=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/68.html,v retrieving revision 1.56 retrieving revision 1.57 diff -u -r1.56 -r1.57 --- www/68.html 2020/10/08 15:22:38 1.56 +++ www/68.html 2020/10/08 15:37:13 1.57 @@ -472,19 +472,19 @@
  • API and Documentation Enhancements
  • Compatibility Changes @@ -495,7 +495,7 @@
  • Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
  • Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates.
  • Add minimal info callback support for TLSv1.3. -
  • Support TLSv1.3 options in the openssl(1) command. +
  • Support TLSv1.3 options in the openssl(1) command.
  • Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis.
  • Add OIDs for HMAC using the Streebog hash function.
  • Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. @@ -519,13 +519,13 @@
  • Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits.
  • Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name.
  • Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages. -
  • Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack. +
  • Improve the handling of BIO_read(3)/BIO_write(3) failures in the TLSv1.3 stack.
  • Start replacing the existing TLSv1.2 record layer.
  • Simplify SSL method lookups. -
  • Clean up and simplify SSL_get_ciphers(), SSL_set_session(), SSL_set_ssl_method() and several internal functions. +
  • Clean up and simplify SSL_get_ciphers(3), SSL_set_session(3), SSL_set_ssl_method(3) and several internal functions.
  • Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues().
  • Make the message type available in the internal TLS extensions API functions. -
  • Numerous openssl(1) subcommands were converted to the new option handling. +
  • Numerous openssl(1) subcommands were converted to the new option handling.
  • Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying. @@ -541,19 +541,19 @@
  • Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2
  • Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes.
  • Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode. -
  • Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs. +
  • Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs.
  • Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs.
  • Ensure that appropriate alerts are sent on various error conditions. -
  • Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call. +
  • Move state initialization from SSL_clear(3) to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method(3) call.
  • Add a custom copy handler for AES keywrap to fix a use-after-free. -
  • Avoid an out-of-bounds write in BN_rand(). +
  • Avoid an out-of-bounds write in BN_rand(3).
  • Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c. -
  • Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected() when alpn_selected is NULL. +
  • Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected(3) when alpn_selected is NULL.
  • Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define. -
  • Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). -
  • Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead of constructing a broken objects that may cause NULL pointer accesses. -
  • Fix SSL_shutdown behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang. -
  • Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time so that a certificate with an invalid NotAfter does not appear valid. +
  • Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(3). +
  • Fail on receiving an invalid NID in X509_ATTRIBUTE_create(3) instead of constructing a broken objects that may cause NULL pointer accesses. +
  • Fix SSL_shutdown(3) behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang. +
  • Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time(3) so that a certificate with an invalid NotAfter does not appear valid.
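Review bot: SSL_CTX_get_ciphers(NULL), in the first context line of the @@ -495,7 +495,7 @@ hunk, is left without a manual section, while this revision gives the other public functions a section suffix (BIO_read(3), SSL_get_ciphers(3), BN_rand(3)). Unless the omission is deliberate because of the NULL argument, mark it up the same way so the release notes are consistent. The "openssl x509" wording in the last changed line of the final hunk could likewise follow the openssl(1) form used in the other items.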
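Review bot: The rewritten X509_ATTRIBUTE_create(3) line in the @@ -541,19 +541,19 @@ hunk still reads "constructing a broken objects"; since the line is being touched anyway, change it to "a broken object". The same hunk has further wording slips in its context lines that could go into this commit: "that that ClientHello messages" with no period after "section 4.1.2", and "Include machine/endian.h gost2814789.c", which is missing "in" before the file name.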