Otherwise, there is one nonsensical warning on every openssl invocation.
I have seen dozens of recipes for NetBSD setups, and each one cargo-cults
a "touch openssl.cnf" against that noise.
Bump package revision.
** libgnutls: Removed any references to OpenPGP functionality in documentation,
and marked all functions in openpgp.h as deprecated. That functionality
is considered deprecated and should not be used for any reason other than
backwards compatibility.
** libgnutls: Improve detection of AVX support. In certain cases when
the instruction was available on the host, but not on a VM running
gnutls, detection could fail causing illegal instruction usage.
** libgnutls: Added support for IDNA2008 for internationalized DNS names.
If gnutls is compiled using libidn2 (the latest version is recommended),
it will support IDNA2008 instead of the now obsolete IDNA2003 standard.
Resolves gitlab issue 150. Based on patch by Tim Ruehsen.
** p11tool: re-use ID from corresponding objects when writing certificates.
That is, when writing a certificate which has a corresponding public key,
or private key in the token, ensure that we use the same ID for the
certificate.
** API and ABI modifications:
gnutls_idna_map: Added
gnutls_idna_reverse_map: Added
# 20161029
* Argon2id added
* Better documentation
* Dual licensing CC0 / Apache 2.0
* Minor bug fixes (no security issue)
# 20160406
* Version 1.3 of Argon2
* Version number in encoded hash
* Refactored low-level API
* Visibility control for library symbols
* Microsoft Visual Studio solution
* New bindings
* Minor bug and warning fixes (no security issue)
# 20151206
* Python bindings
* Password read from stdin, instead of being an argument
* Compatibility FreeBSD, NetBSD, OpenBSD
* Constant-time verification
* Minor bug and warning fixes (no security issue)
v0.8.0 (14 February 2017)
+++++++++++++++++++++++++
- Added Fitbit compliance fix.
- Fixed an issue where newlines in the response body for the access token
request would cause errors when trying to extract the token.
- Fixed an issue introduced in v0.7.0 where users passing ``auth`` to several
methods would encounter conflicts with the ``client_id`` and
``client_secret``-derived auth. The user-supplied ``auth`` argument is now
used in preference to those options.
- More cleanups, removal of obsolete stuff, and moves towards py3k
compatibility.
- Add support for EC.get_builtin_curves() and use it for testing.
- Enable AES CTR mode
- Bundle-in six module v. 1.10.0
- add rand_file_name and rand_status
- remove all LHASH fiddling
- Extend Travis and GitLab CI configuration to test also py3k (with
allowed_failures) and CentOS6 (on GitLab CI).
- Add CONTRIBUTORS.rst. Thank you!
- Add PEP-484 type hints in comments to all Python files (except for
tests)
- Use context managers for file handling wherever possible instead of
leaking open file descriptors.
- Improve defaults handling for SSL_CTX_new().
- Fix PGP tests to actually run
2.047 2017/02/16
- better fix for problem which 2.046 tried to fix but broke LWP this way
2.046 2017/02/15
- cleanup everything in DESTROY and make sure to start with a fresh %{*self}
in configure_SSL because it can happen that a GLOB gets used again without
calling DESTROY (https://github.com/noxxi/p5-io-socket-ssl/issues/56)
2.045 2017/02/13
- fixed memory leak caused by not destroying CREATED_IN_THIS_THREAD for SSL
objects -> github pull#55
- optimization: don't track SSL objects and CTX in *CREATED_IN_THIS_THREAD
if perl is compiled w/o thread support
- small fix in t/protocol_version.t to use older versions of Net::SSLeay
with openssl build w/o SSLv3 support
- when setting SSL_keepSocketOnError to true the socket will not be closed
on fatal error. This is a modified version of
https://github.com/noxxi/p5-io-socket-ssl/pull/53/
Summary of upstream changelog:
bug fixes
many new ATRs
ATR_analysis: propose to submit the ATR if not known
We propose to submit the ATR at http://smartcard-atr.appspot.com/ when
the ATR is not found in the list.
The message is always displayed for an unknown ATR, not just after the
list has been updated.
ATR_analysis: correctly use wget to store the ATR list
1.4.26 - 7 January 2017, Ludovic Rousseau
- Add support of
. Bit4id Digital DNA Key
. Bit4id tokenME FIPS v3
. INGENICO Leo
. appidkey GmbH ID60-USB
- Add support of
- PowerOn: the default algorithm is now 5V then 1.8V then 3V then fail.
