OpenSSL, SSL is een afkorting voor Secure Socket Layer, is een bekend security programma die encryptie functies aanbied die onder andere op webservers gebruikt kunnen worden. Het ontwikkelteam heeft een aantal bugfixes aangebracht en wat functionaliteiten aangepast. Het changelog bevat de volgende punten:
Changes between 0.9.7e and 0.9.7f:
- Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating server and client random values. Previously (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in less random data when sizeof(time_t) > 4 (some 64 bit platforms).
This change has negligible security impact because:y
The OpenSSL team would like to thank the UK NISCC for bringing this issue to our attention.
- Server and client random values still have 24 bytes of pseudo random data.
- Server and client random values are sent in the clear in the initial handshake.
- The master secret is derived using the premaster secret (48 bytes in size for static RSA ciphersuites) as well as client server and random values.
[Stephen Henson, reported by UK NISCC]
- Use Windows randomness collection on Cygwin.
- Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD.
via Lutz Jänicke, resolves #1014]
- Prompt for pass phrases when appropriate for PKCS12 input format.
- Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms.
- Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs.
[Nauticus Networks SSL Team
, Steve Henson]
- Add new -passin argument to dgst.
- Perform some character comparisons of different types in X509_NAME_cmp: this is needed for some certificates that reencode DNs into UTF8Strings (in violation of RFC3280) and can't or wont issue name rollover certificates.
- Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct. As a side effect always do the following basic checks on extensions, not just when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been given)