BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 3.1.4 Released

We have released LibreSSL 3.1.4, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

It includes the following interoperability and bug fixes for the
TLSv1.3 client:

    * Improve client certificate selection to allow EC certificates
      instead of only RSA certificates.

    * Do not error out if a TLSv1.3 server requests an OCSP response as
      part of a certificate request.

    * Fix SSL_shutdown behavior to match the legacy stack.  The previous
      behaviour could cause a hang.

    * Fix a memory leak and add a missing error check in the handling of
      the key update message.

    * Fix a memory leak in tls13_record_layer_set_traffic_key.

    * Avoid calling freezero with a negative size if a server sends a
      malformed plaintext of all zeroes.

    * Ensure that only PSS may be used with RSA in TLSv1.3 in order
      to avoid using PKCS1-based signatures.

    * Add the P-521 curve to the list of curves supported by default
      in the client.


The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.