Also remove some trailing whitespace.
Signed-off-by: Rich Salz <rsalz@akamai.com>
[LEGAL] Legal questions
* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software?
+* Can I use OpenSSL with GPL software?
[USER] Questions on using the OpenSSL applications
* How does the versioning scheme work?
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
+After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and
+new features. Minor releases change the last number (e.g. 1.0.2) and
can contain new features that retain binary compatibility. Changes to
the middle number are considered major releases and neither source nor
binary compatibility is guaranteed.
test suite (using "make test"). The message returned is "bc: stack empty".
The best way to deal with this is to find another implementation of bc
-and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
+and compile/install it. GNU bc (see <URL: https://www.gnu.org/software/software.html>
for download instructions) can be safely used, for example.
level chosen by the configuration process. When the above is done, do the
test and installation and you're set.
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
should not be used and is not used in SSL/TLS nor any other recognized
protocol in either case.
* I've found a security issue, how do I report it?
If you think your bug has security implications then please send it to
-openssl-security@openssl.org if you don't get a prompt reply at least
+openssl-security@openssl.org if you don't get a prompt reply at least
acknowledging receipt then resend or mail it directly to one of the
more active team members (e.g. Steve). If you wish to use PGP to send
in a report please use one or more of the keys of the team members listed
at <URL: https://www.openssl.org/community/team.html>
Note that bugs only present in the openssl utility are not in general
-considered to be security issues.
+considered to be security issues.
[PROG] ========================================================================
PKCS#12 macros in a program, it is much easier to parse and create
PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out
+'pkcs12' application has to use the macros because it prints out
debugging information.
TLS.
A patch for 0.9.7 is available from the OpenSSL website
-(http://www.openssl.org/).
+(https://www.openssl.org/).
Servers can disable SSL2, alternatively disable all applications using
SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
References
----------
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
Acknowledgements
----------------
References
----------
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
Acknowledgements
----------------
Combined patches for OpenSSL 0.9.6d:
-http://www.openssl.org/news/patch_20020730_0_9_6d.txt
+https://www.openssl.org/news/patch_20020730_0_9_6d.txt
Combined patches for OpenSSL 0.9.7 beta 2:
-http://www.openssl.org/news/patch_20020730_0_9_7.txt
+https://www.openssl.org/news/patch_20020730_0_9_7.txt
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20020730.txt
+https://www.openssl.org/news/secadv_20020730.txt
OpenSSL version since 0.9.6c supposedly treat block cipher padding
errors like MAC verification errors during record decryption
-(see http://www.openssl.org/~bodo/tls-cbc.txt), but MAC verification
+(see https://www.openssl.org/~bodo/tls-cbc.txt), but MAC verification
was still skipped after detection of a padding error, which allowed
the timing attack. (Note that it is likely that other SSL/TLS
implementations will have similar problems.)
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0078 to this issue:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20030219.txt
+https://www.openssl.org/news/secadv_20030219.txt
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
-+ * (http://eprint.iacr.org/2003/052/) exploits the version
++ * (https://eprint.iacr.org/2003/052/) exploits the version
+ * number check as a "bad version oracle" -- an alert would
+ * reveal that the plaintext corresponding to some ciphertext
+ * made up by the adversary is properly formatted except
Report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny,
and T. Rosa:
-http://eprint.iacr.org/2003/052/
+https://eprint.iacr.org/2003/052/
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0131 to this issue.
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20030319.txt
+https://www.openssl.org/news/secadv_20030319.txt
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 for issue 1:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
and CAN-2003-0543 and CAN-2003-0544 for issue 2:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20030930.txt
+https://www.openssl.org/news/secadv_20030930.txt
OpenSSL 0.9.6l is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
-http://www.openssl.org/source/mirror.html):
+https://www.openssl.org/source/mirror.html):
- o http://www.openssl.org/source/
+ o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/
The distribution file name is:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0851 to this issue.
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20031104.txt
+https://www.openssl.org/news/secadv_20031104.txt
OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
-mirrors under http://www.openssl.org/source/mirror.html):
+mirrors under https://www.openssl.org/source/mirror.html):
ftp://ftp.openssl.org/source/
----------
http://www.codenomicon.com/testtools/tls/
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20040317.txt
+https://www.openssl.org/news/secadv_20040317.txt
OpenSSL 0.9.8a and OpenSSL 0.9.7h are available for download via
HTTP and FTP from the following master locations (you can find the
- various FTP mirrors under http://www.openssl.org/source/mirror.html):
+ various FTP mirrors under https://www.openssl.org/source/mirror.html):
- o http://www.openssl.org/source/
+ o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/
The distribution file names are:
source code to resolve the problem. The patch is compatible with
the 0.9.6, 0.9.7, and 0.9.8 branches of OpenSSL.
- o http://www.openssl.org/news/patch-CAN-2005-2969.txt
+ o https://www.openssl.org/news/patch-CAN-2005-2969.txt
Whether you choose to upgrade to a new version or to apply the
patch, make sure to recompile any applications statically linked
References
----------
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20051011.txt
+https://www.openssl.org/news/secadv_20051011.txt
OpenSSL 0.9.8c and OpenSSL 0.9.7k are available for download via
HTTP and FTP from the following master locations (you can find the
- various FTP mirrors under http://www.openssl.org/source/mirror.html):
+ various FTP mirrors under https://www.openssl.org/source/mirror.html):
- o http://www.openssl.org/source/
+ o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/
The distribution file names are:
source code to resolve the problem. The patch is compatible with
the 0.9.6, 0.9.7, 0.9.8, and 0.9.9 branches of OpenSSL.
