===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/68.html,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- www/68.html 2020/10/08 15:22:38 1.56
+++ www/68.html 2020/10/08 15:37:13 1.57
@@ -472,19 +472,19 @@
API and Documentation Enhancements
Compatibility Changes
@@ -495,7 +495,7 @@
Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates.
Add minimal info callback support for TLSv1.3.
- Support TLSv1.3 options in the openssl(1) command.
+ Support TLSv1.3 options in the openssl(1) command.
Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis.
Add OIDs for HMAC using the Streebog hash function.
Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
@@ -519,13 +519,13 @@
Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits.
Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name.
Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages.
- Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack.
+ Improve the handling of BIO_read(3)/BIO_write(3) failures in the TLSv1.3 stack.
Start replacing the existing TLSv1.2 record layer.
Simplify SSL method lookups.
- Clean up and simplify SSL_get_ciphers(), SSL_set_session(), SSL_set_ssl_method() and several internal functions.
+ Clean up and simplify SSL_get_ciphers(3), SSL_set_session(3), SSL_set_ssl_method(3) and several internal functions.
Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues().
Make the message type available in the internal TLS extensions API functions.
- Numerous openssl(1) subcommands were converted to the new option handling.
+ Numerous openssl(1) subcommands were converted to the new option handling.
Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying.
@@ -541,19 +541,19 @@
Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2
Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes.
Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode.
- Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs.
+ Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs.
Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs.
Ensure that appropriate alerts are sent on various error conditions.
- Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call.
+ Move state initialization from SSL_clear(3) to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method(3) call.
Add a custom copy handler for AES keywrap to fix a use-after-free.
- Avoid an out-of-bounds write in BN_rand().
+ Avoid an out-of-bounds write in BN_rand(3).
Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c.
- Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected() when alpn_selected is NULL.
+ Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected(3) when alpn_selected is NULL.
Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define.
- Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
- Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead of constructing a broken objects that may cause NULL pointer accesses.
- Fix SSL_shutdown behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang.
- Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time so that a certificate with an invalid NotAfter does not appear valid.
+ Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(3).
+ Fail on receiving an invalid NID in X509_ATTRIBUTE_create(3) instead of constructing a broken objects that may cause NULL pointer accesses.
+ Fix SSL_shutdown(3) behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang.
+ Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time(3) so that a certificate with an invalid NotAfter does not appear valid.