Sidebar
products:openssl:history_3
Table of Contents
YuOpenSSL: Version History
YuOpenSSL-3 v1.2.2 – 6 May 2022
- Fix OpenSSL version reported by
OpenSSL_version…()functions and constants likeOPENSSL_FULL_VERSION_STR.
YuOpenSSL-3 v1.2.1 – 3 May 2022
- Update OpenSSL to 3.0.3.
- Fixed a bug in the function
OCSP_basic_verifythat verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flagOCSP_NOCHECKSis used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify. - Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check.
- Fix a bug in the
OPENSSL_LH_flushfunction that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time.
YuOpenSSL-3 v1.2.0 – 15 Mar 2022
- Update OpenSSL to 3.0.2:
- Fixed a bug in the
BN_mod_sqrtfunction that can cause it to loop forever for non-prime moduli (CVE-2022-0778). Vulnerable situations include:- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
- Also any other applications that use the
BN_mod_sqrtwhere the attacker can control the parameter values are vulnerable to this DoS issue.
- Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
- Fixed
PEM_write_bio_PKCS8PrivateKeyto make it possible to use empty passphrase strings. - The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the
SSL_set_retry_verifyfunction.
- Add OCSP API functions for Internet Component Suite (ICS).
YuOpenSSL-3 v1.1.0 – 4 Feb 2022
- Add HTTP APIs like
OSSL_HTTP_get. They allow to obtain data from HTTP or secure HTTPS using just YuOpenSSL-3 and no additional 3-rd party Internet components. SeeYuOpenSSL_HTTP_get.dprdemo for usage. - Add APIs required for YuXMLSec.
YuOpenSSL-3 v1.0.1 – 14 Dec 2021
- Update to OpenSSL 3.0.1:
- Fixed invalid handling of
X509_verify_certinternal errors (CVE-2021-4044). - Fixed
EVP_PKEY_eqto make it possible to use it with strictly private keys. - Fixed PVK encoder to properly query for the passphrase.
- Multiple fixes in the OSSL_HTTP API functions.
- Allow sign extension in
OSSL_PARAM_allocate_from_textfor theOSSL_PARAM_INTEGER_data type and return error on negative numbers used with theOSSL_PARAM_UNSIGNED_INTEGER_data type. MakeOSSL_PARAM_BLD_push_BNandOSSL_PARAM_BLD_push_BN_padreturn an error on negative numbers. - Allow copying uninitialized digest contexts with
EVP_MD_CTX_copy_ex. - Multiple threading fixes.
- Added NULL digest implementation to keep compatibility with 1.1.1 version.
- Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
- Update Indy IOHandler with latest new features and bug fixes.
YuOpenSSL-3 v1.0.0 – 17 Nov 2021
- Initial release, based on OpenSSL 3.0.0.
products/openssl/history_3.txt · Last modified: 2022/05/06 16:04 (external edit)