Commit graph

6918 commits

Author SHA1 Message Date
joerg
2f73225a5c Fix case. 2013-10-02 20:03:33 +00:00
joerg
45614db3ea Cygwin specific shared libraries. 2013-10-02 20:00:27 +00:00
joerg
a859a8f210 Drop Windows specific parts to get results consistent with all other
platforms for the man pages.
2013-10-02 19:59:31 +00:00
adam
46b3c4aee0 ClamAV 0.98 includes many new features, across many different components
of ClamAV. There are new scanning options, extensions to the libclamav API,
support for additional filetypes, and internal upgrades.
2013-10-02 18:30:13 +00:00
wiz
04c84edce5 + py-Kerberos 2013-09-30 17:18:15 +00:00
obache
be337baa92 Note comment and add link to upstream fix. 2013-09-30 06:24:09 +00:00
obache
d72e62e614 Take patch for CVE-2013-4122 from upstream git repo.
Bump PKGREVISION of cyrus-saslauthd.
2013-09-30 06:16:34 +00:00
obache
af973030e8 sync the fix with upstream. 2013-09-30 05:44:33 +00:00
joerg
6495aea56e Avoid conflicts with complex functions. 2013-09-29 10:19:01 +00:00
pettai
1aa21ea4f7 0.24
- Updated author and distribution location details to airspayce.com
2013-09-22 08:20:09 +00:00
pettai
001b38436d 2.0
- New Features
    - OWL           - The Owl Monitoring System uses timed DNS queries
                      to monitor basic network functionality.  The system
                      consists of a manager host and a set of sensor hosts.
                      The Owl sensors perform periodic DNS queries and
                      report to the Owl manager the time taken for each
                      query.  Over time, this shows the responsiveness of
                      the DNS infrastructure.
    - dnssec-nodes  - Many new features have been added:
                    - The validation tree now supports clicking on
                      boxes to highlight it and the arrows that derive
                      from it.  Great for use when teaching about
                      DNSSEC.
                    - An extensive filter/effect editor now lets you
                      tailor the look of a graph to color-code, set
                      the alpha levels, etc of nodes based on their
                      names, status, data types, etc.
                    - Right clicking on a node lets you center the
                      graph on that node.
                    - More data types are collected and shown in the
                      data view.
                    - Support for arguments on the command line for
                      parsing log files, pcap files and domain names.
                    - The validation view has received a visual clean-up
                    - Many other bug fixes
    - Bloodhound:   - A mozilla-based DNSSEC-enabled browser with DANE support
                    - Added support for validation of SSL certificates
                      using the DANE protocol.
    - curl          - Added support for validation of SSL certificates
                      using the DANE protocol.
    - libval        - Added support for local DANE validation
                    - Extended the dt-danechk commandline tool to check
                      the X509 cert provided over the SSL connection
                      against the TLSA record.
                    - Optimized glue record lookup when the only ip
                      addresses configured for the host are for a single
                      address family (ipv4 or ipv6)
                    - fine tune res_io source management
    - dnssec-check  - dnssec-check now checks DNAME support
    - rollerd       - A new set of steps for KSK rollover has been
                      implemented.  A cache-expiration wait phase has
                      been moved after the publication of DS records in
                      order to allow name caches to reflect the changes.
                      In addition to rollerd, supporting programs have
                      been modified to recognize this change.
    - rollrec files - A new "information rollrec" has been added to the
                      rollrec files.  This will allow information to be
                      specified for the collection of rollrecs.  At this
                      time, the only information stored in this rollrec
                      is the version number of the rollrec file.
                      In addition to the rollrec.pm Perl module, programs
                      which use this module have been modified to recognize
                      this change.
                      If you use the rollrec.pm module, you should test
                      to see if your code is affected.  The modifications
                      for the info rollrec have been made to minimize
                      affected programs.  If you parse the rollrec files
                      yourself, you will have to account for this change.
    - multiple      - The perl-based tools can now use either the
                      ZoneFile::Fast or the Net::DNS zone file parser,
                      thanks to a patch from Sebastian Schmidt (yath@yath.de).
    - ZoneFile:Fast - Support for TLSA
                    - Made it compatible with newer Net::DNS releases
    - Qt5           - A patch to support DNSSEC checks in Qt5 DNS lookups

