mirror of https://github.com/openssl/openssl
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell
parent
32a3b9b766
commit
5eef9e1deb
26
CHANGES.md
26
CHANGES.md
|
|
@ -72,13 +72,37 @@ OpenSSL 3.1
|
|||
|
||||
### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx]
|
||||
|
||||
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
|
||||
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
|
||||
verify a certificate supplied by a server. That function may return a
|
||||
negative return value to indicate an internal error (for example out of
|
||||
memory). Such a negative return value is mishandled by OpenSSL and will cause
|
||||
an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
|
||||
success and a subsequent call to SSL_get_error() to return the value
|
||||
SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
|
||||
returned by OpenSSL if the application has previously called
|
||||
SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
|
||||
the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
|
||||
totally unexpected and applications may not behave correctly as a result. The
|
||||
exact behaviour will depend on the application but it could result in
|
||||
crashes, infinite loops or other similar incorrect responses.
|
||||
|
||||
This issue is made more serious in combination with a separate bug in OpenSSL
|
||||
3.0 that will cause X509_verify_cert() to indicate an internal error when
|
||||
processing a certificate chain. This will occur where a certificate does not
|
||||
include the Subject Alternative Name extension but where a Certificate
|
||||
Authority has enforced name constraints. This issue can occur even with valid
|
||||
chains.
|
||||
([CVE-2021-4044])
|
||||
|
||||
*Matt Caswell*
|
||||
|
||||
* Corrected a few file name and file reference bugs in the build,
|
||||
installation and setup scripts, which lead to installation verification
|
||||
failures. Slightly enhanced the installation verification script.
|
||||
|
||||
*Richard Levitte*
|
||||
|
||||
|
||||
OpenSSL 3.0
|
||||
-----------
|
||||
|
||||
|
|
|
|||
12
NEWS.md
12
NEWS.md
|
|
@ -21,13 +21,19 @@ OpenSSL 3.1
|
|||
|
||||
### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development]
|
||||
|
||||
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
|
||||
by default.
|
||||
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
|
||||
by default.
|
||||
|
||||
OpenSSL 3.0
|
||||
-----------
|
||||
|
||||
### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0
|
||||
### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1
|
||||
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
|
||||
([CVE-2021-4044])
|
||||
* Allow fetching an operation from the provider that owns an unexportable key
|
||||
as a fallback if that is still allowed by the property query.
|
||||
|
||||
### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0
|
||||
|
||||
* Enhanced 'openssl list' with many new options.
|
||||
* Added migration guide to man7.
|
||||
|
|
|
|||
Loading…
Reference in New Issue