Skip to content
  1. Feb 03, 2016
    • Emilia Kasper's avatar
      RT3234: disable compression · dc5744cb
      Emilia Kasper authored
      
      
      CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression by
      calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
      the SSL_CONF library to configure compression. SSL_CONF continues to
      work as before:
      
      SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.
      
      SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
      no-op by default).
      
      The command-line switch has changed from -no_comp to -comp.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      dc5744cb
  2. Feb 01, 2016
  3. Jan 30, 2016
  4. Jan 29, 2016
  5. Jan 28, 2016
    • Matt Caswell's avatar
      CHANGES and NEWS updates for release · 502bed22
      Matt Caswell authored
      
      
      Add details about the latest issues fixed in the forthcoming release.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      502bed22
    • Rich Salz's avatar
      Remove outdated legacy crypto options · 3e9e810f
      Rich Salz authored
      
      
      Many options for supporting optimizations for legacy crypto on legacy
      platforms have been removed.  This simplifies the source code and
      does not really penalize anyone.
              DES_PTR (always on)
              DES_RISC1, DES_RISC2 (always off)
              DES_INT (always 'unsigned int')
              DES_UNROLL (always on)
              BF_PTR (always on) BF_PTR2 (removed)
              MD2_CHAR, MD2_LONG (always 'unsigned char')
              IDEA_SHORT, IDEA_LONG (always 'unsigned int')
              RC2_SHORT, RC2_LONG (always 'unsigned int')
              RC4_LONG (only int and char (for assembler) are supported)
              RC4_CHUNK (always long), RC_CHUNK_LL (removed)
              RC4_INDEX (always on)
      And also make D_ENCRYPT macro more clear (@appro)
      
      This is done in consultation with Andy.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      3e9e810f
  6. Jan 25, 2016
  7. Jan 21, 2016
    • Richard Levitte's avatar
      Refresh the thinking of --prefix and --openssldir · d74dfafd
      Richard Levitte authored
      
      
      --prefix is now exclusively used for software and manual installation.
      --openssldir is not exclusively used as a default location for certs,
      keys and the default openssl.cnf.
      
      This change is made to bring clarity, to have the two less
      intertwined, and to be more compatible with the usual ways of software
      installation.
      
      Please change your habits and scripts to use --prefix rather than
      --openssldir for installation location now.
      
      Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
      d74dfafd
  8. Jan 19, 2016
  9. Jan 15, 2016
  10. Jan 14, 2016
  11. Jan 12, 2016
  12. Jan 11, 2016
  13. Jan 08, 2016
  14. Jan 07, 2016
    • Rich Salz's avatar
      mem functions cleanup · bbd86bf5
      Rich Salz authored
      
      
      Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
      If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
              (Thanks to Jakob Bohm for the suggestion!)
      Make the "change wrapper functions" be the only paradigm.
      Wrote documentation!
      Format the 'set func' functions so their paramlists are legible.
      Format some multi-line comments.
      Remove ability to get/set the "memory debug" functions at runtme.
      Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
      Add CRYPTO_mem_debug(int flag) function.
      Add test/memleaktest.
      Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      bbd86bf5
  15. Jan 02, 2016
    • Viktor Dukhovni's avatar
      Protocol version selection and negotiation rewrite · 4fa52141
      Viktor Dukhovni authored
      
      
      The protocol selection code is now consolidated in a few consecutive
      short functions in a single file and is table driven.  Protocol-specific
      constraints that influence negotiation are moved into the flags
      field of the method structure.  The same protocol version constraints
      are now applied in all code paths.  It is now much easier to add
      new protocol versions without reworking the protocol selection
      logic.
      
      In the presence of "holes" in the list of enabled client protocols
      we no longer select client protocols below the hole based on a
      subset of the constraints and then fail shortly after when it is
      found that these don't meet the remaining constraints (suiteb, FIPS,
      security level, ...).  Ideally, with the new min/max controls users
      will be less likely to create "holes" in the first place.
      
      Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      4fa52141
    • Kurt Roeckx's avatar
  16. Dec 15, 2015
  17. Dec 13, 2015
  18. Dec 11, 2015
  19. Dec 10, 2015
  20. Dec 09, 2015
  21. Dec 07, 2015
  22. Dec 05, 2015
  23. Dec 04, 2015
  24. Dec 01, 2015
  25. Nov 20, 2015
  26. Nov 17, 2015
  27. Oct 30, 2015