 - Bug Fixes
    - zonesigner    - Fixed SOA parsing and serial number update issues
    - libval        - Properly initialize memory in sockaddr structures
                      before use.
2013-09-21 22:25:07 +00:00
joerg
d05d0e98df GC, merged into main PLIST. 2013-09-21 09:57:21 +00:00
joerg
f509c2eba2 Update to hydra-7.5 since the old version doesn't build with newer
libssh. Too many changes to list individually. Adjust license to AGPLv3.
2013-09-20 23:10:12 +00:00
joerg
d4c07155c8 Fix include guards. Fix format string. Fix uninitialised variables.
Not MAKE_JOBS_SAFE. Bump revision.
2013-09-20 23:07:44 +00:00
pettai
85dd7695f4 Updated MESSAGE file to reflect current 2013-09-17 12:34:45 +00:00
taca
a6cd450d60 Update ruby-net-ssh to 2.7.0.
=== 2.7.0 / 11 Sep 2013

* Fix for 'Could not parse PKey: no start line' error on private keys with
  passphrases (issue #101) [metametaclass]
* Automatically forward environment variables defined in OpenSSH config files
  [fnordfish]
* Guard against socket.gets being nil in Net::SSH::Proxy::HTTP [krishicks]
* Implemented experimental keepalive feature [noric]


=== 2.6.8 / 6 Jul 2013

* Added support for host wildcard substitution [GabKlein]
* Added a wait to the loop in close to help fix possible blocks [Josh
  Kalderimis]
* Fixed test file encoding issues with Ruby 2.0 (#87) [voxik]
2013-09-15 14:58:20 +00:00
taca
e609854d28 Update ruby-net-scp to 1.1.2.
=== 1.1.2 / 6 Jul 2013

* Explicit convert to string in shellescape [jwils]
2013-09-15 14:57:11 +00:00
taca
5ab07c82b1 Update ruby-bcrypt to 3.1.2.
3.1.0  May 07 2013
  - Add BCrypt::Password.valid_hash?(str) to check if a string is a valid
    bcrypt password hash
  - BCrypt::Password cost should be set to DEFAULT_COST if nil
  - Add BCrypt::Engine.cost attribute for getting/setting a default cost
    externally

3.1.1  Jul 10 2013
  - Remove support for Ruby 1.8 in compiled win32 binaries

3.1.2  Aug 26 2013
  - Add support for Ruby 1.8 and 2.0 (in addition to 1.9) in compiled Windows
    binaries
  - Add support for 64-bit Windows
2013-09-15 14:56:11 +00:00
joerg
b5c2de7f7d Needs help2man. 2013-09-15 12:32:41 +00:00
pettai
ffd07fe27a Version 2.4.0 (released 2013-07-21)
* liboath: Add new API methods for validating TOTP OTPs
  The new methods (oath_totp_validate3 and oath_totp_validate3_callback)
  introduce a new parameter *otp_counter, which is set to the actual
  counter used to calculate the OTP (unless it is a NULL pointer). This
  allows for easier OTP replay detection in applications using liboath.
  Patch from Fabian Grünbichler <fabian.gruenbichler@tuwien.ac.at>.

Version 2.2.0 (released 2013-07-07)

* libpskc: Add functions for setting PSKC data.
  The new functions are pskc_add_keypackage and all pskc_set_* functions
  (see libpskc/include/pskc/keypackage.h).  This allows you to write
  programs that generate new PSKC structures.
* liboath: Permit different passwords for different tokens for the same user.
  Thanks to Christian Hesse <list@eworm.de>.
* build: Improve building from git with most recent automake and gengetopt.
  Thanks to Christian Hesse <list@eworm.de>.
* build: Valgrind is not enabled by default.
  It causes too many false positives.  For developers who want, use
  --enable-valgrind-tests.  It is still enabled by default when building
  from the version controlled sources (see cfg.mk).  Thanks to Christian
  Hesse <list@eworm.de>.
* liboath: Make header file usable from C++ (extern "C" guard).
  Reported by Alan Markus <alan.markus@gmail.com>.
2013-09-14 07:46:33 +00:00
pettai
7c9683c670 Version 1.14.0 (released 2013-07-04)
* Fixups of import/export.
  Add targetConfig to show in which slot a configuration is intended.
  Possible memory leaks on error conditions.
* Add -d switch to ykpersonalize for dry-run.
* Add ykp_clear_config() for clearing configuration flags.
* Add getter functions for all configuration flags.
* Add -V to all tools to output version.
* Add ykp_get_acccode_type() and ykp_set_acccode_type()
  Only to do with export, showing where the access code came from
  in the ycfg.
* Add -1 and -2 options to ykinfo to show programming state.
2013-09-14 07:06:29 +00:00
pettai
8ceff092b8 Version 2.11 (released 2013-07-24)
* Fix breakage with latest automake.
2013-09-14 07:02:32 +00:00
pettai
c9bdf4a4f6 Version 0.65
- [UTMP input] New input module parsing utmp/wtmp files in Linux
  - [SELINUX input] New input module parsing SELinux audit files in Linux
  - [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py
    from l2t-tools.
  - [EVTX Library] Fixed a small bug in the code, causing some EVTX file
    parsing to fail.
  - [Altiris input] Fixed a small bug when the date is malformed.
  - [Log2Timeline library] Fixed few bugs:
      - Small error in the format sort, caused oxml to sometimes be skipped
        in processing.
  - [GENERIC_LINUX input] Added a small extra eval sentence.
  - [LS_QUARANTINE] Fixed a minor bug in the get_time routine, if a database
    occurs it is caught by an eval sentence.
  - [TEST] Added few more tests.
  - [MOST INPUT MODULES] Changed the line:
          my $line = <$fh> or return undef;
      in most input modules.
  - [WIN library] Added few more transformations of Windows stored time zones
    into a "olson" ones understood by DateTime.
  - [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
  - [faersluskra2timalina] Added a new frontend to the tool, exact copy of
    log2timeline, except all parameters in Icelandic... kinda
       Aprils fool joke, except not in April.. so enjoy.
  - [timescanner tool] Removed this frontend from the Makefile since it serves
    no purpose (as in no longer part of the automatic installation).
2013-09-14 06:35:15 +00:00
mspo
e722363d91 version bump to latest 2012.55 to 2013.58
also added a netbsd-specific build option