- o http://www.openssl.org/news/patch-CVE-2006-4339.txt
+ o https://www.openssl.org/news/patch-CVE-2006-4339.txt
Whether you choose to upgrade to a new version or to apply the patch,
make sure to recompile any applications statically linked to OpenSSL
References
----------
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20060905.txt
+https://www.openssl.org/news/secadv_20060905.txt
OpenSSL 0.9.8d and OpenSSL 0.9.7l are available for download via
HTTP and FTP from the following master locations (you can find the
-various FTP mirrors under http://www.openssl.org/source/mirror.html):
+various FTP mirrors under https://www.openssl.org/source/mirror.html):
- o http://www.openssl.org/source/
+ o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/
The distribution file names are:
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20060928.txt
+https://www.openssl.org/news/secadv_20060928.txt
------------------------------------------
A significant flaw in the PRNG implementation for the OpenSSL FIPS Object
-Module v1.1.1 (http://openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS
+Module v1.1.1 (https://www.openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS
140-2 validation certificate #733,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has
been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding
For reference purposes the patches
- http://www.openssl.org/news/patch-CVE-2007-5502-1.txt
+ https://www.openssl.org/news/patch-CVE-2007-5502-1.txt
(the simplest direct fix) and:
- http://www.openssl.org/news/patch-CVE-2007-5502-2.txt
+ https://www.openssl.org/news/patch-CVE-2007-5502-2.txt
(a workaround which avoids touching the PRNG code directly) demonstrate two
different fixes that independently address the vulnerability. However, for
update request based on the latter of these two patches to the FIPS 140-2
test lab to be submitted for official approval. Once (and if) approved the
new distribution containing this patch will be posted as
-http://openssl.org/source/openssl-fips-1.1.2.tar.gz. The timeline for this
+https://www.openssl.org/source/openssl-fips-1.1.2.tar.gz. The timeline for this
approval is presently unknown.
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20090107.txt
+https://www.openssl.org/news/secadv_20090107.txt
diff -ur openssl-0.9.8i-ORIG/apps/speed.c openssl-0.9.8i/apps/speed.c
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20090325.txt
+https://www.openssl.org/news/secadv_20090325.txt
===========
CVE-2009-3555:
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
TLS extension:
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20091111.txt
+https://www.openssl.org/news/secadv_20091111.txt
This vulnerability is tracked as CVE-2010-0740.
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20100324.txt
+https://www.openssl.org/news/secadv_20100324.txt
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20100601.txt
+https://www.openssl.org/news/secadv_20100601.txt
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20101116-2.txt
+https://www.openssl.org/news/secadv_20101116-2.txt
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20101116.txt
+https://www.openssl.org/news/secadv_20101116.txt
===========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20101202.txt
+https://www.openssl.org/news/secadv_20101202.txt
URL for updated CVS-2010-3864 Security Advisory:
-http://www.openssl.org/news/secadv_20101116-2.txt
+https://www.openssl.org/news/secadv_20101116-2.txt
This vulnerability is tracked as CVE-2011-0014.
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20110208.txt
+https://www.openssl.org/news/secadv_20110208.txt
OCSP stapling is defined in RFC 6066 (previously RFC 3546), section
"Certificate Status Request".
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20110906.txt
+https://www.openssl.org/news/secadv_20110906.txt
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120104.txt
+https://www.openssl.org/news/secadv_20120104.txt
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120118.txt
+https://www.openssl.org/news/secadv_20120118.txt
RFC3218
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120312.txt
+https://www.openssl.org/news/secadv_20120312.txt
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120419.txt
+https://www.openssl.org/news/secadv_20120419.txt
It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.
-Please see http://www.openssl.org/news/secadv_20120419.txt for details
+Please see https://www.openssl.org/news/secadv_20120419.txt for details
of that vulnerability.
This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120424.txt
+https://www.openssl.org/news/secadv_20120424.txt
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20120510.txt
+https://www.openssl.org/news/secadv_20120510.txt
References
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20130204.txt
+https://www.openssl.org/news/secadv_20130204.txt
Wikipedia AES-NI description:
https://en.wikipedia.org/wiki/AES-NI
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20140605.txt
+https://www.openssl.org/news/secadv_20140605.txt
Note: the online version of the advisory may be updated with additional
details over time.
==========
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_20140806.txt
+https://www.openssl.org/news/secadv_20140806.txt
Note: the online version of the advisory may be updated with additional
details over time.
Google. The final fix was developed by Andy Polyakov of the OpenSSL
core team.
-[1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
+[1] https://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
Note
====
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
-
openssl-engine-0.9.6b.tar.gz ab5ca5b157459c49bdab06a7db8a5a47
OpenSSL source code can also be obtained from a number of mirror sites.
-For a list, see <URL: http://www.openssl.org/source/mirror.html>.
+For a list, see <URL: https://www.openssl.org/source/mirror.html>.
If you are using a pre-compiled OpenSSL package, please look for update
information from the respective software distributor. The OpenSSL
URL for this Security Advisory:
-http://www.openssl.org/news/secadv_prng.txt
+https://www.openssl.org/news/secadv_prng.txt
<hr noshade size=1>
<p>Exceptional support:</p>
- <a href="http://www.linux-foundation.org/"><img src="/img/lf-logo-med.png"></a>
+ <a href="http://www.linuxfoundation.org/"><img src="/img/lf-logo-med.png"></a>
<a href="http://www.linuxfoundation.org/programs/core-infrastructure-initiative"><img src="/img/cii-logo-med.png"></a>
<a href="http://www.smartisan.com/"><img src="/img/smartisan-logo-med.png"></a>