It is still possible to change the initial voltage in the
Info.plist file. Now, in any case, all the values are tried
before failing.
- Negotiate maximum baud rate when bNumDataRatesSupported = 0
- Some minor improvements
1.4.25 - 30 September 2016, Ludovic Rousseau
- Add support of
. Aladdin R.D. JaCarta (idProduct: 0x0402)
. Broadcom Corp 5880 (idProduct: 0x5832)
. Broadcom Corp 5880 (idProduct: 0x5833)
. Broadcom Corp 5880 (idProduct: 0x5834)
. ESMART Token GOST X2 ET1020-A
. Feitian VR504 VHBR Contactless & Contact Card Reader
. Feitian bR500
. Gemalto K50
. appidkey GmbH ID100-USB SC Reader
. appidkey GmbH ID50 -USB
- Remove support of
. Broadcom Corp 5880 (idProduct: 0x5800)
. Broadcom Corp 5880 (idProduct: 0x5805)
. KEBTechnology KONA USB SmartCard
- macOS: Fix composite device enumeration
- Fix crash with GemCore Pos Pro and GemCore Sim Pro
- Some minor improvements
1.4.24 - 22 May 2016, Ludovic Rousseau
- Add support of
. Generic USB Smart Card Reader
. Giesecke & Devrient GmbH StarSign CUT S
. HID AVIATOR Generic
- better support of Elatec TWN4 SmartCard NFC
- better support of SCM SCL011
- better support of HID Aviator generic
- fix SCARD_ATTR_VENDOR_IFD_SERIAL_NO attribute size
- fix a race condition on card events with multiple readers
- Some minor improvements
1.4.23 - 20 April 2016, Ludovic Rousseau
- Add support of
. ACS ACR3901U ICC Reader
. Alcor Micro AU9560
. Cherry SmartTerminal XX44
. HID Global OMNIKEY 3x21 Smart Card Reader
. HID Global OMNIKEY 5022 Smart Card Reader
. HID Global OMNIKEY 6121 Smart Card Reader
. IonIDe Smartcard Reader reader
. KACST HSID Reader
. KACST HSID Reader Dual Storage
. KACST HSID Reader Single Storage
- Remove support of
. VMware Virtual USB CCID
- Do NOT add support of
. DUALi DE-ABCM6
- Fix a busy loop consuming 100% of CPU for some composite USB devices
impacted readers: Yubico Yubikey NEO U2F+CCID and Broadcom BCM5880
- Remove support of (unused) option DRIVER_OPTION_RESET_ON_CLOSE
- log libusb error name instead of decimal value
- Some minor improvements
1.4.22 - 10 January 2016, Ludovic Rousseau
- Add support of
. Aktiv Rutoken PINPad 2
. Aladdin R.D. JC-WebPass (JC600)
. Aladdin R.D. JCR-770
. Aladdin R.D. JaCarta
. Aladdin R.D. JaCarta Flash
. Aladdin R.D. JaCarta LT
. Aladdin R.D. JaCarta U2F (JC602)
. Athena ASEDrive IIIe Combo Bio PIV
. Athena ASEDrive IIIe KB Bio PIV
. GEMALTO CT1100
. GEMALTO K1100
. Hitachi, Ltd. Hitachi Biometric Reader
. Hitachi, Ltd. Hitachi Portable Biometric Reader
. Nitrokey Nitrokey Storage
. THURSBY SOFTWARE TSS-PK1
. Thursby Software Systems, Inc. TSS-PK7
. Thursby Software Systems, Inc. TSS-PK8
- Patch for Microchip SEC1110 reader on Mac OS X (card events notification)
- Patch for Cherry KC 1000 SC (problem was with a T=1 card and case 2 APDU)
- Fix support of FEATURE_MCT_READER_DIRECT for the Kobil mIDentity
visual reader
- Set timeout to 90 sec for PPDU (Pseudo APDU) commands. This change
allows the use of a Secure Verify command sent as a PPDU through
SCardTransmit().
