• LibreSSL 2.5.5, 2.6.0 released

    From Brent Cook@21:1/5 to All on Thu Jul 13 10:20:02 2017
    Copy: libressl@openbsd.org

    We have released LibreSSL 2.5.5 and 2.6.0, which are available in the
    LibreSSL directory of your local OpenBSD mirror. LibreSSL 2.5.5 is
    derived from the stable branch tracking OpenBSD 6.1. LibreSSL 2.6.0 is
    the first release from the development branch that will eventually
    ship with OpenBSD 6.2.

    LibreSSL 2.5.5 includes the following fixes:

    * Distinguish between self-issued certificates and self-signed
    certificates. The certificate verification code has special cases
    for self-signed certificates and without this change, self-issued
    certificates (which it seems are commonplace with
    openvpn/easyrsa) were also being included in this category.

    * Added getpagesize fallback, needed for Android bionic libc.

    LibreSSL 2.6.0 includes further improvements:

    * Added support for providing CRLs to libtls. Once a CRL is provided we
    enable CRL checking for the full certificate chain. Based on a diff
    from Jack Burton.

    * Allow non-compliant clients using IP literal addresses with SNI
    to connect to a server using libtls.

    * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
    Reported by Robert Swiecki, who found the issue using honggfuzz.

    * Added definitions for three OIDs used in EV certificates.
    From Kyle J. McKay.

    * Added tls_peer_cert_chain_pem to libtls, useful in private
    certificate validation callbacks such as those in relayd.

    * Converted explicit clear/free sequences to use freezero(3).

    * Reworked TLS certificate name verification code to more strictly
    follow RFC 6125.

    * Cleaned up and simplified server key exchange EC point handling.

    * Added tls_keypair_clear_key for clearing key material.

    * Removed inconsistent IPv6 handling from BIO_get_accept_socket,
    simplified BIO_get_host_ip and BIO_accept.

    * Fixed the openssl(1) ca command so that it generates certificates
    with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

    * Added ASN1_TIME_set_tm to set an asn1 from a struct tm *

    * Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

    * Added HKDF (HMAC Key Derivation Function) from BoringSSL

    * Provided a tls_unload_file() function that frees the memory returned
    from a tls_load_file() call, ensuring that the contents become
    inaccessible. This is specifically needed on platforms where the
    library allocators may be different from the application allocator.

    * Perform reference counting for tls_config. This allows
    tls_config_free() to be called as soon as it has been passed to the
    final tls_configure() call, simplifying lifetime tracking for the
    application.

    * Moved internal state of SSL and other structures to be opaque.

    * Dropped cipher suites with DSS authentication.

    * nc(1) improvements, including:
      nc -W to terminate nc after receiving a number of packets
      nc -Z for saving the peer certificate and chain in a pem file

    Windows binaries are no longer included with LibreSSL 2.6.0.
    The Windows build process has improved substantially, supporting
    multiple compilers, environments, and ABIs. Because of slight
    variations between these environments, and because it is so easy to
    build on Windows in general, we are releasing source code only for all
    platforms moving forward.

    The LibreSSL project continues improvement of the codebase to reflect
    modern, safe programming practices. We welcome feedback and improvements
    from the broader community. Thanks to all of the contributors who helped
    make this release possible.

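An added example, not LibreSSL's name-verification code, showing what the RFC 6125 rules behind the 2.6.0 "reworked TLS certificate name verification" item look like when applied to a certificate's subjectAltName entries. The SAN values are constructed; the rule that at least two labels must follow a wildcard is a safeguard many implementations add, assumed here rather than taken from LibreSSL.

```python
# Added example (not LibreSSL's code): client-side reference-identity
# matching written to RFC 6125 section 6.4.  SAN inputs are constructed.
import ipaddress
from typing import Iterable


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one DNS-ID from a certificate with the reference identity the
    client set out to reach.  Rules applied:
      - labels compare case-insensitively; a trailing dot is ignored
      - an IP literal never matches a DNS-ID (it must match an iPAddress entry)
      - a wildcard is honoured only as the entire left-most label
        ("*.example.com"), never as a partial label ("w*.example.com")
        and never in any other position
      - a wildcard matches exactly one label, so "*.example.com" covers
        neither "example.com" nor "a.b.example.com"
      - at least two labels must follow the wildcard, so "*.com" is rejected
        (assumed safeguard, not a MUST in RFC 6125)
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not presented or not reference or "*" in reference:
        return False
    if _is_ip_literal(presented) or _is_ip_literal(reference):
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if "*" not in presented:
        return p_labels == r_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def verify_reference_identity(dns_ids: Iterable[str], ip_ids: Iterable[str],
                              reference: str) -> bool:
    """True if the reference identity matches any subjectAltName entry.  An IP
    literal is compared only against iPAddress entries, never against DNS-IDs."""
    if _is_ip_literal(reference):
        ref = ipaddress.ip_address(reference)
        return any(ipaddress.ip_address(ip) == ref for ip in ip_ids)
    return any(dns_name_matches(dns, reference) for dns in dns_ids)


if __name__ == "__main__":
    # Constructed certificate: SAN = DNS:*.example.com, IP:192.0.2.10
    san_dns, san_ip = ["*.example.com"], ["192.0.2.10"]
    for ref in ["www.example.com", "a.b.example.com", "example.com", "192.0.2.10"]:
        print(f"{ref:20s} -> {verify_reference_identity(san_dns, san_ip, ref)}")
```

The security point of the stricter rules is the wildcard handling: partial-label and multi-label wildcard matches would let one certificate vouch for names its issuer never vetted, and matching an IP literal against a DNS-ID would let a name-only certificate stand in for an address.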
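An added example, not the openssl(1) ca code, of what "RFC 5280-conformant time" in the 2.6.0 notes refers to: RFC 5280 section 4.1.2.5 requires validity dates from 1950 through 2049 to be encoded as UTCTime (YYMMDDHHMMSSZ) and dates from 2050 on as GeneralizedTime (YYYYMMDDHHMMSSZ), always with seconds, always in UTC with a trailing Z, and never with fractional seconds. The functions below encode a datetime that way and report the usual deviations; they are written from the RFC, not from LibreSSL's ASN1_TIME code.

```python
# Added example (not LibreSSL's code): RFC 5280 section 4.1.2.5 time encoding
# and a conformance check for encoded values.
import re
from datetime import datetime, timezone
from typing import List, Tuple

UTCTIME_RE = re.compile(r"^\d{12}Z$")    # YYMMDDHHMMSSZ
GENTIME_RE = re.compile(r"^\d{14}Z$")    # YYYYMMDDHHMMSSZ


def encode_rfc5280_time(dt: datetime) -> Tuple[str, str]:
    """Return (asn1_type, encoded) for a datetime; naive datetimes are taken as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        return "UTCTime", dt.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", dt.strftime("%Y%m%d%H%M%SZ")


def encode_rfc5280_fields(year: int, month: int, day: int,
                          hour: int = 0, minute: int = 0, second: int = 0) -> Tuple[str, str]:
    """Convenience wrapper taking UTC calendar fields."""
    return encode_rfc5280_time(datetime(year, month, day, hour, minute, second,
                                        tzinfo=timezone.utc))


def check_rfc5280_time(asn1_type: str, value: str) -> List[str]:
    """Return the RFC 5280 conformance problems found in an encoded time;
    an empty list means the value is conformant."""
    if asn1_type == "UTCTime":
        if not UTCTIME_RE.match(value):
            return ["UTCTime must be exactly YYMMDDHHMMSSZ (seconds and Z are mandatory)"]
        yy = int(value[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 pivot: 50-99 -> 19xx
        full = f"{year:04d}{value[2:]}"
        problems: List[str] = []
    elif asn1_type == "GeneralizedTime":
        if not GENTIME_RE.match(value):
            return ["GeneralizedTime must be exactly YYYYMMDDHHMMSSZ (no fractional seconds)"]
        full = value
        year = int(value[:4])
        problems = (["dates from 1950 through 2049 must be encoded as UTCTime"]
                    if 1950 <= year <= 2049 else [])
    else:
        return [f"unexpected ASN.1 time type {asn1_type!r}"]
    try:
        datetime.strptime(full, "%Y%m%d%H%M%SZ")   # rejects e.g. 31 February
    except ValueError:
        problems.append("not a valid calendar date/time")
    return problems


if __name__ == "__main__":
    print(encode_rfc5280_fields(2017, 7, 13, 10, 20, 2))
    print(encode_rfc5280_fields(2050, 1, 1))
    print(check_rfc5280_time("GeneralizedTime", "20170713102002Z"))
```

A checker like this is useful on the receiving side too: a certificate whose notBefore or notAfter uses the wrong type, omits seconds, or carries fractional seconds is malformed under RFC 5280 even when the date it encodes is sensible, and strict verifiers may reject it.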