Opened 3 months ago

Closed 3 months ago

#5582 closed enhancement (fixed)

openssl-3.4.0

Reported by: Bruce Dubbs
Owned by: lfs-book
Priority: normal
Milestone: 12.3
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (2)

comment:1 by Bruce Dubbs, 3 months ago

### Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

  • Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics
  • Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys
  • The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has fips=no property.
  • SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.
  • Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.
  • An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
  • Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t

This release adds the following new features:

  • Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions
  • FIPS indicators support in the FIPS provider and various updates of the FIPS provider required for future FIPS 140-3 validations
  • Implementation of RFC 9579 (PBMAC1) in PKCS#12
  • An optional additional random seed source RNG JITTER using a statically linked jitterentropy library
  • New options -not_before and -not_after for explicitly setting start and end dates of certificates created with the req and x509 apps
  • Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
  • Support for requesting CRL in CMP
  • Support for additional X.509v3 extensions related to Attribute Certificates
  • Initial Attribute Certificate (RFC 5755) support
  • Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation

comment:2 by Bruce Dubbs, 3 months ago

Resolution: fixed
Status: new → closed

Fixed at commit 52104e05f0:

    Update to iana-etc-20241015.
    Update to vim-9.1.0813.
    Update to xz-5.6.3.
    Update to sysvinit-3.11.
    Update to setuptools-75.2.0.
    Update to Python3-3.13.0.
    Update to openssl-3.4.0.
    Update to meson-1.6.0.
    Update to markupsafe-3.0.2.
    Update to linux-6.11.5.
    Update to less-668.
    Update to elfutils-0.192.