Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
+ *) Various modifications and fixes to SSL/TLS cipher string
+ handling. For ECC, the code now distinguishes between fixed ECDH
+ with RSA certificates on the one hand and with ECDSA certificates
+ on the other hand, since these are separate ciphersuites. The
+ unused code for Fortezza ciphersuites has been removed.
+
+ For consistency with EDH, ephemeral ECDH is now called "EECDH"
+ (not "ECDHE"). For consistency with the code for DH
+ certificates, use of ECDH certificates is now considered ECDH
+ authentication, not RSA or ECDSA authentication (the latter is
+ merely the CA's signing algorithm and not actively used in the
+ protocol).
+
+ The temporary ciphersuite alias "ECCdraft" is no longer
+ available, and ECC ciphersuites are no longer excluded from "ALL"
+ and "DEFAULT". The following aliases now exist for RFC 4492
+ ciphersuites, most of these by analogy with the DH case:
+
+ kECDHr - ECDH cert, signed with RSA
+ kECDHe - ECDH cert, signed with ECDSA
+ kECDH - ECDH cert (signed with either RSA or ECDSA)
+ kEECDH - ephemeral ECDH
+ ECDH - ECDH cert or ephemeral ECDH
+
+ aECDH - ECDH cert
+ aECDSA - ECDSA cert
+ ECDSA - ECDSA cert
+
+ AECDH - anonymous ECDH
+ EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
+
+ [Bodo Moeller]
+
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
Use correct micalg parameters depending on digest(s) in signed message.
[Steve Henson]
implementations, between 32- and 64-bit builds without hassle.
[Andy Polyakov]
- *) Disable rogue ciphersuites:
-
- - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
-
- The latter two were purportedly from
- draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
- appear there.
-
- Other ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt
- remain enabled for now, but are just as unofficial, and the ID
- has long expired; these will probably disappear soon.
- [Bodo Moeller]
-
*) Move code previously exiled into file crypto/ec/ec2_smpt.c
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
macro.
Changes between 0.9.8b and 0.9.8c [xx XXX xxxx]
+ *) Disable rogue ciphersuites:
+
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+ The latter two were purportedly from
+ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+ appear there.
+
+ Also deactive the remaining ciphersuites from
+ draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
+ unofficial, and the ID has long expired.
+ [Bodo Moeller]
+
*) Fix RSA blinding Heisenbug (problems sometimes occured on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
Changes between 0.9.7j and 0.9.7k [xx XXX xxxx]
+ *) Disable rogue ciphersuites:
+
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+
+ The latter two were purportedly from
+ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+ appear there.
+
+ Also deactive the remaining ciphersuites from
+ draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
+ unofficial, and the ID has long expired.
+ [Bodo Moeller]
+
*) Fix RSA blinding Heisenbug (problems sometimes occured on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]