(changes)
2013.58 - Thursday 18 April 2013

- Fix building with Zlib disabled, thanks to Hans Harder and cuma@freetz

- Use % as a separator for ports, fixes scp in multihop mode, from Hans Harder

- Reject logins for other users when running as non-root, from Hans Harder

- Disable client immediate authentication request by default, it prevents
  passwordless logins from working

2013.57 - Monday 15 April 2013

- Decreased connection setup time particularly with high latency connections,
  the number of round trips has been reduced for both client and server.
  CPU time hasn't been changed.

- Client will send an initial key exchange guess to save a round trip.
  Dropbear implements an extension kexguess2@matt.ucc.asn.au to allow the first
  packet guess to succeed in wider circumstances than the standard behaviour.
  When communicating with other implementations the standard behaviour is used.

- Client side: when public key or password authentication with
  $DROPBEAR_PASSWORD is used an initial authentication request will
  be sent immediately rather than querying the list of available methods.
  This behaviour is enabled by CLI_IMMEDIATE_AUTH option (on by default),
  please let the Dropbear author know if it causes any interoperability
  problems.

- Implement client escape characters ~. (terminate session) and
  ~^Z (background session)

- Server will more reliably clean up utmp when connection is closed, reported by
  Mattias Walström
- Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case

- Add "-y -y" client option to skip host key checking, thanks to Hans Harder

- scp didn't work properly on systems using vfork(), thanks to Frank Van Uffelen

- Added IUTF8 terminal mode support (Linux and Mac OS). Not standardised yet
though probably will be soon

- Some verbose DROPBEAR_TRACE output is now hidden unless $DROPBEAR_TRACE2
  environment variable is set

- Fix using asymmetric MAC algorithms (broke in )

- Renamed configure.in to configure.ac to quieten autoconf, from Mike Frysinger

2013.56 - Thursday 21 March 2013

- Allow specifying cipher (-c) and MAC (-m) lists for dbclient

- Allow using 'none' cipher or MAC (off by default, use options.h). Encryption
  is used during authentication then disabled, similar to OpenSSH HPN mode

- Allow a user in immediately if the account has a blank password and blank
  passwords are enabled

- Include a few extra sources of entropy from /proc on Linux, hash private keys
  as well. Dropbear will also write gathered entropy back into /dev/urandom

- Added hmac-sha2-256 and hmac-sha2-512 support (off by default, use options.h)

- Don't send bad address "localhost" for -R forward connections,
  reported by Denis Bider

- Add "-B" runtime option to allow blank passwords

- Allow using IPv6 bracket notation for addresses in server "-p" option, from Ben Jencks

- A few improvements for Android from Reimar Döffinger

- Fix memory leak for TCP forwarded connections to hosts that timed out,
  reported by Norbert Benczúr. Appears to be a very long-standing bug.

- Fix "make clean" for out of tree builds

- Fix compilation when ENABLE_{SVR,CLI}_AGENTFWD are unset
2013-09-14 03:40:01 +00:00
pettai
72c20b69a6 OpenDNSSEC 1.4.2 - 2013-09-11
* OPENDNSSEC-428: ods-ksmutil: Add option for 'ods-ksmutil key generate' to
  take number of zones as a parameter

