BSDSec

deadsimple BSD Security Advisories and Announcements

LibreSSL 3.2.0 Released

We have released LibreSSL 3.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8.  It includes the following changes:

    * Enable TLS 1.3 server side in addition to client by default.
      With this change TLS 1.3 is handled entirely on the new stack
      and state machine, with fallback to the legacy stack and
      state machine for older versions. Note that the OpenSSL TLS 1.3
      API is not yet visible/available.

    * Improve length checks in the TLS 1.3 record layer and provide
      appropriate alerts for violations of record layer limits.

    * Enforce that SNI hostnames received by the TLS server are correctly
      formed as per RFC 5890 and RFC 6066, responding with illegal parameter
      for a nonconformant host name.

    * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
      retry of handshake messages.

    * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default,
      matching newer OpenSSL releases.

    * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
      various commands.

    * Add tlsfuzzer based regression tests.

    * Support sending certificate status requests from the TLS 1.3
      client to request OCSP staples for leaf certificates.

    * Support sending certificate status replies from the TLS 1.3 server
      in order to send OCSP staples for leaf certificates.

    * Send correct alerts when handling failed key share extensions
      on the TLS 1.3 server.

    * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
      switching from the new to legacy stacks.

    * Support TLS 1.3 options in the openssl(1) command.

    * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
      conditions.

    * Modify "openssl x509" to display invalid certificate times as
      invalid, and correctly deal with the failing return case from
      X509_cmp_time so that a certificate with an invalid NotAfter does
      not appear valid.

    * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
      compatibility.

    * Ensure only PSS signatures are used with RSA in TLS 1.3.

    * Ensure that TLS 1.3 clients advertise exactly the "null" compression
      method in their legacy_compression_methods.

    * Correct use of sockaddr_storage instead of sockaddr in openssl(1)
      s_client, which could lead to using 14 bytes of stack garbage instead
      of an IPv6 address in DTLS mode.

    * Use non-expired certificates first when building a certificate chain.
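The SNI hostname enforcement described above, as an added example that is not LibreSSL's own code: a validity check of the kind a TLS server applies to a received host_name before accepting it (the function name sni_hostname_ok is an assumption), so that a nonconformant name is rejected with illegal_parameter instead of being passed on to certificate selection.

```c
/* Added example, not LibreSSL's own code: a validity check for the SNI
 * host_name a TLS server receives. RFC 6066 says it is a DNS hostname,
 * non-empty, with no trailing dot, and never an IPv4/IPv6 literal;
 * RFC 5890 LDH rules give labels of 1..63 letters, digits and hyphens,
 * no leading or trailing hyphen, and a total length of at most 253. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Returns true when name/len is an acceptable SNI host_name.  A server
 * that gets false here should abort the handshake with illegal_parameter
 * rather than silently accept the extension. */
bool sni_hostname_ok(const char *name, size_t len)
{
    size_t i, label_len = 0;
    bool label_digits = true;   /* current label made only of digits? */

    if (name == NULL || len == 0 || len > 253)
        return false;
    if (memchr(name, ':', len) != NULL)
        return false;           /* IPv6 literal, not a hostname */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            /* empty label ("foo..bar", ".foo") or label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            label_digits = true;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return false;       /* NUL, space, '_', non-ASCII, ... */
        if (label_len == 0 && c == '-')
            return false;       /* label starting with '-' */
        if (++label_len > 63)
            return false;
        if (!isdigit(c))
            label_digits = false;
    }
    /* trailing dot, or last label ending in '-' */
    if (label_len == 0 || name[len - 1] == '-')
        return false;
    /* an all-numeric last label is an IPv4 literal ("192.0.2.1") or a
     * numeric TLD, neither of which is a valid SNI host_name */
    return !label_digits;
}
```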

The LibreSSL project continues to improve the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.