Skip to content
  1. Mar 11, 2016
  2. Mar 09, 2016
  3. Mar 08, 2016
  4. Mar 07, 2016
    • Emilia Kasper's avatar
      Rework the default cipherlist. · a556f342
      Emilia Kasper authored
      
      
       - Always prefer forward-secure handshakes.
       - Consistently order ECDSA above RSA.
       - Next, always prefer AEADs to non-AEADs, irrespective of strength.
       - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
       - Prefer TLS v1.2 ciphers to legacy ciphers.
       - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
         list to reduce ClientHello bloat.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      a556f342
  5. Mar 04, 2016
  6. Mar 03, 2016
    • Emilia Kasper's avatar
      Refactor ClientHello extension parsing · 06217867
      Emilia Kasper authored
      
      
      1) Simplify code with better PACKET methods.
      
      2) Make broken SNI parsing explicit. SNI was intended to be extensible
      to new name types but RFC 4366 defined the syntax inextensibly, and
      OpenSSL has never parsed SNI in a way that would allow adding a new name
      type. RFC 6066 fixed the definition but due to broken implementations
      being widespread, it appears impossible to ever extend SNI.
      
      3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
      extensions correctly upon resumption. Annotate for further clean-up.
      
      4) Send an alert on ALPN protocol mismatch.
      
      Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      06217867
  7. Mar 01, 2016
  8. Feb 28, 2016
  9. Feb 27, 2016
  10. Feb 26, 2016
  11. Feb 25, 2016
    • Emilia Kasper's avatar
      CVE-2016-0798: avoid memory leak in SRP · 380f18ed
      Emilia Kasper authored
      
      
      The SRP user database lookup method SRP_VBASE_get_by_user had confusing
      memory management semantics; the returned pointer was sometimes newly
      allocated, and sometimes owned by the callee. The calling code has no
      way of distinguishing these two cases.
      
      Specifically, SRP servers that configure a secret seed to hide valid
      login information are vulnerable to a memory leak: an attacker
      connecting with an invalid username can cause a memory leak of around
      300 bytes per connection.
      
      Servers that do not configure SRP, or configure SRP but do not configure
      a seed are not vulnerable.
      
      In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
      
      To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
      is now disabled even if the user has configured a seed.
      
      Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
      note that OpenSSL makes no strong guarantees about the
      indistinguishability of valid and invalid logins. In particular,
      computations are currently not carried out in constant time.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      380f18ed
  12. Feb 22, 2016
  13. Feb 20, 2016
  14. Feb 17, 2016
  15. Feb 12, 2016
    • Richard Levitte's avatar
      Rename INSTALL_PREFIX to DESTDIR, remove option --install_prefix · 3c65577f
      Richard Levitte authored
      
      
      INSTALL_PREFIX is a confusing name, as there's also --prefix.
      Instead, tag along with the rest of the open source world and adopt
      the Makefile variable DESTDIR to designate the desired staging
      directory.
      
      The Configure option --install_prefix is removed, the only way to
      designate a staging directory is with the Makefile variable (this is
      also implemented for VMS' descrip.mms et al).
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      3c65577f
  16. Feb 11, 2016
  17. Feb 10, 2016
  18. Feb 09, 2016
  19. Feb 05, 2016
  20. Feb 03, 2016
    • Richard Levitte's avatar
      0f45c26f
    • Emilia Kasper's avatar
      RT4148 · ba2de73b
      Emilia Kasper authored
      
      
      Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
      stripped by BN_bn2bin but external callers may have other expectations.
      
      Reviewed-by: default avatarKurt <Roeckx&lt;kurt@openssl.org>
      ba2de73b
    • Emilia Kasper's avatar
      RT3234: disable compression · dc5744cb
      Emilia Kasper authored
      
      
      CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression by
      calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
      the SSL_CONF library to configure compression. SSL_CONF continues to
      work as before:
      
      SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.
      
      SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
      no-op by default).
      
      The command-line switch has changed from -no_comp to -comp.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      dc5744cb
  21. Feb 01, 2016
  22. Jan 30, 2016
  23. Jan 29, 2016
  24. Jan 28, 2016
    • Matt Caswell's avatar
      CHANGES and NEWS updates for release · 502bed22
      Matt Caswell authored
      
      
      Add details about the latest issues fixed in the forthcoming release.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      502bed22
    • Rich Salz's avatar
      Remove outdated legacy crypto options · 3e9e810f
      Rich Salz authored
      
      
      Many options for supporting optimizations for legacy crypto on legacy
      platforms have been removed.  This simplifies the source code and
      does not really penalize anyone.
              DES_PTR (always on)
              DES_RISC1, DES_RISC2 (always off)
              DES_INT (always 'unsigned int')
              DES_UNROLL (always on)
              BF_PTR (always on) BF_PTR2 (removed)
              MD2_CHAR, MD2_LONG (always 'unsigned char')
              IDEA_SHORT, IDEA_LONG (always 'unsigned int')
              RC2_SHORT, RC2_LONG (always 'unsigned int')
              RC4_LONG (only int and char (for assembler) are supported)
              RC4_CHUNK (always long), RC_CHUNK_LL (removed)
              RC4_INDEX (always on)
      And also make D_ENCRYPT macro more clear (@appro)
      
      This is done in consultation with Andy.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      3e9e810f
  25. Jan 25, 2016
  26. Jan 21, 2016
    • Richard Levitte's avatar
      Refresh the thinking of --prefix and --openssldir · d74dfafd
      Richard Levitte authored
      
      
      --prefix is now exclusively used for software and manual installation.
      --openssldir is not exclusively used as a default location for certs,
      keys and the default openssl.cnf.
      
      This change is made to bring clarity, to have the two less
      intertwined, and to be more compatible with the usual ways of software
      installation.
      
      Please change your habits and scripts to use --prefix rather than
      --openssldir for installation location now.
      
      Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
      d74dfafd
  27. Jan 19, 2016