- Fix a crash when reader initialization failed
- Fix initialization bug with Gemalto Pinpad reader on Mac OS X
- Some minor bugs fixed
1.4.21 - 21 October 2015, Ludovic Rousseau
- Add support of
. ACS ACR1252 Dual Reader
. Chicony HP USB Smartcard CCID Keyboard JP
. Chicony HP USB Smartcard CCID Keyboard KR
. FT ePass2003Auto
. Feitian bR301 BLE
. Feitian iR301 (ProductID 0x0619)
. Feitian iR301 (ProductID 0x061C)
. Identiv @MAXX ID-1 Smart Card Reader
. Identiv @MAXX Light2 token
. Identiv CLOUD 2980 F Smart Card Reader
. Identiv Identiv uTrust 4701 F Dual Interface Reader
. Identiv SCR3500 A Contact Reader
. Identiv SCR3500 B Contact Reader
. Identiv SCR35xx USB Smart Card Reader
. Identiv uTrust 2900 R Smart Card Reader
. Identiv uTrust 2910 R Smart Card Reader
. Identiv uTrust 2910 R Taglio SC Reader
. Identiv uTrust 3512 SAM slot Token
. Identiv uTrust 3522 embd SE RFID Token
. Identiv uTrust 3700 F CL Reader
. Identiv uTrust 3701 F CL Reader
. Identive Identive CLOUD 4000 F DTC
. Liteon HP SC Keyboard - Apollo (Liteon)
. Liteon HP SC Keyboard - Apollo JP (Liteon)
. Liteon HP SC Keyboard - Apollo KR (Liteon)
. Nitrokey Nitrokey HSM
. Nitrokey Nitrokey Pro
. Nitrokey Nitrokey Start
. Rocketek RT-SCR1
. VASCO DIGIPASS 875
. WatchCNPC USB CCID Key
- Remove support of
. Crypto Stick Crypto Stick v1.4 is an old version of Nitrokey Nitrokey Pro
. Free Software Initiative of Japan Gnuk Token is an old version
of Nitrokey Nitrokey Start
- Add Feitian R502 dual interface (composite) reader on Mac OS X
- display a human readable version of the error code returned by
libusb
- Mac OS X: wait until libusb/the reader is ready
- some minor bugs fixed
1.8.20: Ludovic Rousseau
30 December 2016
- Fix a crash and potential security issue in pcscd
1.8.19: Ludovic Rousseau
9 December 2016
- SCardGetStatusChange(): Fix a (rare) race condition
- Doxygen:
. SCardGetStatusChange() may return SCARD_E_UNKNOWN_READER
. SCardConnect() and SCardReconnect() will never return SCARD_E_NOT_READY
- pcsc-spy:
. fix display of execution time
. log the thread number in the results
- Some other minor improvements
This is a tiny, auditable script that you can throw on your server to issue and
renew Let's Encrypt certificates. Since it has to be run on your server and
have access to your private Let's Encrypt account key, I tried to make it as
tiny as possible (currently less than 200 lines). The only prerequisites are
python and openssl.
Tested successfully on NetBSD 7.0.2 (i386).
"please import!" wiz@
FEATURES:
- Okta Authentication: A new Okta authentication backend allows you to use
Okta usernames and passwords to authenticate to Vault. If provided with an
appropriate Okta API token, group membership can be queried to assign
policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
a RADIUS server to authenticate to Vault. Policies can be configured for
specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
`exportable` at creation time. This allows a properly ACL'd user to retrieve
the associated signing key, encryption key, or HMAC key. The `exportable`
value is returned on a key policy read and cannot be changed, so if a key is
marked `exportable` it will always be exportable, and if it is not it will
never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
in the transit backend now support processing multiple input items in one
call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
want to have included in each audit entry, along with whether each header
should be HMAC'd or kept plaintext. This can be useful for adding additional
client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
backend, allowing creation, viewing and editing of named keys as well as using
those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend: A new socket audit backend allows audit logs to be sent
through TCP, UDP, or UNIX Sockets.
IMPROVEMENTS:
- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
to use. The v3 code path is significantly less complicated and may be much
more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
backends even if the UI cannot browse them. Additional backends can now be
mounted from the UI as well.
