| version 1.38, 2021/04/15 14:06:07 |
version 1.39, 2021/04/15 15:46:01 |
|
|
| |
|
| </ul> |
</ul> |
| |
|
| <li>LibreSSL 3.2.5 |
<li>LibreSSL 3.3.3 |
| <ul> |
<ul> |
| <li>New Features |
<li>New Features |
| <ul> |
<ul> |
| <li>Support for DTLSv1.2. |
<li>Support for DTLSv1.2. |
| <li>Continued rewrite of the record layer for the legacy stack. |
<li>Continued rewrite of the record layer for the legacy stack. |
| <li>Numerous bugs and interoperability issues were fixed in the new verifier. |
<li>Numerous bugs and interoperability issues were fixed in the new verifier. |
| |
A few bugs and incompatibilities remain, so this release uses the old |
| |
verifier by default. |
| <li>The OpenSSL 1.1 TLSv1.3 API is not yet available. |
<li>The OpenSSL 1.1 TLSv1.3 API is not yet available. |
| </ul> |
</ul> |
| |
|
|
|
| <li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, |
<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360, |
| draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. |
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds. |
| |
|
| <li>Add support for SSL_get_shared_ciphers() with TLSv1.3. |
<li>Add support for |
| |
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> |
| |
with TLSv1.3. |
| |
|
| <li>Add DTLSv1.2 methods. |
<li>Add DTLSv1.2 methods. |
| |
|
| <li>Implement SSL_is_dtls() and use it internally in place of the |
<li>Implement SSL_is_dtls(3) and use it internally in place of the |
| SSL_IS_DTLS macro. |
SSL_IS_DTLS macro. |
| |
|
| <li>Provide EVP_PKEY_new_CMAC_KEY(3). |
<li>Provide |
| |
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_KEY.3">EVP_PKEY_new_CMAC_KEY(3)</a>. |
| |
<li>Add missing prototype for |
| |
<a href="https://man.openbsd.org/d2i_DSAPrivateKey_fp.3">d2i_DSAPrivateKey_fp(3)</a> |
| |
to x509.h. |
| |
|
| <li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h. |
<li>Add DTLSv1.2 to |
| |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
| |
s_server and s_client protocol message logging. |
| |
|
| <li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message |
<li>Provide |
| logging. |
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>. |
| |
|
| <li>Provide SSL_use_certificate_chain_file(3). |
<li>Provide |
| |
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a> |
| |
and |
| |
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>. |
| |
|
| <li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3). |
|
| |
|
| <li>Provide various DTLSv1.2 specific functions and defines. |
<li>Provide various DTLSv1.2 specific functions and defines. |
| |
|
| <li>Document meaning of '*' in the genrsa output. |
<li>Document meaning of '*' in the genrsa output. |
| |
|
| <li>Updated documentation for SSL_get_shared_ciphers(3). |
<li>Updated documentation for |
| |
<a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a>. |
| |
|
| <li>Add documentation for SSL_get_finished(3). |
<li>Add documentation for |
| |
<a href="https://man.openbsd.org/SSL_get_finished.3">SSL_get_finished(3)</a>. |
| |
|
| <li>Document EVP_PKEY_new_CMAC_key(3) |
<li>Document |
| |
<a href="https://man.openbsd.org/EVP_PKEY_new_CMAC_key.3">EVP_PKEY_new_CMAC_key(3)</a>. |
| |
|
| <li>Document SSL_use_certificate_chain_file(3). |
|
| |
|
| <li>Document SSL_set_hostflags(3) and SSL_get0_peername(3). |
<li>Document |
| |
<a href="https://man.openbsd.org/SSL_use_certificate_chain_file.3">SSL_use_certificate_chain_file(3)</a>. |
| |
|
| <li>Update SSL_get_version.3 manual for DTLSv.1.2 support. |
<li>Document |
| |
<a href="https://man.openbsd.org/SSL_set_hostflags.3">SSL_set_hostflags(3)</a> |
| |
and |
| |
<a href="https://man.openbsd.org/SSL_get0_peername.3">SSL_get0_peername(3)</a>. |
| |
|
| |
<li>Update |
| |
<a href="https://man.openbsd.org/SSL_get_version.3">SSL_get_version(3)</a> |
| |
manual for DTLSv.1.2 support. |
| |
|
| <li>Make supported protocols and options for DHE params more prominent |
<li>Make supported protocols and options for DHE params more prominent |
| in tls_config_set_protocols.3. |
in <a href="https://man.openbsd.org/tls_config_set_protocols.3">tls_config_set_protocols(3)</a>. |
| |
|
| <li>Various documentation improvements around TLS methods. |
<li>Various documentation improvements around TLS methods. |
| </ul> |
</ul> |
| |
|
| <li>Compatibility Changes |
<li>Compatibility Changes |
