1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.OPENBSD.ANN

  • LibreSSL 2.6.1 released

    From Brent Cook@21:1/5 to All on Wed Sep 6 20:35:02 2017
    Copy: libressl@openbsd.org

    We have released LibreSSL 2.6.1, which will be arriving in the
    LibreSSL directory of your local OpenBSD mirror soon. This is the second development release from the 2.6 series, which will eventually be part of OpenBSD 6.2. It includes the following changes:

    * Added a "-T tlscompat" option to nc(1), which enables the use of all
    TLS protocols and "compat" ciphers. This allows for TLS connections
    to TLS servers that are using less than ideal cipher suites, without
    having to resort to "-T tlsall" which enables all known cipher
    suites. Diff from Kyle J. McKay.

    * Added a new TLS extension handling framework, somewhat analogous to
    BoringSSL, and converted all TLS extensions to use it. Added new TLS
    extension regression tests.

    * Improved and added many new manpages. Updated *check_private_key
    manpages with additional cautions regarding their use.

    * Cleaned up the EC key/curve configuration handling.

    * Added tls_config_set_ecdhecurves() to libtls, which allows the names
    of the eliptical curves that may be used during client and server
    key exchange to be specified.

    * Converted more code paths to use CBB/CBS.

    * Removed support for DSS/DSA, since we removed the cipher suites a
    while back.

    * Removed NPN support. NPN was never standardised and the last draft
    expired in October 2012. ALPN was standardised in July 2014 and has
    been supported in LibreSSL since December 2014. NPN has also been
    removed from Chromium in May 2016.

    * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
    CryptoPro clients.

    * Removed support for the TLS padding extension, which was added as a
    workaround for an old bug in F5's TLS termination handling.

    * Worked around another bug in F5's TLS termination handling of the
    elliptical curves extension. RFC 4492 only defines elliptic_curves
    for ClientHello. However, F5 is sending it in ServerHello. We need
    to skip over it since our TLS extension parsing code is now more
    strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

    * Added ability to clamp notafter valies in certificates for systems
    with 32-bit time_t. This is necessary to conform to RFC 5280
    4.1.2.5.

    * Implemented the SSL_CTX_set_min_proto_version(3) API.

    * Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

    * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

    The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)