BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 3.1.0 Released

We have released LibreSSL 3.1.0, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon.

The signify signing key has been rotated this time around, and the public key
for future releases should appear as follows, while the GPG key remains the
same (releases are verifiable with either or both):

untrusted comment: LibreSSL portable signify key, April 8 2020 public key
RWT44PcJDPu8ZDd5GfXWW2vuE+xq4M3haXXfYohnEnWoEYCKHNFut6W8

This is the first development release from the 3.1.x series, which will
eventually be part of OpenBSD 6.7. It includes the following changes:

  * Completed initial TLS 1.3 implementation with a completely new state
    machine and record layer. TLS 1.3 is now enabled by default for the
    client side, with the server side to be enabled in a future release.
    Note that the OpenSSL TLS 1.3 API is not yet visible/available.

  * Many more code cleanups, fixes, and improvements to memory handling
    and protocol parsing.

  * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

  * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
    1.1.1 and enabled by default.

  * Improved compatibility by backporting functionality and documentation
    from OpenSSL 1.1.1.

  * Added many new crypto test vectors.

  * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

  * Default CA bundle location is now configurable in portable builds.

  * Added cms subcommand to openssl(1).

  * Added -addext option to openssl(1) req subcommand.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.
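
Because the signify key was rotated, a pre-check like the following can confirm that a downloaded `.pub` file carries the key published above and that a signature file names that key before signify is run. This is an added example, not code from the LibreSSL project; the function names are hypothetical, and it assumes the standard signify blob layout (2-byte algorithm, 8-byte key number, then a 32-byte key or 64-byte signature).

```python
import base64
import hmac

# Public key text exactly as published in the announcement above.
PINNED_PUB = """untrusted comment: LibreSSL portable signify key, April 8 2020 public key
RWT44PcJDPu8ZDd5GfXWW2vuE+xq4M3haXXfYohnEnWoEYCKHNFut6W8
"""


def parse_signify(text, payload_len):
    """Parse a signify key or signature file: comment line, then base64 blob.

    Assumed blob layout: b"Ed", 8-byte key number, then the payload
    (32-byte Ed25519 public key, or 64-byte signature).
    """
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("missing 'untrusted comment:' header")
    blob = base64.b64decode(lines[1], validate=True)
    if len(blob) != 10 + payload_len:
        raise ValueError("unexpected blob length %d" % len(blob))
    if blob[:2] != b"Ed":
        raise ValueError("unsupported algorithm %r" % blob[:2])
    return {"keynum": blob[2:10], "payload": blob[10:]}


def is_pinned_key(pub_text):
    """True only if the file carries the pinned key bytes.

    The comment line is ignored: it is untrusted and may differ.
    """
    pinned = parse_signify(PINNED_PUB, 32)
    got = parse_signify(pub_text, 32)
    return (hmac.compare_digest(got["keynum"], pinned["keynum"])
            and hmac.compare_digest(got["payload"], pinned["payload"]))


def signed_by_pinned_key(sig_text):
    """True if the signature file names the pinned key number.

    Pre-check only: it catches a signature made with a different (for
    example, pre-rotation) key, but signify -V must still verify it.
    """
    sig = parse_signify(sig_text, 64)
    pinned = parse_signify(PINNED_PUB, 32)
    return hmac.compare_digest(sig["keynum"], pinned["keynum"])
```
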