version 1.38, 2021/04/15 14:06:07 |
version 1.39, 2021/04/15 15:46:01 |
|
|
|
|
</ul> |
</ul> |
|
|
<li>LibreSSL 3.2.5 |
<li>LibreSSL 3.3.3 |
<ul> |
<ul> |
<li>New Features |
<li>New Features |
<ul> |
<ul> |
<li>Support for DTLSv1.2. |
<li>Support for DTLSv1.2. |
<li>Continued rewrite of the record layer for the legacy stack. |
<li>Continued rewrite of the record layer for the legacy stack. |
<li>Numerous bugs and interoperability issues were fixed in the new verifier. |
<li>Numerous bugs and interoperability issues were fixed in the new verifier. |
|
A few bugs and incompatibilities remain, so this release uses the old |
|
verifier by default. |
<li>The OpenSSL 1.1 TLSv1.3 API is not yet available. |
<li>The OpenSSL 1.1 TLSv1.3 API is not yet available. |
</ul> |
</ul> |
|
|
|
|
<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, |
<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, |
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. |
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. |
|
|
<li>Add support for SSL_get_shared_ciphers() with TLSv1.3. |
<li>Add support for |
|
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> |
|
with TLSv1.3. |
|
|
<li>Add DTLSv1.2 methods. |
<li>Add DTLSv1.2 methods. |
|
|
<li>Implement SSL_is_dtls() and use it internally in place of the |
<li>Implement SSL_is_dtls(3) and use it internally in place of the |
SSL_IS_DTLS macro. |
SSL_IS_DTLS macro. |
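Review bot: SSL_is_dtls(3) on the new side of this entry gains the section suffix but is not wrapped in a man.openbsd.org link, unlike the other (3) references this revision touches, such as SSL_get_finished(3). X509_policy_check(3) in the Internal Improvements list has the same problem. Either link both in the same way, or drop the suffix if no manual page exists for them.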
|
|
<li>Provide EVP_PKEY_new_CMAC_KEY(3). |
<li>Provide |
|
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3">EVP_PKEY_new_CMAC_KEY(3)</a>. |
|
<li>Add missing prototype for |
|
<a href="https://man.openbsd.org/d2i_DSAPrivateKey_fp.3">d2i_DSAPrivateKey_fp(3)</a> |
|
to x509.h. |
|
|
<li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h. |
<li>Add DTLSv1.2 to |
|
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
|
s_server and s_client protocol message logging. |
|
|
<li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message |
<li>Provide |
logging. |
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>. |
|
|
<li>Provide SSL_use_certificate_chain_file(3). |
<li>Provide |
|
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a> |
|
and |
|
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>. |
|
|
<li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3). |
|
|
|
<li>Provide various DTLSv1.2 specific functions and defines. |
<li>Provide various DTLSv1.2 specific functions and defines. |
|
|
<li>Document meaning of '*' in the genrsa output. |
<li>Document meaning of '*' in the genrsa output. |
|
|
<li>Updated documentation for SSL_get_shared_ciphers(3). |
<li>Updated documentation for |
|
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>. |
|
|
<li>Add documentation for SSL_get_finished(3). |
<li>Add documentation for |
|
<a href="https://man.openbsd.org/SSL_get_finished.3">SSL_get_finished(3)</a>. |
|
|
<li>Document EVP_PKEY_new_CMAC_key(3) |
<li>Document |
|
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>. |
|
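Review bot: the link added on the "Document" entry targets EVP_PKEY_new_CMAC_key.3 (lowercase "key"), while the "Provide" entry earlier in this list links EVP_PKEY_new_CMAC_KEY.3 (uppercase "KEY"). Both entries refer to the same function, so at most one of the two targets can match the manual page name. Pick the spelling the manual uses and apply it to the href and the link text in both entries.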
|
<li>Document SSL_use_certificate_chain_file(3). |
|
|
|
<li>Document SSL_set_hostflags(3) and SSL_get0_peername(3). |
<li>Document |
|
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>. |
|
|
<li>Update SSL_get_version.3 manual for DTLSv.1.2 support. |
<li>Document |
|
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a> |
|
and |
|
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>. |
|
|
|
<li>Update |
|
<a href="https://man.openbsd.org/SSL_get_version.3">SSL_get_version(3)</a> |
|
manual for DTLSv.1.2 support. |
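Review bot: the rewritten SSL_get_version(3) entry carries over the typo "DTLSv.1.2" from the old line, while every other entry in this list writes "DTLSv1.2". Since the line is being reflowed for the new link anyway, change it to "manual for DTLSv1.2 support."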
|
|
<li>Make supported protocols and options for DHE params more prominent |
<li>Make supported protocols and options for DHE params more prominent |
in tls_config_set_protocols.3. |
in <a href="https://man.openbsd.org/tls_config_set_protocols.3">tls_config_set_protocols(3)</a>. |
|
|
<li>Various documentation improvements around TLS methods. |
<li>Various documentation improvements around TLS methods. |
</ul> |
</ul> |
|
|
<li>Compatibility Changes |
<li>Compatibility Changes |
<ul> |
<ul> |
<li>Make openssl(1) s_server ignore -4 and -6 for compatibility with |
<li>Make <a href="https://man.openbsd.org/openssl.3">openssl(1)</a> s_server |
OpenSSL. |
ignore -4 and -6 for compatibility with OpenSSL. |
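Review bot: the href on the new s_server entry is https://man.openbsd.org/openssl.3, but the link text reads openssl(1) and every other openssl(1) link in this revision targets openssl.1. Change the target to openssl.1 so the link reaches the command's manual page.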
|
|
<li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp |
<li>Set SO_REUSEADDR on the server socket in the |
command. |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp command. |
|
|
<li>Send a host header with OCSP queries to make openssl(1) ocsp |
<li>Send a host header with OCSP queries to make |
|
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp |
work with some widely used OCSP responders. |
work with some widely used OCSP responders. |
|
|
<li>Add ability to ocspcheck(8) to parse a port in the specified |
<li>Add ability to |
OCSP URL. |
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a> |
|
to parse a port in the specified OCSP URL. |
|
|
<li>Implement auto chain for the TLSv1.3 server since some software |
<li>Implement auto chain for the TLSv1.3 server since some software |
relies on this. |
relies on this. |
|
|
<li>Implement key exporter for TLSv1.3. |
<li>Implement key exporter for TLSv1.3. |
<li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account |
<li>Align <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> |
that it never returned server ciphers, so now it will fail when |
with OpenSSL. This takes into account that it never returned server |
called from the client side. |
ciphers, so now it will fail when called from the client side. |
|
|
<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". |
<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". |
|
|
<li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of |
<li>Make |
zero if the minimum or maximum has been set to zero to match |
<a href="https://man.openbsd.org/SSL_CTX_get_min_proto_version.3">SSL{_CTX,}_get_{min,max}_proto_version(3)</a> |
OpenSSL's behavior. |
return a version of zero if the minimum or maximum has been set to |
|
zero to match OpenSSL's behavior. |
|
|
<li>Add DTLSv1.2 support to openssl s_client/s_server. |
<li>Add DTLSv1.2 support to |
|
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_client/s_server. |
</ul> |
</ul> |
|
|
<li>Testing and Proactive Security |
<li>Testing and Proactive Security |
|
|
<li>Malformed ASN.1 in a certificate revocation list or a timestamp |
<li>Malformed ASN.1 in a certificate revocation list or a timestamp |
response token can lead to a NULL pointer dereference. |
response token can lead to a NULL pointer dereference. |
|
|
<li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL. |
<li>Pull in fix for |
|
<a href="https://man.openbsd.org/EVP_CipherUpdate.3">EVP_CipherUpdate(3)</a> |
|
overflow from OpenSSL. |
|
|
<li>Use EXFLAG_INVALID to handle out of memory and parse errors in |
<li>Use EXFLAG_INVALID to handle out of memory and parse errors in |
x509v3_cache_extensions(). |
x509v3_cache_extensions(). |
|
|
<li>Refactor and clean up ocspcheck(8) and add regression tests. |
<li>Refactor and clean up |
|
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a> |
|
and add regression tests. |
</ul> |
</ul> |
|
|
<li>Internal Improvements |
<li>Internal Improvements |
|
|
<li>Add tls12_record_protection_unused() and call it from CCS functions. |
<li>Add tls12_record_protection_unused() and call it from CCS functions. |
|
|
<li>Move key/IV length checks closer to usage sites. Also add explicit |
<li>Move key/IV length checks closer to usage sites. Also add explicit |
checks against EVP_CIPHER_{iv,key}_length(). |
checks against |
|
<a href="https://man.openbsd.org/EVP_CIPHER_iv_length.3">EVP_CIPHER_{iv,key}_length()</a>. |
|
|
<li>Replace two handrolled tls12_record_protection_engaged(). |
<li>Replace two handrolled tls12_record_protection_engaged(). |
|
|
|
|
<li>Move point-on-curve check to set_affine_coordinates to avoid |
<li>Move point-on-curve check to set_affine_coordinates to avoid |
verifying ECDSA signatures with unchecked public keys. |
verifying ECDSA signatures with unchecked public keys. |
|
|
<li>Fix SSL_is_server() to behave as documented by re-introducing the |
<li>Fix |
client-specific methods. |
<a href="https://man.openbsd.org/SSL_is_server.3">SSL_is_server(3)</a> |
|
to behave as documented by re-introducing the client-specific |
|
methods. |
|
|
<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0). |
<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0). |
|
|
|
|
<li>Destroy the mutex in a tls_config object on tls_config_free(). |
<li>Destroy the mutex in a tls_config object on tls_config_free(). |
|
|
<li>Free alert_data and phh_data in tls13_record_layer_free() |
<li>Free alert_data and phh_data in tls13_record_layer_free() |
these could leak if SSL_shutdown() or tls_close() were called |
these could leak if |
after closing the underlying socket(). |
<a href="https://man.openbsd.org/SSL_shutdown.3">SSL_shutdown(3)</a> |
|
or <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a> |
|
were called after closing the underlying socket(). |
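Review bot: in the tls13_record_layer_free() entry, the text still runs from "tls13_record_layer_free()" straight into "these could leak" with no punctuation. The reflow around the new SSL_shutdown(3) and tls_close(3) links is a good place to fix it. Suggest "tls13_record_layer_free(); these could leak if ...".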
|
|
<li>Gracefully handle root certificates being both trusted and |
<li>Gracefully handle root certificates being both trusted and |
untrusted. |
untrusted. |
|
|
<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. |
<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. |
|
|
<li>Fix two bugs in the legacy verifier that resulted from refactoring |
<li>Fix two bugs in the legacy verifier that resulted from refactoring |
of X509_verify_cert() for the new verifier: a return value was |
of |
incorrectly treated as boolean, making it insufficient to decide |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a> |
whether validation should carry on or not. |
for the new verifier: a return value was incorrectly treated as |
|
boolean, making it insufficient to decide whether validation should |
|
carry on or not. |
|
|
<li>Fix checks for memory caps of constraints names. There are internal |
<li>Fix checks for memory caps of constraints names. There are internal |
caps on the number of name constraints and other names, that the new |
caps on the number of name constraints and other names, that the new |
|
|
<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509 |
<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509 |
verifier to fix hashed certificate directories. |
verifier to fix hashed certificate directories. |
|
|
<li>Only check BIO_should_read() on read and BIO_should_write() on |
<li>Only check |
write. Previously, BIO_should_write() was also checked after read |
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a> |
and BIO_should_read() after write which could cause stalls in |
on read and |
software that uses the same BIO for read and write. |
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a> |
|
on write. Previously, |
|
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a> |
|
was also checked after read and |
|
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a> |
|
after write which could cause stalls in software that uses the same |
|
BIO for read and write. |
|
|
<li>In openssl(1) verify, also check for error on the store context |
<li>In <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
since the return value of X509_verify_cert() is unreliable in |
verify, also check for error on the store context since the return |
presence of a callback that returns 1 too often. |
value of |
|
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a> |
|
is unreliable in presence of a callback that returns 1 too often. |
|
|
<li>Handle additional certificate error cases in the new X.509 verifier. |
<li>Handle additional certificate error cases in the new X.509 verifier. |
Keep track of the errors encountered if a verify callback tells the |
Keep track of the errors encountered if a verify callback tells the |
|
|
error code. |
error code. |
|
|
<li>Plug a large memory leak in the new verifier caused by calling |
<li>Plug a large memory leak in the new verifier caused by calling |
X509_policy_check() repeatedly. |
X509_policy_check(3) repeatedly. |
|
|
<li>Avoid leaking memory in x509_verify_chain_dup(). |
<li>Avoid leaking memory in x509_verify_chain_dup(). |
</ul> |
</ul> |