1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.OPENBSD.ANN

  • LibreSSL 2.4.2 and 2.3.7 released

    From Brent Cook@21:1/5 to All on Thu Aug 4 02:50:02 2016
    Copy: tech@openbsd.org

    We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

    LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is
    now the current stable version. LibreSSL 2.3.7 is based on the previous
    OpenBSD 5.9 release, and will be supported for one more release cycle.
    LibreSSL 2.2.x support has now ended.

    LibreSSL 2.4.2 and 2.3.7 contain the following changes:

    * Fixed several issues in the OCSP code that could result in the
    incorrect generation and parsing of OCSP requests. This remediates
    a lack of error checking on time parsing in these functions, and
    ensures that only GENERALIZEDTIME formats are accepted for OCSP,
    as per RFC 6960.

    Issues reported, and fixes provided by Kazuki Yamaguchi <k@rhe.jp>
    and Kinichiro Inoguchi <kinichiro.inoguchi@gmail.com>

    LibreSSL 2.4.2 contains additional changes:

    * Fixed loading default certificate locations with openssl s_client.

    * Improved behavior of arc4random on Windows to not appear to leak
    memory in debug tools, reduced privileges of allocated memory.

    * Fixed incorrect results from BN_mod_word() when the modulus is too
    large, thanks to Brian Smith from BoringSSL.

    * Correctly handle an EOF prior to completing the TLS handshake in
    libtls.

    * Improved libtls ceritificate loading and cipher string validation.

    * Updated libtls cipher group suites into four categories:
    "secure" (TLSv1.2+AEAD+PFS)
    "compat" (HIGH:!aNULL)
    "legacy" (HIGH:MEDIUM:!aNULL)
    "insecure" (ALL:!aNULL:!eNULL)
    This allows for flexibility and finer grained control, rather than
    having two extremes.

    * Limited support for 'backward compatible' SSLv2 handshake packets to
    when TLS 1.0 is enabled, providing more restricted compatibility
    with TLS 1.0 clients.

    * openssl(1) and other documentation improvements.

    * Removed flags for disabling constant-time operations.
    This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
    DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
    all of these operations unconditionally constant-time.

    The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)