tls_config_free.3">tls_config_free(3)</a> |
|
to be called as soon as it has been passed to the final |
|
<a href="https://man.openbsd.org/tls_configure.3">tls_configure(3)</a> |
|
call, simplifying lifetime tracking for the application. |
|
<li>Dropped cipher suites using DSS authentication. |
|
<li>Removed support for DSS/DSA from libssl. |
|
<li>Distinguish between self-issued certificates and self-signed |
|
certificates. The certificate verification code has special cases |
|
for self-signed certificates and without this change, self-issued |
|
certificates (which it seems are common place with |
|
openvpn/easyrsa) were also being included in this category. |
|
<li>Added a new TLS extension handling framework and converted all |
|
TLS extensions to use it. |
|
<li>Improved and added many new manpages. Updated |
|
<a href="https://man.openbsd.org/SSL_CTX_check_private_key.3">SSL_{CTX_,}check_private_key(3)</a> |
|
manpages with additional cautions regarding their use. |
|
<li>Cleaned up and simplified EC key/curve configuration handling. |
|
<li>Added |
|
<a href="https://man.openbsd.org/tls_config_set_ecdhecurves.3">tls_config_set_ecdhecurves(3)</a> |
|
to libtls, which allows the names of the elliptical curves that may |
|
be used during client and server key exchange to be specified. |
|
<li>Converted more code paths to use CBB/CBS. |
|
<li>Removed NPN support - NPN was never standardised and the last draft |
|
expired in October 2012. |
|
<li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken |
|
CryptoPro clients. |
|
<li>Removed support for the TLS padding extension, which was added as a |
|
workaround for an old bug in F5's TLS termintation. |
|
<li>Added ability to clamp notafter valies in certificates for systems |
|
with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. |
|
<li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites. |
|
<li>Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. |
|
<li>Provide a useful error with libtls if there are no OCSP URLs in a |
|
peer certificate. |
|
<li>Keep track of which keypair is in use by a TLS context, fixing a bug |
|
where a TLS server with SNI would only return the OCSP staple for the |
|
default keypair. |
|
<li>If |
|
<a href="https://man.openbsd.org/tls_config_parse_protocols.3">tls_config_parse_protocols(3)</a> |
|
is called with a NULL pointer it now |
|
returns the default protocols. |
</ul> |
</ul> |
<p> |
<p> |
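Review bot: Several of the added LibreSSL 2.6.3 items carry typos that would ship in the release notes. In the openssl(1) ca item, "so that is generates" should be "so that it generates". In the tls_unload_file(3) item, "ensuring that it the contents become inaccessible" has a stray "it". In the tls_config_set_ecdhecurves(3) item, "elliptical curves" should be "elliptic curves". In the padding extension item, "termintation" should be "termination". In the 32-bit time_t item, "valies" should be "values" and the field is spelled notAfter in RFC 5280. In the self-issued certificates item, "common place" should be "commonplace". The list also mixes tense: most items are past tense ("Added", "Removed", "Converted"), while "Distinguish between self-issued certificates ...", "Provide a useful error ..." and "Keep track of which keypair ..." are imperative. Past tense throughout would match the rest of the list.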
|
|