===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/69.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- www/69.html 2021/04/15 14:06:07 1.38
+++ www/69.html 2021/04/15 15:46:01 1.39
@@ -1114,13 +1114,15 @@
-
LibreSSL 3.2.5
+LibreSSL 3.3.3
- New Features
- Support for DTLSv1.2.
- Continued rewrite of the record layer for the legacy stack.
- Numerous bugs and interoperability issues were fixed in the new verifier.
+ A few bugs and incompatibilities remain, so this release uses the old
+ verifier by default.
- The OpenSSL 1.1 TLSv1.3 API is not yet available.
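Review bot: the added sentence "so this release uses the old verifier by default" does not say which bugs and incompatibilities remain, and it leaves the many later entries about the new X.509 verifier ambiguous for a default build. Suggest adding a clause that states whether the new-verifier items further down apply only when that verifier is selected.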
@@ -1140,75 +1142,98 @@
- Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
-
- Add support for SSL_get_shared_ciphers() with TLSv1.3.
+
- Add support for
+ SSL_get_shared_ciphers(3)
+ with TLSv1.3.
- Add DTLSv1.2 methods.
-
- Implement SSL_is_dtls() and use it internally in place of the
+
- Implement SSL_is_dtls(3) and use it internally in place of the
SSL_IS_DTLS macro.
-
- Provide EVP_PKEY_new_CMAC_KEY(3).
+
- Provide
+ EVP_PKEY_new_CMAC_KEY(3).
+
- Add missing prototype for
+ d2i_DSAPrivateKey_fp(3)
+ to x509.h.
-
- Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
+
- Add DTLSv1.2 to
+ openssl(1)
+ s_server and s_client protocol message logging.
-
- Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
- logging.
+
- Provide
+ SSL_use_certificate_chain_file(3).
-
- Provide SSL_use_certificate_chain_file(3).
+
- Provide
+ SSL_set_hostflags(3)
+ and
+ SSL_get0_peername(3).
-
- Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
-
- Provide various DTLSv1.2 specific functions and defines.
- Document meaning of '*' in the genrsa output.
-
- Updated documentation for SSL_get_shared_ciphers(3).
+
- Updated documentation for
+ SSL_get_shared_ciphers(3).
-
- Add documentation for SSL_get_finished(3).
+
- Add documentation for
+ SSL_get_finished(3).
-
- Document EVP_PKEY_new_CMAC_key(3)
+
- Document
+ EVP_PKEY_new_CMAC_key(3).
-
- Document SSL_use_certificate_chain_file(3).
-
- Document SSL_set_hostflags(3) and SSL_get0_peername(3).
+
- Document
+ SSL_use_certificate_chain_file(3).
-
- Update SSL_get_version.3 manual for DTLSv.1.2 support.
+
- Document
+ SSL_set_hostflags(3)
+ and
+ SSL_get0_peername(3).
+
- Update
+ SSL_get_version(3)
+ manual for DTLSv.1.2 support.
+
- Make supported protocols and options for DHE params more prominent
- in tls_config_set_protocols.3.
+ in tls_config_set_protocols(3).
- Various documentation improvements around TLS methods.
Compatibility Changes
- - Make openssl(1) s_server ignore -4 and -6 for compatibility with
- OpenSSL.
+
- Make openssl(1) s_server
+ ignore -4 and -6 for compatibility with OpenSSL.
-
- Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
- command.
+
- Set SO_REUSEADDR on the server socket in the
+ openssl(1) ocsp command.
-
- Send a host header with OCSP queries to make openssl(1) ocsp
+
- Send a host header with OCSP queries to make
+ openssl(1) ocsp
work with some widely used OCSP responders.
-
- Add ability to ocspcheck(8) to parse a port in the specified
- OCSP URL.
+
- Add ability to
+ ocspcheck(8)
+ to parse a port in the specified OCSP URL.
- Implement auto chain for the TLSv1.3 server since some software
relies on this.
- Implement key exporter for TLSv1.3.
-
- Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
- that it never returned server ciphers, so now it will fail when
- called from the client side.
+
- Align SSL_get_shared_ciphers(3)
+ with OpenSSL. This takes into account that it never returned server
+ ciphers, so now it will fail when called from the client side.
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
-
- Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
- zero if the minimum or maximum has been set to zero to match
- OpenSSL's behavior.
+
- Make
+ SSL{_CTX,}_get_{min,max}_proto_version(3)
+ return a version of zero if the minimum or maximum has been set to
+ zero to match OpenSSL's behavior.
-
- Add DTLSv1.2 support to openssl s_client/s_server.
+
- Add DTLSv1.2 support to
+ openssl(1) s_client/s_server.
Testing and Proactive Security
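Review bot: the same function is spelled two ways in this hunk, "Provide EVP_PKEY_new_CMAC_KEY(3)" and "Document EVP_PKEY_new_CMAC_key(3)". The API name is EVP_PKEY_new_CMAC_key, so the first should be lowercased to match, which matters more now that both carry a manual section. In the SSL_get_version(3) entry, "DTLSv.1.2" also keeps a stray dot where the rest of the hunk writes "DTLSv1.2".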
@@ -1216,12 +1241,16 @@
Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL pointer dereference.
- Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
+ Pull in fix for
+ EVP_CipherUpdate(3)
+ overflow from OpenSSL.
Use EXFLAG_INVALID to handle out of memory and parse errors in
x509v3_cache_extensions().
- Refactor and clean up ocspcheck(8) and add regression tests.
+ Refactor and clean up
+ ocspcheck(8)
+ and add regression tests.
Internal Improvements
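Review bot: the EVP_CipherUpdate(3) entry gains a manual reference but still identifies the security fix only as "overflow from OpenSSL". Since the line is being touched anyway, name the upstream advisory or the kind of overflow so readers can match the entry against their own vulnerability tracking. The NULL pointer dereference item in the context lines above it would benefit from the same.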
@@ -1356,7 +1385,8 @@
Add tls12_record_protection_unused() and call it from CCS functions.
Move key/IV length checks closer to usage sites. Also add explicit
- checks against EVP_CIPHER_{iv,key}_length().
+ checks against
+ EVP_CIPHER_{iv,key}_length().
Replace two handrolled tls12_record_protection_engaged().
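Review bot: "EVP_CIPHER_{iv,key}_length()" is moved onto its own line like the other converted names but keeps the "()" suffix, while the other public functions touched in this patch become "name(3)". Use "EVP_CIPHER_{iv,key}_length(3)" for consistency, or leave the line unsplit if no manual reference is intended here.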
@@ -1409,8 +1439,10 @@
Move point-on-curve check to set_affine_coordinates to avoid
verifying ECDSA signatures with unchecked public keys.
- Fix SSL_is_server() to behave as documented by re-introducing the
- client-specific methods.
+ Fix
+ SSL_is_server(3)
+ to behave as documented by re-introducing the client-specific
+ methods.
Avoid undefined behavior due to memcpy(NULL, NULL, 0).
@@ -1425,8 +1457,10 @@
Destroy the mutex in a tls_config object on tls_config_free().
Free alert_data and phh_data in tls13_record_layer_free()
- these could leak if SSL_shutdown() or tls_close() were called
- after closing the underlying socket().
+ these could leak if
+ SSL_shutdown(3)
+ or tls_close(3)
+ were called after closing the underlying socket().
Gracefully handle root certificates being both trusted and
untrusted.
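Review bot: the rewritten leak entry converts SSL_shutdown(3) and tls_close(3), but the context line just above still reads "tls_config_free()", a public libtls function, without a manual section; give it the same "(3)" form. The phrase "closing the underlying socket()" is also carried over unchanged and reads as a call to socket(); "closing the underlying socket" would be clearer.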
@@ -1462,9 +1496,11 @@
Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
Fix two bugs in the legacy verifier that resulted from refactoring
- of X509_verify_cert() for the new verifier: a return value was
- incorrectly treated as boolean, making it insufficient to decide
- whether validation should carry on or not.
+ of
+ X509_verify_cert(3)
+ for the new verifier: a return value was incorrectly treated as
+ boolean, making it insufficient to decide whether validation should
+ carry on or not.
Fix checks for memory caps of constraints names. There are internal
caps on the number of name constraints and other names, that the new
@@ -1514,14 +1550,22 @@
Use the X509_STORE_CTX get_issuer() callback from the new X.509
verifier to fix hashed certificate directories.
- Only check BIO_should_read() on read and BIO_should_write() on
- write. Previously, BIO_should_write() was also checked after read
- and BIO_should_read() after write which could cause stalls in
- software that uses the same BIO for read and write.
+ Only check
+ BIO_should_read(3)
+ on read and
+ BIO_should_write(3)
+ on write. Previously,
+ BIO_should_write(3)
+ was also checked after read and
+ BIO_should_read(3)
+ after write which could cause stalls in software that uses the same
+ BIO for read and write.
- In openssl(1) verify, also check for error on the store context
- since the return value of X509_verify_cert() is unreliable in
- presence of a callback that returns 1 too often.
+ In openssl(1)
+ verify, also check for error on the store context since the return
+ value of
+ X509_verify_cert(3)
+ is unreliable in presence of a callback that returns 1 too often.
Handle additional certificate error cases in the new X.509 verifier.
Keep track of the errors encountered if a verify callback tells the
@@ -1534,7 +1578,7 @@
error code.
Plug a large memory leak in the new verifier caused by calling
- X509_policy_check() repeatedly.
+ X509_policy_check(3) repeatedly.
Avoid leaking memory in x509_verify_chain_dup().