
Update openssl-11 to 1.1.1h
Closed, Public

Authored by kyrios123 on Sep 23 2020, 6:11 PM.

Details

Summary
  • Certificates with explicit curve parameters are now disallowed in verification chains if the X509_V_FLAG_X509_STRICT flag is used.
  • The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS.
  • SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously, attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files and command-line options.
  • Handshake now fails if Extended Master Secret extension is dropped on renegotiation.

Signed-off-by: Pierre-Yves <pyu@riseup.net>
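The MinProtocol/MaxProtocol commands mentioned in the summary are SSL_CONF commands that can be applied system-wide from openssl.cnf. The fragment below is an added illustration written for this page, not part of this revision or of the OpenSSL project's own configuration; the section names (default_conf, ssl_sect, system_default_sect) are the conventional ones but are an assumption of this example, as are the chosen version bounds. With 1.1.1h, the TLS bounds set here apply only to version-flexible TLS contexts (those created with TLS_method() and friends); DTLS-based contexts and fixed-version contexts such as TLSv1_server_method() ignore them silently instead of raising an error.

```ini
# openssl.cnf fragment (added example, not from the revision under review)
# Top-level pointer that OpenSSL follows when it auto-loads the config.
openssl_conf = default_conf

[default_conf]
# Hand the SSL_CONF section to the libssl initialisation code.
ssl_conf = ssl_sect

[ssl_sect]
# Defaults applied to every version-flexible SSL_CTX in every application
# that does not override them.
system_default = system_default_sect

[system_default_sect]
# Lower bound for TLS contexts; TLSv1 and TLSv1.1 handshakes are refused.
MinProtocol = TLSv1.2
# Upper bound for TLS contexts (values: SSLv3, TLSv1, TLSv1.1, TLSv1.2,
# TLSv1.3, DTLSv1, DTLSv1.2, or None to clear the bound).
MaxProtocol = TLSv1.3
# Keep the library default cipher list at security level 2.
CipherString = DEFAULT@SECLEVEL=2
```

As a check after changing this file, a TLS 1.1 handshake against a local server that loads the system defaults should now fail, while a DTLS context in the same process is unaffected by these TLS bounds and would need its own DTLS bounds set separately.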

Test Plan

Can still submit this patch, make an ssh connection to my NAS, update packages with eopkg up, ...

Diff Detail

Repository
R5007 openssl-11
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kyrios123 created this revision. Sep 23 2020, 6:11 PM
kyrios123 requested review of this revision. Sep 23 2020, 6:11 PM
JoshStrobl accepted this revision. Sep 23 2020, 8:43 PM
JoshStrobl added a subscriber: JoshStrobl.

LGTM!

This revision is now accepted and ready to land. Sep 23 2020, 8:43 PM
This revision was automatically updated to reflect the committed changes.