Bugfixes:
* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write
  error [OPENDNSSEC-427].
* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection
  error during signing [OPENDNSSEC-444].
* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg
  fault when run directly on command line (i.e. not via interactive mode)
* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create
  too many keys if there are keys already available and the KSK and ZSK use
  same algorithm and length
* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead
  of memory. Makes response non-blocking.
* OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes
  to stdout not stderr
* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create
  too many keys for <SharedKeys/> policies when KSK and ZSK use same
  algorithm and length
* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling
* Signer Engine: Improved Inbound XFR checking.
* Signer Engine: Fix double free corruption in case of adding zone with
  DNS Outbound Adapters and NotifyCommand enabled.
2013-09-13 21:59:51 +00:00
pettai
a38f1176a9 2.5.3:
Bugfixes
[CPPOST-83] - Compile error with boost 1.53
[CPPOST-86] - samlsign core dumps when -dig option is used

2.5.2:
(none)

2.5.1:
Bugfixes
[CPPOST-79] - Typo in "metadata intance failed manual validation checking"
              log message
[CPPOST-80] - SAMLTIME_MAX constant breaks for universal Mac builds

Improvement
[CPPOST-78] - Add metadata:rpi schema to OpenSAML

2.5.0:
Bugfixes
[CPPOST-65] - Remove compile time version output where possible.
[CPPOST-70] - Problem calling virtual functions from base class constructors
[CPPOST-71] - Various clone methods are broken.
[CPPOST-75] - ChainingTrustEngine resets SOAP/TLS-based null peer entity name,
              forces TrustEngine name matching

Improvements
[CPPOST-74] - metadata provider should check validity before replacing
              old metadata
[CPPOST-76] - filter IdPs somehow that don't declare themselves "ready"

New Features
[CPPOST-69] - Load Folders of Metadata
[CPPOST-73] - Metadata filter that can add EntityAttribute tags
2013-09-13 21:17:35 +00:00
fhajny
8a3fb5921e Fix build on SunOS. Define LUA_COMPAT_MODULE to make this work on lua-5.2. 2013-09-13 14:32:19 +00:00
fhajny
f4c391e6c0 Update lua-sec to 0.4.1.
Changes since 0.4:
- SSL options updated --- based on OpenSSL 1.0.0d.
- Activate SSL_MODE_RELEASE_BUFFERS by default if it is available.
  (thanks Prosody project)
2013-09-13 12:17:19 +00:00
fhajny
aaefe34a13 Add php-oauth 2013-09-13 08:13:17 +00:00
fhajny
054b50764f Import security/php-oauth.
OAuth is an authorization protocol built on top of HTTP which allows
applications to securely access data without having to store usernames
and passwords.
2013-09-13 08:12:52 +00:00
obache
934b85bedf Update PolarSSL to 1.2.8
= Version 1.2.8 released 2013-06-19
Features
   * Parsing of PKCS#8 encrypted private key files
   * PKCS#12 PBE and derivation functions
   * Centralized module option values in config.h to allow user-defined
     settings without editing header files by using POLARSSL_CONFIG_OPTIONS

Changes
   * HAVEGE random generator disabled by default
   * Internally split up x509parse_key() into a (PEM) handler function
     and specific DER parser functions for the PKCS#1 and unencrypted
     PKCS#8 private key formats
   * Added mechanism to provide alternative implementations for all
     symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
     config.h)
   * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
     old PBKDF2 module

Bugfix
   * Secure renegotiation extension should only be sent in case client
     supports secure renegotiation
   * Fixed offset for cert_type list in ssl_parse_certificate_request()
   * Fixed const correctness issues that have no impact on the ABI
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
     certificates
   * x509parse_crtpath() is now reentrant and uses more portable stat()
   * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.2.7 released 2013-04-13
Features
   * Ability to specify allowed ciphersuites based on the protocol version.

Changes
   * Default Blowfish keysize is now 128-bits
   * Test suites made smaller to accommodate Raspberry Pi

Bugfix
   * Fix for MPI assembly for ARM
   * GCM adapted to support sizes > 2^29

= Version 1.2.6 released 2013-03-11
Bugfix
   * Fixed memory leak in ssl_free() and ssl_reset() for active session
   * Corrected GCM counter incrementation to use only 32-bits instead of
     128-bits (found by Yawning Angel)
   * Fixes for 64-bit compilation with MS Visual Studio
   * Fixed net_bind() for specified IP addresses on little endian systems
   * Fixed assembly code for ARM (Thumb and regular) for some compilers

Changes
   * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
     rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
     PKCS#1 v2.1 functions
   * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
     or rsa_rsaes_oaep_decrypt()
   * Re-added handling for SSLv2 Client Hello when the define
     POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
   * The SSL session cache module (ssl_cache) now also retains peer_cert
     information (not the entire chain)

Security
   * Removed further timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.2.5 released 2013-02-02
Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
   * Sending of security-relevant alert messages that do not break
     interoperability can be switched on/off with the flag
     POLARSSL_SSL_ALL_ALERT_MESSAGES

