Skip to content
  1. May 05, 2016
  3. May 03, 2016
  5. May 02, 2016
  7. Apr 15, 2016
  9. Apr 14, 2016
  11. Apr 13, 2016
  13. Apr 09, 2016
  15. Apr 06, 2016
  17. Apr 02, 2016
  19. Mar 29, 2016
  21. Mar 21, 2016
  23. Mar 20, 2016
  25. Mar 17, 2016
  27. Mar 16, 2016
  29. Mar 11, 2016
  31. Mar 09, 2016
  33. Mar 08, 2016
  35. Mar 07, 2016
    • Emilia Kasper's avatar
      Rework the default cipherlist. · a556f342
      Emilia Kasper authored 
      

 - Always prefer forward-secure handshakes.
 - Consistently order ECDSA above RSA.
 - Next, always prefer AEADs to non-AEADs, irrespective of strength.
 - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
 - Prefer TLS v1.2 ciphers to legacy ciphers.
 - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
   list to reduce ClientHello bloat.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      a556f342
  37. Mar 04, 2016
  39. Mar 03, 2016
    • Emilia Kasper's avatar
      Refactor ClientHello extension parsing · 06217867
      Emilia Kasper authored 
      

1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.

Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      06217867
  41. Mar 01, 2016
  43. Feb 28, 2016
  45. Feb 27, 2016
  47. Feb 26, 2016
  49. Feb 25, 2016
    • Emilia Kasper's avatar
      CVE-2016-0798: avoid memory leak in SRP · 380f18ed
      Emilia Kasper authored 
      

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      380f18ed
  51. Feb 22, 2016
  53. Feb 20, 2016