The Apache Haus Forum

Forum Topics => Announcements => Topic started by: Gregg on September 24, 2020, 09:12:17 PM

Title: Apache 2.4.46 with updated OpenSSL 1.1.1h or LibreSSL 3.1.4 available
Post by: Gregg on September 24, 2020, 09:12:17 PM
Without much fanfare, both the OpenSSL and LibreSSL releases have been updated.

I've had the LibreSSL releases a few weeks and lagged on getting them out with all the fires around this area.
Now is as good a time as any to put them up.

Changes:

Changes between OpenSSL 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
 
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files in command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]

  *) The Oracle Developer Studio compiler will start reporting deprecated APIs

Changes between LibreSSL 3.1.3 and 3.1.4  [17 Aug 2020]

    * Improve client certificate selection to allow EC certificates
      instead of only RSA certificates.

    * Do not error out if a TLSv1.3 server requests an OCSP response as
      part of a certificate request.

    * Fix SSL_shutdown behavior to match the legacy stack.  The previous
      behaviour could cause a hang.

    * Fix a memory leak and add a missing error check in the handling of
      the key update message.

    * Fix a memory leak in tls13_record_layer_set_traffic_key.

    * Avoid calling freezero with a negative size if a server sends a
      malformed plaintext of all zeroes.

    * Ensure that only PSS may be used with RSA in TLSv1.3 in order
      to avoid using PKCS1-based signatures.

    * Add the P-521 curve to the list of curves supported by default
      in the client.
As always, you can get your copy of the updated Apache HTTP Server from our download page (http://www.apachehaus.com/cgi-bin/download.plx).