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf() due to badly formatted padding

= Version 1.2.4 released 2013-01-25
Changes
   * Added ssl_handshake_step() to allow single stepping the handshake process

Bugfix
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle future version properly in ssl_write_certificate_request()
   * Correctly handle CertificateRequest message in client for <= TLS 1.1
     without DN list

= Version 1.2.3 released 2012-11-26
Bugfix
   * Server not always sending correct CertificateRequest message

= Version 1.2.2 released 2012-11-24
Changes
   * Added p_hw_data to ssl_context for context specific hardware acceleration
     data
   * During verify trust-CA is only checked for expiration and CRL presence

Bugfixes
   * Fixed client authentication compatibility
   * Fixed dependency on POLARSSL_SHA4_C in SSL modules

= Version 1.2.1 released 2012-11-20
Changes
   * Depth that the certificate verify callback receives is now numbered
     bottom-up (Peer cert depth is 0)

Bugfixes
   * Fixes for MSVC6
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
2013-09-11 13:17:25 +00:00
obache
62987d8de4 only static library is provided, so set as build depend by default. 2013-09-11 13:17:03 +00:00
obache
d3597f6231 Bump PKGREVISION from xml-security-c shlib major bump 2013-09-10 11:44:15 +00:00
obache
05b9a5045c Update xml-security-c to 1.7.2.
Changes since 1.7.0
=====================================
* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
* Reduced entity expansion limits when parsing

Changes since 1.6.1
=====================================
* [SANTUARIO-314] - AES-GCM support
* [SANTUARIO-315] - XML Encryption 1.1 OAEP enhancements

Changes since 1.6.0
=====================================
* [SANTUARIO-268] - TXFMXPathFilter->evaluateExpr crashes on Windows
* [SANTUARIO-270] - DSIGObject::load method crashes for ds:Object without Id attribute
* [SANTUARIO-271] - Bug when signing files with big RSA keys
* [SANTUARIO-272] - Memory bug inside XENCCipherImpl::deSerialise
* [SANTUARIO-274] - Function cleanURIEscapes always throws XSECException, when any escape sequence occurs
* [SANTUARIO-275] - Function isHexDigit doesn't recognize invalid escape sequences.
* [SANTUARIO-276] - Percent-encoded multibyte (UTF-8) sequences unrecognized
* [SANTUARIO-280] - RSA-OAEP handler only allows SHA-1 digests

Changes since 1.5.1
=====================================
* Fix for bug#43964, wrong namespace in encryption DigestMethod (SC)
* Fix for bug#48676, RetrievalMethod handler (SC)
* Fix for bug#45867, support for >1 CRL per KeyInfo (SC)
* Fix for bug#49148, buffer initialization issue (SC)
* Fix for bug#49255, vector index bug (SC)
* Fix for bug#49257, stylesheet append bug (SC)
* Fix for bug#49260, header guard in XPath transform header (SC)
* Fix for bug#49264, string release crash (SC)
* Fix for bug#44983, improper c14n of XSLT (SC)
* Fix for bug#49289, setters for Reference Type/Id (SC)
* Fix for bug#49371, skip comments in X509Certificate elements (SC)
* Fix for bug#49459, more header guards (SC)
* Fix for bug#49660, NSS verification of RSA broken (SC)
* Expose algorithm URI on Signature and Reference objects (SC)
* White/blacklisting of otherwise registered algorithms (SC)
* Add selected XML Signature 1.1 KeyInfo extensions (SC)
* Add elliptic curve keys and signatures via ECDSA (SC)
* Support debugging of Reference/SignedInfo data (SC)
* Clean up tests for SHA2 algorithms in OpenSSL (SC)
* Updated autoconf script, added NSS support, removed pre-automake material (SC)
* Add methods for Reference removal to DSIGSignature/DSIGSignedInfo classes (SC)

Changes between 1.5 and 1.5.1
=====================================
* Fix for bug#47353 in c14n of default namespaces (SC)
* Fix Sparc compilation bug (SC)
* Fix for CVE-2009-0217 (SC)

Changes between version 1.4 and 1.5
=====================================
* Make SHA-1 the implicit default DigestMethod for RSA-OAEP
  key transport, allowing for interop until broken impls are fixed (SC)
* Fix memory leak in OpenSSL RSA/DSA key cloning (SC)
* Expose KeyInfo extensions via DOM (SC)
* Fix c14n to omit standard xmlns:xml declarations (SC)
* Add partial support for Inclusive C14N 1.1 with regard to xml:id but not xml:base (SC)
* Finish port to Xerces 3.0 (SC)
* 64-bit API changes (SC)
* Add VC9 build files (SC)

