LibreSSL 3.2.2 Released

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

LibreSSL 3.2.2 Released

Brent Cook
We have released LibreSSL 3.2.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first stable release from the 3.2 series, which is included
with OpenBSD 6.8. It includes the following changes from LibreSSL 3.2.1:

    * This is the first stable release with the new TLSv1.3
      implementation enabled by default for both client and server. The
      OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
      in an upcoming release.

    * New X509 certificate chain validator that correctly handles
      multiple paths through intermediate certificates. Loosely based on
      Go's X509 validator.

    * New name constraints verification implementation which passes the certificate validation check suite.

    * Improve the handling of BIO_read()/BIO_write() failures in the
      TLSv1.3 stack.

    * Start replacing the existing TLSv1.2 record layer.

    * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

    * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

    * Send alert on ssl_get_prev_session() failure.

    * Zero out variable on the stack to avoid leaving garbage in the tail
      of short session IDs.

    * Move state initialization from SSL_clear() to ssl3_clear() to ensure
      that it gets correctly reinitialized across a SSL_set_ssl_method()

    * Avoid an out-of-bounds write in BN_rand().

    * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
      the code in ui_lib.c.

    * Correctly track selected ALPN length to avoid a potential segmentation
      fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

    * Include machine/endian.h gost2814789.c in order to pick up the
      __STRICT_ALIGNMENT define.

    * Simplify SSL method lookups.

    * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
      SSL_set_ssl_method() and several internal functions.

    * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

    * Refactor dtls1_new(), dtls1_hm_fragment_new(),
      dtls1_drain_fragments(), dtls1_clear_queues().

    * Copy the session ID directly in ssl_get_prev_session() instead of
      handing it through several functions for copying.

    * Clean up and refactor ssl_get_prev_session(); simplify
      tls_decrypt_ticket() and tls1_process_ticket() exit paths.

    * Avoid memset() before memcpy() in CBS_add_bytes().

    * Rewrite X509_INFO_{new,free}() more idiomatically.

    * Remove unnecessary zeroing after recallocarray() in

    * Convert openssl(1) ocsp new option handling.

    * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

    * Document return value from EC_KEY_get0_public_key(3).

    * Greatly expanded test coverage via the tlsfuzzer test scripts.

    * Expanded test coverage via the bettertls certificate test suite.

    * Test interoperability with the Botan TLS client.

    * Make pthread_mutex static initialisation work on Windows.

    * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.