| version 1.57, 2017/10/06 14:34:35 |
version 1.58, 2017/10/06 15:59:44 |
|
|
| receiving a number of packets. |
receiving a number of packets. |
| This allows to send a UDP request, receive a reply and check |
This allows to send a UDP request, receive a reply and check |
| the result on the command line. |
the result on the command line. |
| |
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a> |
| |
now has a -Z option, allowing the peer certificate and chain to be |
| |
saved to a file in PEM format. |
| |
<li>A new "-T tlscompat" option was added to |
| |
<a href="https://man.openbsd.org/nc.1">nc(1)</a>, which enables the use |
| |
of all TLS protocols and libtls "compat" ciphers. |
| <li>Fix a bunch of races in |
<li>Fix a bunch of races in |
| <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> |
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a> |
| expecially in HTTP chunked mode. |
expecially in HTTP chunked mode. |
|
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>LibreSSL X.X.X |
<li>LibreSSL 2.6.3 |
| <ul> |
<ul> |
| <li>... |
<li>Reworked TLS certificate name verification code to more strictly |
| |
follow RFC 6125. |
| |
<li>Cleaned up and simplified server key exchange EC point handling. |
| |
<li>Removed inconsistent IPv6 handling from BIO_get_accept_socket(), |
| |
simplified BIO_get_host_ip() and BIO_accept(). |
| |
<li>Added definitions for three OIDs used in EV certificates. |
| |
<li>Relaxed SNI validation to allow non-RFC-compliant clients using literal |
| |
IP addresses with SNI to connect to a libtls-based TLS server. |
| |
<li>Added tls_peer_cert_chain_pem() to libtls, useful in private certificate |
| |
validation callbacks such as those in relayd. |
| |
<li>Converted explicit clear/free sequences to use |
| |
<a href="https://man.openbsd.org/freezero.3">freezero(3)</a>. |
| |
<li>Fixed the |
| |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
| |
ca command so that is generates certificates with RFC 5280-conformant time. |
| |
<li>Added |
| |
<a href="https://man.openbsd.org/ASN1_TIME_set_tm.3">ASN1_TIME_set_tm(3)</a> |
| |
to set an ASN.1 time from a struct tm *. |
| |
<li>Added |
| |
<a href="https://man.openbsd.org/SSL_CTX_set_min_proto_version.3">SSL{,_CTX}_set_{min,max}_proto_version(3)</a> |
| |
functions. |
| |
<li>Imported HKDF (HMAC Key Derivation Function) from BoringSSL. |
| |
<li>Provided a |
| |
<a href="https://man.openbsd.org/tls_unload_file.3">tls_unload_file(3)</a> |
| |
function that frees the memory returned from a |
| |
<a href="https://man.openbsd.org/tls_load_file.3">tls_load_file(3)</a> |
| |
call, ensuring that it the contents become inaccessible. |
| |
<li>Implemented reference counting for libtls tls_config, allowing |
| |
<a href="https://man.openbsd.org/tls_config_free.3">tls_config_free(3)</a> |
| |
to be called as soon as it has been passed to the final |
| |
<a href="https://man.openbsd.org/tls_configure.3">tls_configure(3)</a> |
| |
call, simplifying lifetime tracking for the application. |
| |
<li>Dropped cipher suites using DSS authentication. |
| |
<li>Removed support for DSS/DSA from libssl. |
| |
<li>Distinguish between self-issued certificates and self-signed |
| |
certificates. The certificate verification code has special cases |
| |
for self-signed certificates and without this change, self-issued |
| |
certificates (which it seems are common place with |
| |
openvpn/easyrsa) were also being included in this category. |
| |
<li>Added a new TLS extension handling framework and converted all |
| |
TLS extensions to use it. |
| |
<li>Improved and added many new manpages. Updated |
| |
<a href="https://man.openbsd.org/SSL_CTX_check_private_key.3">SSL_{CTX_,}check_private_key(3)</a> |
| |
manpages with additional cautions regarding their use. |
| |
<li>Cleaned up and simplified EC key/curve configuration handling. |
| |
<li>Added |
| |
<a href="https://man.openbsd.org/tls_config_set_ecdhecurves.3">tls_config_set_ecdhecurves(3)</a> |
| |
to libtls, which allows the names of the elliptical curves that may |
| |
be used during client and server key exchange to be specified. |
| |
<li>Converted more code paths to use CBB/CBS. |
| |
<li>Removed NPN support - NPN was never standardised and the last draft |
| |
expired in October 2012. |
| |
<li>Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken |
| |
CryptoPro clients. |
| |
<li>Removed support for the TLS padding extension, which was added as a |
| |
workaround for an old bug in F5's TLS termintation. |
| |
<li>Added ability to clamp notafter valies in certificates for systems |
| |
with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. |
| |
<li>Removed the original (pre-IETF) chacha20-poly1305 cipher suites. |
| |
<li>Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. |
| |
<li>Provide a useful error with libtls if there are no OCSP URLs in a |
| |
peer certificate. |
| |
<li>Keep track of which keypair is in use by a TLS context, fixing a bug |
| |
where a TLS server with SNI would only return the OCSP staple for the |
| |
default keypair. |
| |
<li>If |
| |
<a href="https://man.openbsd.org/tls_config_parse_protocols.3">tls_config_parse_protocols(3)</a> |
| |
is called with a NULL pointer it now |
| |
returns the default protocols. |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 62.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www