Changes between version 1.3.1 and 1.4
=====================================
* Fix exclusive c14n namespace bug (rev. 526939) (BL)
* Add const specifiers and methods to various classes (SC)
* Add better extraction of openssl build settings using pkg-config (SC)
* Fix XSECnew macro to stop catching arbitrary errors and report
  crypto exceptions instead of turning them into allocation errors (SC)
* Add various missing files to dist target (SC)

Changes between version 1.3 and 1.3.1
=====================================

* Refactor NIX build to use automake and libtool
* Initial support for API changes in Xerces 3.0
* Fix bug in autoconf that would stop proper detection of Xerces
  ability to set Id attributes
* Fix bug 40085 - incorrect OIDs on non SHA1 based RSA signatures.
* Update support for non SHA1 based RSA signatures
* Remove redundant code from SignedInfo that was preventing the
  library from loading signatures it did not have an algorithm hard
  wired for
* Fix bug in envelope transform when input nodeset is a document
  fragment rather than the entire document and the canonicalisation
  uses a namespace that was not defined directly in the fragment
* Fix bug in DSIGXPathFilterExpr where m_loaded was not initialised
  potentially causing an exception when an XPath expression was loaded
  reported by Ralf "Sabo" Saborowski.

Changes between version 1.2.1 and 1.3
=====================================

* Performance improvements in canonicalisation
* Implemented algorithm handlers for the digital signature classes,
  to provide algorithm extensibility
* Update signature classes to pass in requested algorithms as URIs
  rather than enums.  Enum based methods are now  deprecated.
* Fix memory leaks in OpenSSL wrapping code
* Provide ability for calling application to define whether
  references are interlocking.
* Provide some stability if the Apache keystore is corrupted under Windows.
* Initial import of beta NSS crypto support
* Complete implementation of XKMS message set
* Methods to allow loading of encrypted data without doing decrypt
  and to process a decrypt/encrypt operation without replacing the
  original nodes
* Provide  MS VC++ 2005 project files
* Fix bug when encrypting small input docs
* Implement checks for broken OpenSSL support under Solaris 10
* Add --with-xalan, --with-openssl, --with-xerces and
  --enable-warnerror flags in configure
* Configure now detects if Xalan is installed rather than having
  XALANCROOT being a pointer to the compile directory
- Reorder hashing in DSIGReference.cpp as per suggestion by Peter Gubis
- Update microsoft project files to reflect new version as per Scott Cantor
- Replace setAttribute with setAttributeNS calls
- Add methods to OpenSSL classes to extract OpenSSL objects
- Fix handling of libcrypto on Solaris platform
- Fix bug in Canonicalisation courtesy of Scott Cantor

Changes between version 1.2 and 1.2.1
=====================================

* Fixed library versions in Windows builds (were being generated as 1.1)
* Added "No Xalan" builds for xklient under Windows VC6.0
* Added "No Xalan" builds for all projects in VC 7.0


Changes between version 1.1 and 1.2
===================================

* Started a changelog :>
* Remove MFC dependency and clean up memory debugging
* Remove dynamic_casts and RTTI requirement
* Implemented XKMS Message generation and processing
* Implemented command line XKMS tool for generating and dumping XKMS messages
* Support for DESTDIR as provided by ville.skytta@iki.fi in Bugzilla 28520
* Update to Apache licence 2.0.
* Add support for SHA224/256/384/512 (requires OpenSSL 0.9.8 Beta)
* Patch for Mac OS X compile - provided by Scott Cantor - cantor.2@osu.edu - See Bugzilla #34920
* Updates to compile against Xalan 1.9
* Backport to compile with Xerces 2.1
* Fix bug with NULL pointer when validating or signing empty reference lists - fix as suggested by Jesse Pelton <jsp@PKC.com> on 23 March 2005 on security-dev@xml
* Provided support for nominating namespace based Id attributes
* Change to allow apps to calculate and obtain signed info hash - from Eckehard.Hermann@softwareag.com - see email of 2 March 2005 on security-dev@xml
* Patch for long RSA keys provided by Michael Braunoeder - michael@mib.priv.at to security-dev@xml on 16 Nov 2005
* Memory leak in OpenSSLCryptoBase64 reported by Jesse Pelton fixed.
* Move to internal Base64 decoder in a number of methods to handle non-wrapping data
* Resize buffer in OpenSSLCryptoKeyRSA for larger RSA keys - as submitted by Vadim Ismailov <worndown@gmail.com> 3 December 2005
* Remove redundant m_keyType class variable from OpenSSLCryptoKeyRSA as reported by Jesse Pelton (jsp@pkc.com) on security-dev@xml
* Don't throw an exception when an RSA decrypt fails during sig validation - this is a failed validate, not an error
* Shutdown OpenSSL properly - as suggested by Jesse Pelton <jsp@PKC.com> in e-mail to security-dev@xml on 9 March 2005
* Changed scope of WinCapiCryptoKey::importKey() from private to public. It returns key now, instead of void.
* Fix problem in Windows CAPI where XSEC doesn't work if user doesn't have admin rights.
* Bug fix in Windows CAPI code for some W2K machines - reported by Andrzej Matejko 4/5/2004
* Fix build on non WINCAPI systems, as reported by Milan Tomic on 22/4/2004
* New constructor added to WinCapiX509
* Fixed Bug in encode() XSCryptCryptoBase64.
* Fix bug in XPathFilter transform when checking if an attribute is in the input node set.
* Fix bug in UTF transcoder for counting of transcoded characters (count characters not bytes) reported by Milan Tomic
* Move function definitions in the Windows BinInput stream class to static to avoid conflicts with Xerces.  As suggested by Jesse Pelton <jsp@PKC.com> on 2 Feb 2005 in security-dev@xml
* Added complete KeyInfo handling for XENCEncryptedType
* Fix to stop re-use of derived key encrypting key when decrypting multiple elements in a document
* Fix to ignore encryption exceptions during a private key decrypt
* Add code to detect ASN.1 encoded DSA signatures and validate accordingly
2013-09-10 11:42:52 +00:00
drochner
febe02b8b1 update to 0.13.1
This fixes a hostname check bypassing vulnerability (truncation on
NULL-bytes, as seen in other implementations) (CVE-2013-4314)
2013-09-09 17:49:08 +00:00
fhajny
68506b1e85 Resign as maintainer (not really using Ruby at all any more). 2013-09-09 12:29:25 +00:00
agc
749980ec00 Update security/ipv6-toolkit to version 1.4.1
Changes since previous version:

