Opened 5 years ago

Closed 5 years ago

#4346 closed task (fixed)


Reported by: Bruce Dubbs Owned by: lfs-book
Priority: normal Milestone: 8.4
Component: Book Version: SVN
Severity: normal Keywords:


New point version.

Change History (2)

comment:1 by Bruce Dubbs, 5 years ago

Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

  • Support for TLSv1.3 added (see for further important information). The TLSv1.3 implementation includes:
    • Fully compliant implementation of RFC8446 (TLSv1.3) on by default
    • Early data (0-RTT)
    • Post-handshake authentication and key update
    • Middlebox Compatibility Mode
    • TLSv1.3 PSKs
    • Support for all five RFC8446 ciphersuites
    • RSA-PSS signature algorithms (backported to TLSv1.2)
    • Configurable session ticket support
    • Stateless server support
    • Rewrite of the packet construction code for "safer" packet handling
    • Rewrite of the extension handling code
  • Complete rewrite of the OpenSSL random number generator to introduce the following capabilities
    • The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
    • Support for multiple DRBG instances with seed chaining.
    • There is a public and private DRBG instance.
    • The DRBG instances are fork-safe.
    • Keep all global DRBG instances on the secure heap if it is enabled.
    • The public and private DRBG instance are per thread for lock free *peration
  • Support for various new cryptographic algorithms including:
    • SHA3
    • SHA512/224 and SHA512/256
    • EdDSA (both Ed25519 and Ed448) including X509 and TLS support
    • X448 (adding to the existing X25519 support in 1.1.0)
    • Multi-prime RSA
    • SM2
    • SM3
    • SM4
    • SipHash
    • ARIA (including TLS support)
  • Significant Side-Channel attack security improvements
  • Add a new ClientHello callback to provide the ability to adjust the SSL *bject at an early stage.
  • Add 'Maximum Fragment Length' TLS extension negotiation and support
  • A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other *bjects.
  • Move the display of configuration data to
  • Allow GNU style "make variables" to be used with Configure.
  • Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  • Rewrite of devcrypto engine

comment:2 by Bruce Dubbs, 5 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 11472.

Note: See TracTickets for help on using tickets.