LibreSSL 2.4.2 and 2.3.7 released
1 August, 2016 by firstname.lastname@example.org | openbsd
We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is now the current stable version. LibreSSL 2.3.7 is based on the previous OpenBSD 5.9 release, and will be supported for one more release cycle. LibreSSL 2.2.x support has now ended. LibreSSL 2.4.2 and 2.3.7 contain the following changes: * Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960. Issues reported, and fixes provided by Kazuki Yamaguchi <email@example.com> and Kinichiro Inoguchi <firstname.lastname@example.org> LibreSSL 2.4.2 contains additional changes: * Fixed loading default certificate locations with openssl s_client. * Improved behavior of arc4random on Windows to not appear to leak memory in debug tools, reduced privileges of allocated memory. * Fixed incorrect results from BN_mod_word() when the modulus is too large, thanks to Brian Smith from BoringSSL. * Correctly handle an EOF prior to completing the TLS handshake in libtls. * Improved libtls ceritificate loading and cipher string validation. * Updated libtls cipher group suites into four categories: "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes. * Limited support for 'backward compatible' SSLv2 handshake packets to when TLS 1.0 is enabled, providing more restricted compatibility with TLS 1.0 clients. * openssl(1) and other documentation improvements. * Removed flags for disabling constant-time operations. This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.