[openssl-project] Monthly Status Report (April)

Matt Caswell matt at openssl.org
Tue May 1 15:06:30 UTC 2018


As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Performed the 1.1.1 pre-4 release
- Supported the 1.1.1 pre-5 release
- Liason with Billy Bob Brumley and team regarding various EC/constant
time improvements
- Various updates to the TLSv1.3 wiki article
- Fixed a problem with the ordering of when libssl and libcrypto config
was loaded
- Fixed some problems with TLSv1.3 ciphersuite configuration
- Fixed some documentation problems for the mem leak functions
- Overhauled the genpkey documentation
- Fixed the info callback in TLSv1.3 Also added new tests for this.
- Fixed the command line tools to make Ed25519/Ed448 usable
- Fixed logic around the status_request extension so that it is ignored
on a resumption
- Fixed a significant problem with the SRP base64 parsing code
- Fixed an assertion failure in SSL_set_bio()
- Co-ordinated activity around CVE-2018-0737 (Cache timing vulnerability
in RSA Key Generation)
- Investigated the feasibility of using constant time by default for BIGNUMs
- Fixed a mem leak found by Coverity
- Updated the EVP_DigestSignInit() docs to be more explicit about the
algorithms they support
- Fixed a no-ec build break
- Investigated an issue with bad SRP group parameters when
interoperating with tlslite
- Fixed a return code issue with the ocsp command line app
- Fixed return code issue in the DH derive code
- Fixed a crash if X509_STORE_CTX_init() is called with a NULL
X509_STORE and then X509_verify_cert() is called
- Fix an incorrect alert that was being sent if there are no shared sig algs
- Fixed the SSL_get_version() documentation
- Fixed the behaviour of the info callback if SSL_in_init() is called
- Fixed a bug in SSL_pending() when used with DTLS
- Fixed a backwards compat issue with the ECDHParameters config directive
- Fixed a problem in OpenSSL 1.1.0 which prevented intermediate CAs from
using RSA-PSS
- Updated the session docs to cover when a session gets removed from the
cache
- Fixed an issue preventing the use of compressed point EC certs in TLSv1.3
- Fixed a problem where AFALG was incorrectly built on Android
- Fixed a behaviour change between 1.0.2 and 1.1.0 for the client
version in a reneg handshake
- Fixed the documentation for the "-showcerts" s_client option
- Fixed the MAX_CURVELIST definition in libssl
- Fixed a copy&paste error in the TLSv1.3 ciphersuites definition
- Provided some updates for the various *use_certificate* functions
- Created a fix for the SSL_get_shared_ciphers() function
- Investigated a reported problem with PSKs in TLSv1.3
- Investigated a reported problem with DNS nameconstraints
- Investigated a reported problem with the x509 app "-nameopt" option
- Investigated a reported problem with implicit tagging
- Fixed various errors in the CMS documentation
- Clarified the use of BN_mod_exp combined with BN_FLG_CONSTTIME
- Added the X509_PARAM_get_hostflags() function
- Investigated and closed or re-assigned to a later milestone a large
number of other issues (not listed above) that were against the 1.1.1
milestone


Matt


More information about the openssl-project mailing list