Marketgrid Consulting Blog » OpenSSL

OpenSSL version 1.0.0a

Phil Smith — Sat, 05 Jun 2010 15:24:16 +0000

The OpenSSL project team has released version 1.0.0a of the open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-1633 and CVE-2010-0742. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL 1.0.0a is considered to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 1.0.0a is available for

download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

OpenSSL version 0.9.8o

Phil Smith — Sat, 05 Jun 2010 15:22:57 +0000

The OpenSSL project team has released version 0.9.8o of the open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-0742. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL 1.0.0a is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

OpenSSL version 1.0.0 released

Phil Smith — Wed, 31 Mar 2010 20:24:56 +0000

OpenSSL – The Open Source toolkit for SSL/TLS

http://www.openssl.org/

The OpenSSL project team had announced the release of version 1.0.0 of the open source toolkit for SSL/TLS.

This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.8n. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES .

The most significant changes are:

o RFC3280 path validation: sufficient to process PKITS tests.

o Integrated support for PVK files and keyblobs.

o Change default private key format to PKCS#8.

o CMS support: able to process all examples in RFC4134

o Streaming ASN1 encode support for PKCS#7 and CMS.

o Multiple signer and signer add support for PKCS#7 and CMS.

o ASN1 printing support.

o Whirlpool hash algorithm added.

o RFC3161 time stamp support.

o New generalised public key API supporting ENGINE based algorithms.

o New generalised public key API utilities.

o New ENGINE supporting GOST algorithms.

o SSL/TLS GOST ciphersuite support.

o PKCS#7 and CMS GOST support.

o RFC4279 PSK ciphersuite support.

o Supported points format extension for ECC ciphersuites.

o ecdsa-with-SHA224/256/384/512 signature types.

o dsa-with-SHA224 and dsa-with-SHA256 signature types.

o Opaque PRF Input TLS extension support.

o Updated time routines to avoid OS limitations.

We consider OpenSSL 1.0.0 to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 1.0.0 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

* http://www.openssl.org/source/

* ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-1.0.0.tar.gz

Size: 4010166

MD5 checksum: 89eaa86e25b2845f920ec00ae4c864ed

SHA1 checksum: 3f800ea9fa3da1c0f576d689be7dca3d55a4cb62

The checksums were calculated using the following commands:

openssl md5 openssl-1.0.0.tar.gz

openssl sha1 openssl-1.0.0.tar.gz

OpenSSL version 0.9.8n

Phil Smith — Wed, 24 Mar 2010 23:19:07 +0000

OpenSSL – The Open Source toolkit for SSL/TLS http://www.openssl.org/

The OpenSSL project team has announced the release of version 0.9.8n of the open source toolkit for SSL/TLS.

This new OpenSSL version is a security and bugfix release which addresses CVE-2010-0740.

For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL Security Advisory

Phil Smith — Wed, 24 Mar 2010 23:13:13 +0000

“Record of death” vulnerability in OpenSSL 0.9.8f through 0.9.8m

================================================================

In TLS connections, certain incorrectly formatted records can cause an OpenSSL

client or server to crash due to a read attempt at NULL.

Affected versions depend on the C compiler used with OpenSSL:

- – If ‘short’ is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m.

- – Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.

Users of OpenSSL should update to the OpenSSL 0.9.8n release, which contains a

patch to correct this issue. If upgrading is not immediately possible, the

source code patch provided in this advisory should be applied.

Bodo Moeller and Adam Langley (Google) have identified the vulnerability

and prepared the fix.

Patch

- —–

- --- ssl/s3_pkt.c      24 Jan 2010 13:52:38 -0000    1.57.2.9

+++ ssl/s3_pkt.c  24 Mar 2010 00:00:00 -0000

@@ -291,9 +291,9 @@

if (version != s->version)

SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);

- -                     /* Send back error using their

- -                      * version number   */

- -                     s->version=version;

+                                if ((s->version & 0xFF00) == (version & 0xFF00))

+                                   /* Send back error using their minor version number   */

+                             s->version = (unsigned short)version;

al=SSL_AD_PROTOCOL_VERSION;

goto f_err;

References

- ———-

This vulnerability is tracked as CVE-2010-0740.

URL for this Security Advisory:

http://www.openssl.org/news/secadv_20100324.txt

OpenSSL 0.9.8m

Phil Smith — Fri, 26 Feb 2010 01:20:20 +0000

The OpenSSL project team has announced the release of version 0.9.8m of the open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555.

OpenSSL 0.9.8m-beta1

Phil Smith — Thu, 21 Jan 2010 13:26:46 +0000

OpenSSL – The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team has announced the release of version 0.9.8m-beta1 of the open source toolkit for SSL/TLS. This new OpenSSL version is a security and bug fix beta release which implements draft-ietf-tls-renegotiation-03.txt to address CVE-2009-3555. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

They have taken the unusual step of releasing a beta from the stable branch of OpenSSL for two reasons.

Firstly the renegotiation specification may change before they are finalised.

Secondly a large number of changes in OpenSSL 0.9.8 have been made since the last release and a beta release
should encourage testing and help resolve any issues before the final release.

It is expected that this will be the only beta release of OpenSSL 0.9.8m.

OpenSSL version 1.0.0 Beta 5

Phil Smith — Wed, 20 Jan 2010 19:16:02 +0000

OpenSSL – The Open Source toolkit for SSL/TLS

http://www.openssl.org/

OpenSSL is currently in a release cycle. The fifth beta is now released. This is expected be the final beta depending on the number of bugs reported.

The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/

o ftp://ftp.openssl.org/source/

This new OpenSSL version incorporates 122 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).