| <ul> |
<ul> |
| <li>Make openssl(1) s_server ignore -4 and -6 for compatibility with |
<li>Make <a href="https://man.openbsd.org/openssl.3">openssl(1)</a> s_server |
| OpenSSL. |
ignore -4 and -6 for compatibility with OpenSSL. |
| |
|
| <li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp |
<li>Set SO_REUSEADDR on the server socket in the |
| command. |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp command. |
| |
|
| <li>Send a host header with OCSP queries to make openssl(1) ocsp |
<li>Send a host header with OCSP queries to make |
| |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> ocsp |
| work with some widely used OCSP responders. |
work with some widely used OCSP responders. |
| |
|
| <li>Add ability to ocspcheck(8) to parse a port in the specified |
<li>Add ability to |
| OCSP URL. |
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a> |
| |
to parse a port in the specified OCSP URL. |
| |
|
| <li>Implement auto chain for the TLSv1.3 server since some software |
<li>Implement auto chain for the TLSv1.3 server since some software |
| relies on this. |
relies on this. |
| |
|
| <li>Implement key exporter for TLSv1.3. |
<li>Implement key exporter for TLSv1.3. |
| <li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account |
<li>Align <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> |
| that it never returned server ciphers, so now it will fail when |
with OpenSSL. This takes into account that it never returned server |
| called from the client side. |
ciphers, so now it will fail when called from the client side. |
| |
|
| <li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". |
<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA". |
| |
|
| <li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of |
<li>Make |
| zero if the minimum or maximum has been set to zero to match |
<a href="https://man.openbsd.org/SSL_CTX_get_min_proto_version.3">SSL{_CTX,}_get_{min,max}_proto_version(3)</a> |
| OpenSSL's behavior. |
return a version of zero if the minimum or maximum has been set to |
| |
zero to match OpenSSL's behavior. |
| |
|
| <li>Add DTLSv1.2 support to openssl s_client/s_server. |
<li>Add DTLSv1.2 support to |
| |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a> s_client/s_server. |
| </ul> |
</ul> |
| |
|
| <li>Testing and Proactive Security |
<li>Testing and Proactive Security |
|
|
| <li>Malformed ASN.1 in a certificate revocation list or a timestamp |
<li>Malformed ASN.1 in a certificate revocation list or a timestamp |
| response token can lead to a NULL pointer dereference. |
response token can lead to a NULL pointer dereference. |
| |
|
| <li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL. |
<li>Pull in fix for |
| |
<a href="https://man.openbsd.org/EVP_CipherUpdate.3">EVP_CipherUpdate(3)</a> |
| |
overflow from OpenSSL. |
| |
|
| <li>Use EXFLAG_INVALID to handle out of memory and parse errors in |
<li>Use EXFLAG_INVALID to handle out of memory and parse errors in |
| x509v3_cache_extensions(). |
x509v3_cache_extensions(). |
| |
|
| <li>Refactor and clean up ocspcheck(8) and add regression tests. |
<li>Refactor and clean up |
| |
<a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a> |
| |
and add regression tests. |
| </ul> |
</ul> |
| |
|
| <li>Internal Improvements |
<li>Internal Improvements |
|
|
| <li>Add tls12_record_protection_unused() and call it from CCS functions. |
<li>Add tls12_record_protection_unused() and call it from CCS functions. |
| |
|
| <li>Move key/IV length checks closer to usage sites. Also add explicit |
<li>Move key/IV length checks closer to usage sites. Also add explicit |
| checks against EVP_CIPHER_{iv,key}_length(). |
checks against |
| |
<a href="https://man.openbsd.org/EVP_CIPHER_iv_length.3">EVP_CIPHER_{iv,key}_length()</a>. |
| |
|
| <li>Replace two handrolled tls12_record_protection_engaged(). |
<li>Replace two handrolled tls12_record_protection_engaged(). |
| |
|
|
|
| <li>Move point-on-curve check to set_affine_coordinates to avoid |
<li>Move point-on-curve check to set_affine_coordinates to avoid |
| verifying ECDSA signatures with unchecked public keys. |
verifying ECDSA signatures with unchecked public keys. |
| |
|
| <li>Fix SSL_is_server() to behave as documented by re-introducing the |
<li>Fix |
| client-specific methods. |
