Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Enhance SSL/TLS certificate chain handling to support different
+ chains for each certificate instead of one chain in the parent SSL_CTX.
+ [Steve Henson]
+
+ *) Support for fixed DH ciphersuite client authentication: where both
+ server and client use DH certificates with common parameters.
+ [Steve Henson]
+
*) Support for fixed DH ciphersuites: those requiring DH server
certificates.
[Steve Henson]
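Review bot: the added entry beginning "Enhance SSL/TLS certificate chain handling" states the behaviour change but not how an application uses it. Name the functions or manual page that set a chain for an individual certificate, and say whether a chain already stored in the parent SSL_CTX is still honoured, so callers relying on the single shared chain know whether they need to change anything. The fixed DH client authentication entry would also benefit from saying what happens when the client and server parameters are not common.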
Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
+ *) Some servers which support TLS 1.0 can choke if we initially indicate
+ support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
+ encrypted premaster secret. As a workaround use the maximum pemitted
+ client version in client hello, this should keep such servers happy
+ and still work with previous versions of OpenSSL.
+ [Steve Henson]
+
*) Add support for TLS/DTLS heartbeats.
[Robin Seggelmann <seggelmann@fh-muenster.de>]
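Review bot: typo in the added workaround text, "pemitted" should be "permitted". The sentence "As a workaround use the maximum pemitted client version in client hello, this should keep such servers happy" is also a comma splice; end the sentence after "client hello". The entry leaves undefined what determines the maximum permitted version, and one clause on that would make the workaround's effect clear to anyone debugging a version negotiation failure.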
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
+
+ *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+ Thanks to Antonio Martin, Enterprise Secure Access Research and
+ Development, Cisco Systems, Inc. for discovering this bug and
+ preparing a fix. (CVE-2012-0050)
+ [Antonio Martin]
+
Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
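Review bot: with a 1.0.0g section added here, the header a few lines up still reads "Changes between 1.0.0f and 1.0.1", so the 1.0.1 section now claims to start from a release that is no longer the latest in the 1.0.0 series. Decide whether that header should track 1.0.0g and update it in the same change. The entry itself only says "DTLS DoS issue"; a short clause on what triggers it would let readers judge their exposure without looking up CVE-2012-0050.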
(CVE-2011-4576)
[Adam Langley (Google)]
- *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
+ *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+ Kadianakis <desnacked@gmail.com> for discovering this issue and
+ Adam Langley for preparing the fix. (CVE-2011-4619)
[Adam Langley (Google)]
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
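Review bot: the reworded SGC entry now credits the reporter and the fix author but still gives no impact; "Only allow one SGC handshake restart for SSL/TLS" does not tell a reader why more than one restart was a problem. Add a short clause on the consequence next to (CVE-2011-4619). The fix author is also named twice, once in the sentence and once in the bracketed attribution, and one mention is enough. The same wording is applied to the 0.9.8s section further down, so any change should be made in both places.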
*) Change 'Configure' script to enable Camellia by default.
[NTT]
+
+ Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
+
+ *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+ Thanks to Antonio Martin, Enterprise Secure Access Research and
+ Development, Cisco Systems, Inc. for discovering this bug and
+ preparing a fix. (CVE-2012-0050)
+ [Antonio Martin]
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
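Review bot: this entry is a verbatim copy of the 1.0.0g one, including the cross-reference "introduced by fix for CVE-2011-4109", which is the only pointer to the change that regressed. Please confirm that id against the 0.9.8s and 1.0.0f entries for the original DTLS fix before this lands, because a wrong id would now be recorded in two sections and would send readers to the wrong advisory.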
(CVE-2011-4576)
[Adam Langley (Google)]
- *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
+ *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+ Kadianakis <desnacked@gmail.com> for discovering this issue and
+ Adam Langley for preparing the fix. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.