BUG FIXES:
- auth/token: Fix regression in 0.6.4 where using token store roles as a
blacklist (with only `disallowed_policies` set) would not work in most
circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
CSR's common name
2.044 2017/01/26
- protect various 'eval'-based capability detections at startup with a localized
__DIE__ handler. This way dynamically requiring IO::Socket::SSL as done by
various third party software should cause less problems even if there is a
global __DIE__ handler which does not properly deal with 'eval'.
python-oath is a package implementing the three main OATH specifications:
- HOTP, an event based one-time password standard (RFC 4226)
- TOTP, a time based OTP (RFC 6238)
- OCRA, a mixed OTP / signature system based on HOTP for complex use cases
(RFC 6287)
Upstream changelog :
* Misleading add resp. enable of (already available) jail in database, that
induced a subsequent error: last position of log file will be never retrieved (gh-795)
* Fixed a distribution related bug within testReadStockJailConfForceEnabled
(e.g. test-cases faults on Fedora, see gh-1353)
* Fixed pythonic filters and test scripts (running via wrong python version,
uses "fail2ban-python" now);
* Fixed test case "testSetupInstallRoot" for not default python version (also
using direct call, out of virtualenv);
* Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512);
* FIPS compliant, use sha1 instead of md5 if it is not allowed (see gh-1540)
* Monit config: scripting is not supported in path (gh-1556)
* `filter.d/apache-modsecurity.conf`
- Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all
replaced for safer match, unneeded catch-all anchoring removed, non-capturing
* `filter.d/asterisk.conf`
- Fixed to match different asterisk log prefix (source file: method:)
* `filter.d/dovecot.conf`
- Fixed failregex ignores failures through some not relevant info (gh-1623)
* `filter.d/ignorecommands/apache-fakegooglebot`
- Fixed error within apache-fakegooglebot, that will be called
with wrong python version (gh-1506)
* `filter.d/assp.conf`
- Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494)
* `filter.d/postfix-sasl.conf`
- Allow for having no trailing space after 'failed:' (gh-1497)
* `filter.d/vsftpd.conf`
- Optional reason part in message after FAIL LOGIN (gh-1543)
* `filter.d/sendmail-reject.conf`
- removed mandatory double space (if dns-host available, gh-1579)
* filter.d/sshd.conf
- recognized "Failed publickey for" (gh-1477);
- optimized failregex to match all of "Failed any-method for ... from <HOST>" (gh-1479)
- eliminated possible complex injections (on user-name resp. auth-info, see gh-1479)
- optional port part after host (see gh-1533, gh-1581)
* New Actions:
- `action.d/npf.conf` for NPF, the latest packet filter for NetBSD
* New Filters:
- `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine)
(gh-1586, gh-1606 and gh-1607)
* DateTemplate regexp extended with the word-end boundary, additionally to
word-start boundary
* Introduces new command "fail2ban-python", as automatically created symlink to
python executable, where fail2ban currently installed (resp. its modules are located):
- allows to use the same version, fail2ban currently running, e.g. in
external scripts just via replace python with fail2ban-python:
```diff
-#!/usr/bin/env python
+#!/usr/bin/env fail2ban-python
```
- always the same pickle protocol
- the same (and also guaranteed available) fail2ban modules
- simplified stand-alone install, resp. stand-alone installation possibility
via setup (like gh-1487) is getting closer
* Several test cases rewritten using new methods assertIn, assertNotIn
* New forward compatibility method assertRaisesRegexp (normally python >= 2.7).
Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged
are test covered now
* Jail configuration extended with new syntax to pass options to the backend (see gh-1408),
examples:
- `backend = systemd[journalpath=/run/log/journal/machine-1]`
- `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
- `backend = systemd[journalflags=2]`
2.5.1 - Bug and security fixes, new features, documentation updates
* X509_cmp_time() now passes a malformed GeneralizedTime field as an
error. Reported by Theofilos Petsios.
* Detect zero-length encrypted session data early, instead of when
malloc(0) fails or the HMAC check fails. Noted independently by
jsing@ and Kurt Cancemi.
* Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().
* Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.
* Curve25519 Key Exchange support.
* Support for alternate chains for certificate verification.
* Code cleanups, CBS conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.
* Private symbols are now hidden in libssl and libcrypto.
* Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
* Added OCSP stapling support to libtls and netcat.
* Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling
* Enhanced regression tests and error handling for libtls.
* Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.
* Moved many leaked implementation details in public structs behind
opaque pointers.
* Added ticket support to libtls.
* Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names. This also changes the default
list of curves to be X25519, P-256 and P-384. All other curves must
be manually enabled.
* Added -groups option to openssl(1) s_client for specifying the curves
to be used in a colon-separated list.
* Merged client/server version negotiation code paths into one,
reducing much duplicate code.
* Removed error function codes from libssl and libcrypto.
* Fixed an issue where a truncated packet could crash via an OOB read.
* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. This is the default for libtls
servers.
* Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of Technology).
The fix was developed by Cesar Pereida Garcia.
* iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2k.
https://www.openssl.org/news/secadv/20170126.txt
* New features
- DH ciphersuites are now disabled by default.
- The daily server DH parameter regeneration is only performed if
DH ciphersuites are enabled in the configuration file.
- "checkHost" and "checkEmail" were modified to require either
"verifyChain" or "verifyPeer" (thx to Małorzata Olszówka).
* Bugfixes
- Fixed setting default ciphers.
Add patch that makes tests on NetBSD progress further.
But then there's a segfault. See
https://github.com/pyca/pyopenssl/issues/596
16.2.0 (2016-10-15)
-------------------
Changes:
^^^^^^^^
- Fixed compatibility errors with OpenSSL 1.1.0.
- Fixed an issue that caused failures with subinterpreters and embedded Pythons.
`#552 <https://github.com/pyca/pyopenssl/pull/552>`_
16.1.0 (2016-08-26)
-------------------
Deprecations:
^^^^^^^^^^^^^
- Dropped support for OpenSSL 0.9.8.
Changes:
^^^^^^^^
- Fix memory leak in ``OpenSSL.crypto.dump_privatekey()`` with ``FILETYPE_TEXT``.
`#496 <https://github.com/pyca/pyopenssl/pull/496>`_
- Enable use of CRL (and more) in verify context.
`#483 <https://github.com/pyca/pyopenssl/pull/483>`_
- ``OpenSSL.crypto.PKey`` can now be constructed from ``cryptography`` objects and also exported as such.
`#439 <https://github.com/pyca/pyopenssl/pull/439>`_
- Support newer versions of ``cryptography`` which use opaque structs for OpenSSL 1.1.0 compatibility.
Add more test dependencies.
Self tests cause a python core dump, see
https://github.com/pyca/cryptography/issues/3372
1.7.2 - 2017-01-27
~~~~~~~~~~~~~~~~~~
* Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.
Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
*) Truncated packet could crash via OOB read
If one side of an SSL/TLS path is running on a 32-bit host and a specific
cipher is being used, then a truncated packet can cause that host to
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
(CVE-2017-3731)
[Andy Polyakov]
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3732)
[Andy Polyakov]
*) Montgomery multiplication may produce incorrect results
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
(CVE-2016-7055)
[Andy Polyakov]
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]
All py-certbot self tests pass.
39 self test failures in py-acme (running py.test), one core dump
in openssl (running make test).
Changes:
Test bug fixes
Changelog:
Version 5.39, 2017.01.01, urgency: LOW
* New features
- PKCS#11 engine (pkcs11.dll) added to the Win32 build.
- Per-destination TLS session cache added for the client mode.
- The new "logId" parameter "process" added to log PID values.
- Added support for the new SSL_set_options() values.
- Updated the manual page.
- Obsolete references to "SSL" replaced with "TLS".
* Bugfixes
- Fixed "logId" parameter to also work in inetd mode.
- "delay = yes" properly enforces "failover = prio".
- Fixed fd_set allocation size on Win64.
- Fixed reloading invalid configuration file on Win32.
- Fixed resolving addresses with unconfigured network interfaces.
Version 5.38, 2016.11.26, urgency: MEDIUM
* New features
- "sni=" can be used to prevent sending the SNI extension.
- The AI_ADDRCONFIG resolver flag is used when available.
- Merged Debian 06-lfs.patch (thx Peter Pentchev).
* Bugfixes
- Fixed a memory allocation bug causing crashes with OpenSSL 1.1.0.
- Fixed error handling for mixed IPv4/IPv6 destinations.
- Merged Debian 08-typos.patch (thx Peter Pentchev).
Version 5.37, 2016.11.06, urgency: MEDIUM
* Bugfixes
- OpenSSL DLLs updated to version 1.0.2j (stops crashes).
- The default SNI target (not handled by any slave service)
is handled by the master service rather than rejected.
- Removed thread synchronization in the FORK threading model.
Version 5.36, 2016.09.22, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.0.2i.
https://www.openssl.org/news/secadv_20160922.txt
* New features
- Added support for OpenSSL 1.1.0 built with "no-deprecated".
- Removed direct zlib dependency.
All tests pass.
Noteworthy changes in version 1.7.6 (2017-01-18) [C21/A1/R6]
------------------------------------------------
* Bug fixes:
- Fix AES CTR self-check detected failure in the SSSE3 based
implementation.
- Remove gratuitous select before the getrandom syscall.