<a href="https://man.openbsd.org/SSL_is_server.3">SSL_is_server(3)</a> |
| |
to behave as documented by re-introducing the client-specific |
| |
methods. |
| |
|
| <li>Avoid undefined behavior due to memcpy(NULL, NULL, 0). |
<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0). |
| |
|
|
|
| <li>Destroy the mutex in a tls_config object on tls_config_free(). |
<li>Destroy the mutex in a tls_config object on tls_config_free(). |
| |
|
| <li>Free alert_data and phh_data in tls13_record_layer_free() |
<li>Free alert_data and phh_data in tls13_record_layer_free() |
| these could leak if SSL_shutdown() or tls_close() were called |
these could leak if |
| after closing the underlying socket(). |
<a href="https://man.openbsd.org/SSL_shutdown.3">SSL_shutdown(3)</a> |
| |
or <a href="https://man.openbsd.org/tls_close.3">tls_close(3)</a> |
| |
were called after closing the underlying socket(). |
| |
|
| <li>Gracefully handle root certificates being both trusted and |
<li>Gracefully handle root certificates being both trusted and |
| untrusted. |
untrusted. |
|
|
| <li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. |
<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM. |
| |
|
| <li>Fix two bugs in the legacy verifier that resulted from refactoring |
<li>Fix two bugs in the legacy verifier that resulted from refactoring |
| of X509_verify_cert() for the new verifier: a return value was |
of |
| incorrectly treated as boolean, making it insufficient to decide |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a> |
| whether validation should carry on or not. |
for the new verifier: a return value was incorrectly treated as |
| |
boolean, making it insufficient to decide whether validation should |
| |
carry on or not. |
| |
|
| <li>Fix checks for memory caps of constraints names. There are internal |
<li>Fix checks for memory caps of constraints names. There are internal |
| caps on the number of name constraints and other names, that the new |
caps on the number of name constraints and other names, that the new |
|
|
| <li>Use the X509_STORE_CTX get_issuer() callback from the new X.509 |
<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509 |
| verifier to fix hashed certificate directories. |
verifier to fix hashed certificate directories. |
| |
|
| <li>Only check BIO_should_read() on read and BIO_should_write() on |
<li>Only check |
| write. Previously, BIO_should_write() was also checked after read |
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a> |
| and BIO_should_read() after write which could cause stalls in |
on read and |
| software that uses the same BIO for read and write. |
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a> |
| |
on write. Previously, |
| |
<a href="https://man.openbsd.org/BIO_should_write.3">BIO_should_write(3)</a> |
| |
was also checked after read and |
| |
<a href="https://man.openbsd.org/BIO_should_read.3">BIO_should_read(3)</a> |
| |
after write which could cause stalls in software that uses the same |
| |
BIO for read and write. |
| |
|
| <li>In openssl(1) verify, also check for error on the store context |
<li>In <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> |
| since the return value of X509_verify_cert() is unreliable in |
verify, also check for error on the store context since the return |
| presence of a callback that returns 1 too often. |
value of |
| |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a> |
| |
is unreliable in presence of a callback that returns 1 too often. |
| |
|
| <li>Handle additional certificate error cases in the new X.509 verifier. |
<li>Handle additional certificate error cases in the new X.509 verifier. |
| Keep track of the errors encountered if a verify callback tells the |
Keep track of the errors encountered if a verify callback tells the |
|
|
| error code. |
error code. |
| |
|
| <li>Plug a large memory leak in the new verifier caused by calling |
<li>Plug a large memory leak in the new verifier caused by calling |
| X509_policy_check() repeatedly. |
X509_policy_check(3) repeatedly. |
| |
|
| <li>Avoid leaking memory in x509_verify_chain_dup(). |
<li>Avoid leaking memory in x509_verify_chain_dup(). |
| </ul> |
</ul> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 69.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www