提交 d5f686d8 编写于 作者: B Bodo Möller

- update from current 0.9.6-stable CHANGES file

- update from current 0.9.7-stable CHANGES file:

  Now here we have "CHANGES between 0.9.7e and 0.9.8", and I hope
  that all patches mentioned for 0.9.7d and 0.9.7e actually are
  in the CVS HEAD, i.e. what is to become 0.9.8.

  I have rewritten the 'openssl ca -create_serial' entry (0.9.8)
  so that it explains the earlier change that is now listed (0.9.7e).

  The ENGINE_set_default typo bug entry has been moved from 0.9.8
  to 0.9.7b, which is where it belongs.
上级 08e1cbc6
...@@ -2,20 +2,22 @@ ...@@ -2,20 +2,22 @@
OpenSSL CHANGES OpenSSL CHANGES
_______________ _______________
Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] Changes between 0.9.7e and 0.9.8 [xx XXX xxxx]
*) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
exponent rather than 'unsigned long'. There is a corresponding change to exponent rather than 'unsigned long'. There is a corresponding change to
the new 'rsa_keygen' element of the RSA_METHOD structure. the new 'rsa_keygen' element of the RSA_METHOD structure.
[Jelte Jansen, Geoff Thorpe] [Jelte Jansen, Geoff Thorpe]
*) Reduce the chances of duplicate issuer name and serial numbers (in *) Functionality for creating the initial serial number file is now
violation of RFC3280) using the OpenSSL certificate creation utilities. moved from CA.pl to the 'ca' utility with a new option -create_serial.
This is done by creating a random 64 bit value for the initial serial
number when a serial number file is created or when a self signed (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
certificate is created using 'openssl req -x509'. The initial serial number file to 1, which is bound to cause problems. To avoid
number file is now moved from CA.pl to the 'ca' utility with a new the problems while respecting compatibility between different 0.9.7
option -create_serial. patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
CA.pl for serial number initialization. With the new release 0.9.8,
we can fix the problem directly in the 'ca' utility.)
[Steve Henson] [Steve Henson]
*) Reduced header interdepencies by declaring more opaque objects in *) Reduced header interdepencies by declaring more opaque objects in
...@@ -255,12 +257,6 @@ ...@@ -255,12 +257,6 @@
*) Support for policyMappings certificate extension. *) Support for policyMappings certificate extension.
[Steve Henson] [Steve Henson]
*) Fixed a typo bug that would cause ENGINE_set_default() to set an
ENGINE as defaults for all supported algorithms irrespective of
the 'flags' parameter. 'flags' is now honoured, so applications
should make sure they are passing it correctly.
[Geoff Thorpe]
*) Make sure the default DSA_METHOD implementation only uses its *) Make sure the default DSA_METHOD implementation only uses its
dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
and change its own handlers to be NULL so as to remove unnecessary and change its own handlers to be NULL so as to remove unnecessary
...@@ -704,7 +700,34 @@ ...@@ -704,7 +700,34 @@
differing sizes. differing sizes.
[Richard Levitte] [Richard Levitte]
Changes between 0.9.7c and 0.9.7d [xx XXX XXXX] Changes between 0.9.7d and 0.9.7e [XX xxx XXXX]
*) Reduce the chances of duplicate issuer name and serial numbers (in
violation of RFC3280) using the OpenSSL certificate creation utilities.
This is done by creating a random 64 bit value for the initial serial
number when a serial number file is created or when a self signed
certificate is created using 'openssl req -x509'. The initial serial
number file is created using 'openssl x509 -next_serial' in CA.pl
rather than being initialized to 1.
[Steve Henson]
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
[Joe Orton, Steve Henson]
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CAN-2004-0112)
[Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
'unique_subject' is set to 'no' in the main CA section (default
if 'CA_default') of the configuration file. The value is saved
with the database itself in a separate index attribute file,
named like the index file with '.attr' appended to the name.
[Richard Levitte]
*) X509 verify fixes. Disable broken certificate workarounds when *) X509 verify fixes. Disable broken certificate workarounds when
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
...@@ -809,6 +832,12 @@ ...@@ -809,6 +832,12 @@
between threads, blinding will still be very fast). between threads, blinding will still be very fast).
[Bodo Moeller] [Bodo Moeller]
*) Fixed a typo bug that would cause ENGINE_set_default() to set an
ENGINE as defaults for all supported algorithms irrespective of
the 'flags' parameter. 'flags' is now honoured, so applications
should make sure they are passing it correctly.
[Geoff Thorpe]
*) Target "mingw" now allows native Windows code to be generated in *) Target "mingw" now allows native Windows code to be generated in
the Cygwin environment as well as with the MinGW compiler. the Cygwin environment as well as with the MinGW compiler.
[Ulf Moeller] [Ulf Moeller]
...@@ -2717,18 +2746,22 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k ...@@ -2717,18 +2746,22 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Clean old EAY MD5 hack from e_os.h. *) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte] [Richard Levitte]
Changes between 0.9.6j and 0.9.6k [30 Sep 2003] Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
*) Fix various bugs revealed by running the NISCC test suite: *) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
[Joe Orton, Steve Henson]
Stop out of bounds reads in the ASN1 code when presented with Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
invalid tags (CAN-2003-0543 and CAN-2003-0544).
*) Fix additional bug revealed by the NISCC test suite:
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
Stop bug triggering large recursion when presented with
certain ASN.1 tags (CAN-2003-0851)
[Steve Henson] [Steve Henson]
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite: *) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with Stop out of bounds reads in the ASN1 code when presented with
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册