提交 502bed22 编写于 作者: M Matt Caswell

CHANGES and NEWS updates for release

Add details about the latest issues fixed in the forthcoming release.
Reviewed-by: NRich Salz <rsalz@openssl.org>
上级 e729aac1
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
OpenSSL CHANGES OpenSSL CHANGES
_______________ _______________
Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] Changes between 1.0.2f and 1.1.0 [xx XXX xxxx]
*) Removed many obsolete configuration items, including *) Removed many obsolete configuration items, including
DES_PTR, DES_RISC1, DES_RISC2, DES_INT DES_PTR, DES_RISC1, DES_RISC2, DES_INT
...@@ -720,6 +720,50 @@ ...@@ -720,6 +720,50 @@
whose return value is often ignored. whose return value is often ignored.
[Steve Henson] [Steve Henson]
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
*) DH small subgroups
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH
ciphersuites. This could have some performance impact.
Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
default and cannot be disabled. This could have some performance impact.
This issue was reported to OpenSSL by Antonio Sanso (Adobe).
(CVE-2016-0701)
[Matt Caswell]
*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
(CVE-2015-3197)
[Viktor Dukhovni]
Changes between 1.0.2d and 1.0.2e [3 Dec 2015] Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
*) BN_mod_exp may produce incorrect results on x86_64 *) BN_mod_exp may produce incorrect results on x86_64
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release] Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]
o Support for ChaCha20 and Poly1305 added to libcrypto and libssl o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
o Support for extended master secret o Support for extended master secret
...@@ -33,6 +33,11 @@ ...@@ -33,6 +33,11 @@
directory location rather than --openssldir. The latter becomes directory location rather than --openssldir. The latter becomes
the directory for certs, private key and openssl.cnf exclusively. the directory for certs, private key and openssl.cnf exclusively.
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册