OpenSSL CHANGES
_______________
- Changes between 1.0.2h and 1.1.0 [xx XXX xxxx]
+ Changes between 1.1.0 and 1.1.1 [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
+
+ *) Windows command-line tool supports UTF-8 opt-in option for arguments
+ and console input. Setting OPENSSL_WIN32_UTF8 environment variable
+ (to any value) allows Windows user to access PKCS#12 file generated
+ with Windows CryptoAPI and protected with non-ASCII password, as well
+ as files generated under UTF-8 locale on Linux also protected with
+ non-ASCII password.
+ [Andy Polyakov]
+
+ *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ have been disabled by default and removed from DEFAULT, just like RC4.
+ See the RC4 item below to re-enable both.
+ [Rich Salz]
*) The method for finding the storage location for the Windows RAND seed file
has changed. First we check %RANDFILE%. If that is not set then we check
[Emilia Käsper]
*) Add X25519 support.
- Integrate support for X25519 into EC library. This includes support
+ Add ASN.1 and EVP_PKEY methods for X25519. This includes support
for public and private key encoding using the format documented in
- draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
- OID from that draft, encodes public keys using little endian
- format in the ECPoint structure and private keys using
- little endian form in the privateKey field of the ECPrivateKey
- structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
- and uses X25519(29).
+ draft-ietf-curdle-pkix-02. The coresponding EVP_PKEY method supports
+ key generation and key derivation.
- Note: the current version supports key generation, public and
- private key encoding and ECDH key agreement using the EC API.
- Low level point operations such as EC_POINT_add(), EC_POINT_mul()
- are NOT supported.
+ TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
+ X25519(29).
[Steve Henson]
*) Deprecate SRP_VBASE_get_by_user.
combination: call this in fips_test_suite.
[Steve Henson]
- *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
- and POST to handle Dual EC cases.
- [Steve Henson]
-
*) Add support for canonical generation of DSA parameter 'g'. See
FIPS 186-3 A.2.3.
*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
- Thanks to Adam Langley and Wan-The Chang for discovering and researching
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]
projects / openssl.git / blobdiff