March 15, 2012

[installer 3150] OpenSSL 1.0.1

OpenSSL 1.0.1 has been released.

There are many changes, but support for TLS v1.1 and 1.2 is probably the highlight.

☆ openssl-1.0.1
http://www.openssl.org/
ftp://ftp.openssl.org/source/openssl-1.0.1.tar.gz
http://www.openssl.org/source/openssl-1.0.1.tar.gz


Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:

o TLS/DTLS heartbeat support.
o SCTP support.
o RFC 5705 TLS key material exporter.
o RFC 5764 DTLS-SRTP negotiation.
o Next Protocol Negotiation.
o PSS signatures in certificates, requests and CRLs.
o Support for password based recipient info for CMS.
o Support TLS v1.2 and TLS v1.1.
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.

Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
STRING form instead of a DigestInfo.
[Steve Henson]

*) The format used for MDC2 RSA signatures is inconsistent between EVP
and the RSA_sign/RSA_verify functions. This was made more apparent when
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
the correct format in RSA_verify so both forms transparently work.
[Steve Henson]

*) Some servers which support TLS 1.0 can choke if we initially indicate
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
encrypted premaster secret. As a workaround use the maximum permitted
client version in client hello, this should keep such servers happy
and still work with previous versions of OpenSSL.
[Steve Henson]

*) Add support for TLS/DTLS heartbeats.
[Robin Seggelmann <seggelmann@xxxxx>]

*) Add support for SCTP.
[Robin Seggelmann <seggelmann@xxxxx>]

*) Improved PRNG seeding for VOS.
[Paul Green <Paul.Green@xxxxx>]

*) Extensive assembler packs updates, most notably:

- x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
- x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
- x86_64: bit-sliced AES implementation;
- ARM: NEON support, contemporary platforms optimizations;
- s390x: z196 support;
- *: GHASH and GF(2^m) multiplication implementations;

[Andy Polyakov]

*) Make TLS-SRP code conformant with RFC 5054 API cleanup
(removal of unnecessary code)
[Peter Sylvester <peter.sylvester@xxxxx>]

*) Add TLS key material exporter from RFC 5705.
[Eric Rescorla]

*) Add DTLS-SRTP negotiation from RFC 5764.
[Eric Rescorla]

*) Add Next Protocol Negotiation,
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
disabled with a no-npn flag to config or Configure. Code donated
by Google.
[Adam Langley <agl@xxxxx> and Ben Laurie]

*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
NIST-P256, NIST-P521, with constant-time single point multiplication on
typical inputs. Compiler support for the nonstandard type __uint128_t is
required to use this (present in gcc 4.4 and later, for 64-bit builds).
Code made available under Apache License version 2.0.

Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
line to include this in your build of OpenSSL, and run "make depend" (or
"make update"). This enables the following EC_METHODs:

EC_GFp_nistp224_method()
EC_GFp_nistp256_method()
EC_GFp_nistp521_method()

EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).

Posted by xml-rpc: March 15, 2012 11:08