	SI6 Networks' IPv6 Toolkit v1.4.1

	   * frag6: Fixed bug that prevented Ethernet header from being filled
	     A bug in the code caused Ethernet frames to go on the wire without any of
	     their header fields completed.

	   * All: Use of library to avoid code replication
	     A "libipv6" library was created, such that common functions do not need
	     to be replicated for each tool. ni6, ns6, rs6, and tcp6 now employ such
	     library.

pkgsrc changes:

	* address6 and its man page are no longer installed

	* extend the Makefile changes to include the correct linkage for rs6 and tcp6
	  i.e. include the libipv6 object mentioned above
2013-09-09 06:42:44 +00:00
wiz
89d45dca29 Recursive PKGREVISION bump for serf-1.3.x (major shlib change).
Noted by tron.
2013-09-07 14:00:47 +00:00
wiz
3a42a132a7 Update LICENSE per latest update. 2013-09-05 19:55:45 +00:00
wiz
08109cd721 Update to 1.11:
1.11 - Sat Jul 28 16:09:37 2012
	* Clarify the license as LGPL v3 (29 June 2007) (RT 78629)

1.10 - Wed Jul 11 19:25:12 2012
	* Add MirBSD support. It's the same options as Sun stuff.
2013-09-05 19:55:21 +00:00
wiz
cb0efccb2e Update to 2.33:
2.33    Tue Jul 30 16:02:04 EDT 2013
	- Fix minor RT bugs 83175 and 86455.
2013-09-05 19:54:19 +00:00
wiz
71b2f161f6 Update to 1.953:
1.953 2013/7/22
- fixes to IO::Socket::SSL::Utils, thanks to rurban[AT]x-ray[DOT]at,
  RT#87052
1.952 2013/7/11
- fix t/acceptSSL-timeout.t on Win32, RT#86862
1.951 2013/7/3
- better document builtin defaults for key,cert,CA and how they are deprecated
- use Net::SSLeay::SSL_CTX_set_default_verify_paths to use openssl's builtin
  defaults for CA unless CA path/file was given (or IO::Socket::SSL builtins
  used)
1.950 2013/7/3
- MAJOR BEHAVIOR CHANGE:
  ssl_verify_mode now defaults to verify_peer for client.
  Until now it used verify_none, but loudly complained since 1.79 about it.
  It will not complain any longer, but the connection might probably fail.
  Please don't simply disable ssl verification, but instead set SSL_ca_file
  etc so that verification succeeds!
- MAJOR BEHAVIOR CHANGE:
  it will now complain if the builtin defaults of certs/my-ca.pem or ca/
  for CA and certs/{server,client}-{key,cert}.pem for cert and key are used,
  e.g. no certificates are specified explicitly.
  In the future these insecure (relative path!) defaults will be removed
  and the CA replaced with the system defaults.
v1.94 2013.06.01
- Makefile.PL reported wrong version of openssl, if Net::SSLeay was not
  installed instead of reporting missing dependency to Net::SSLeay.
v1.93 2013.05.31
- need at least OpenSSL version 0.9.8 now, since last 0.9.7 was released 6
  years ago. Remove code to work around older releases.
- changed AUTHOR in Makefile.PL from array back to string, because the
  array feature is not available in MakeMaker shipped with 5.8.9 (RT#85739)
v1.92 2013.05.30
- Intercept: use sha1-fingerprint of original cert for id into cache unless
  otherwise given
- Fix pod error in IO::Socket::SSL::Utils RT#85733
v1.91 2013.05.30
- added IO::Socket::SSL::Utils for easier manipulation of certificates and keys
- moved SSL interception into IO::Socket::SSL::Intercept and simplified it
  using IO::Socket::SSL::Utils
- enhance meta information in Makefile.PL
v1.90 2013.05.27
- RT#85290, support more digest, especially SHA-2.
  Thanks to ujvari[AT]microsec[DOT]hu
