Commit 502bed22 authored by Matt Caswell's avatar Matt Caswell
Browse files

CHANGES and NEWS updates for release 



Add details about the latest issues fixed in the forthcoming release.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent e729aac1

CHANGES

+45 −1
Original line number Diff line number Diff line
@@ -2,7 +2,7 @@ 
 OpenSSL CHANGES

 _______________



 Changes between 1.0.2e and 1.1.0  [xx XXX xxxx]

 Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]



  *) Removed many obsolete configuration items, including

        DES_PTR, DES_RISC1, DES_RISC2, DES_INT
@@ -720,6 +720,50 @@ 
     whose return value is often ignored. 

     [Steve Henson]



 Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

  *) DH small subgroups



     Historically OpenSSL only ever generated DH parameters based on "safe"

     primes. More recently (in version 1.0.2) support was provided for

     generating X9.42 style parameter files such as those required for RFC 5114

     support. The primes used in such files may not be "safe". Where an

     application is using DH configured with parameters based on primes that are

     not "safe" then an attacker could use this fact to find a peer's private

     DH exponent. This attack requires that the attacker complete multiple

     handshakes in which the peer uses the same private DH exponent. For example

     this could be used to discover a TLS server's private DH exponent if it's

     reusing the private DH exponent or it's using a static DH ciphersuite.



     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in

     TLS. It is not on by default. If the option is not set then the server

     reuses the same private DH exponent for the life of the server process and

     would be vulnerable to this attack. It is believed that many popular

     applications do set this option and would therefore not be at risk.



     The fix for this issue adds an additional check where a "q" parameter is

     available (as is the case in X9.42 based parameters). This detects the

     only known attack, and is the only possible defense for static DH

     ciphersuites. This could have some performance impact.



     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by

     default and cannot be disabled. This could have some performance impact.



     This issue was reported to OpenSSL by Antonio Sanso (Adobe).

     (CVE-2016-0701)

     [Matt Caswell]



  *) SSLv2 doesn't block disabled ciphers



     A malicious client can negotiate SSLv2 ciphers that have been disabled on

     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have

     been disabled, provided that the SSLv2 protocol was not also disabled via

     SSL_OP_NO_SSLv2.



     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram

     and Sebastian Schinzel.

     (CVE-2015-3197)

     [Viktor Dukhovni]



 Changes between 1.0.2d and 1.0.2e [3 Dec 2015]



  *) BN_mod_exp may produce incorrect results on x86_64

NEWS

+6 −1
Original line number Diff line number Diff line
@@ -5,7 +5,7 @@ 
  This file gives a brief overview of the major changes between each OpenSSL

  release. For more details please read the CHANGES file.



  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]

  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]



      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl

      o Support for extended master secret
@@ -33,6 +33,11 @@ 
        directory location rather than --openssldir.  The latter becomes

        the directory for certs, private key and openssl.cnf exclusively.



  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]



      o DH small subgroups (CVE-2016-0701)

      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)



  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]



      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)