- added support for easy SSL interception (man in the middle) based
  on ideas found in mojo-mitm proxy (which was written by Karel Miko)
- make 1.46 the minimal required version for Net::SSLeay, because it
  introduced lots of useful functions.
v1.89 2013.05.14
- if IO::Socket::IP is used it should be at least version 0.20, otherwise
  we get problems with HTTP::Daemon::SSL and maybe others (RT#81932)
- Spelling corrections, thanks to dsteinbrunner
v1.88 2013.05.02
- consider a value of '' the same as undef for SSL_ca_(path|file), SSL_key*
  and SSL_cert* - some apps like Net::LDAP use it that way.
  Thanks to alexander[AT]kuehn[AT]nagilum[DOT]de for reporting the problem.
v1.87 2013.04.24
- RT#84829 - complain if given SSL_(key|cert|ca)_(file|path) do not exist or
  if they are not readable. Thanks to perl[AT]minty[DOT]org
- fix use of SSL_key|SSL_file objects instead of files, broken with 1.83
2013-09-05 19:39:04 +00:00
wiz
2162d4d676 Update to 1.55:
1.55 2013-06-08
     Added support for TLSV1_1 and TLSV1_2 methods with SSL_CTX_tlsv1_1_new(),
     SSL_CTX_tlsv1_2_new(), TLSv1_1_method() and TLSv1_2_method(), where
     available in the underlying openssl.
     Added CRL support functions X509_CRL_get_ext(), X509_CRL_get_ext_by_NID(),
     X509_CRL_get_ext_count(). Patch from Franck Youssef.
     Fixed a problem which could cause content with a value of '0' to not be
     correctly encoded by do_httpx3 and friends. Reported by Victor Efimov via
     RT.
     Added support for SSL_get_tlsa_record_byname() required for DANE support in
     openssl-1.0.2 and later. SSL_get_tlsa_record_byname() was added to
     OpenSSL with the financial assistance of .SE.
     Testing with openssl-1.0.2-stable-SNAP-20130521.
     Added X509_NAME_new and X509_NAME_hash, patched by Franck Youssef.
2013-09-05 19:36:39 +00:00
adam
d2cb6dec32 Revbump after cairo update 2013-09-02 19:50:38 +00:00
wiz
33964c906f Update to 2.0.21:
Noteworthy changes in version 2.0.21 (2013-08-19)
-------------------------------------------------

 * gpg-agent: By default the users are now asked via the Pinentry
   whether they trust an X.509 root key.  To prohibit interactive
   marking of such keys, the new option --no-allow-mark-trusted may
   be used.

 * gpg-agent: The command KEYINFO has options to add info from
   sshcontrol.

 * The included ssh agent does now support ECDSA keys.

 * The new option --enable-putty-support allows gpg-agent to act on
   Windows as a Pageant replacement with full smartcard support.

 * Support installation as portable application under Windows.
2013-09-02 16:52:04 +00:00
agc
ccae910247 Remove patch that's no longer needed 2013-08-31 19:16:51 +00:00
agc
cc69477703 update security/ipv6-toolkit to version 1.4nb1
code was added to fix the compiler uninitialised warning (thanks!),
but the distfile name didn't change since it was packaged originally,
so do the DIST_SUBDIR dance, and bump package version to nb1
2013-08-31 19:14:47 +00:00
asau
2cc88ed9b5 Depend on libgcrypt.
Fix packaging on some Linux.
Bump package revision.

From Jason Bacon via pkgsrc-wip.
2013-08-30 20:16:53 +00:00
joerg
4506ea7b83 Don't use IP_PKTINFO on NetBSD, it doesn't support all required fields. 2013-08-30 12:59:22 +00:00
richard
57973e7744 fix openssl builtin support, at least for solaris 2013-08-27 05:42:34 +00:00