このコンテンツは選択した言語では利用できません。

8.160. openssl


Updated openssl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library.

Bug Fixes

BZ#1057520
Previously, cipher suites based on the single-DES and RC2 algorithms were on the default list of cipher suites used by the SSL or TLS client and by the server in the OpenSSL library. This allowed for suboptimal cipher suites to be negotiated between the OpenSSL client or server and a third party client or server. In addition, a higher amount of supported cipher suites in the TLS ClientHello request impaired the inter-operability of the OpenSSL TLS client. This update removes single-DES-based and RC2-based cipher suites from the default list of cipher suites, improving the security and compatibility of the OpenSSL TLS client.
BZ#1056608
Cipher suites based on the Triple DES (3DES) algorithm had their bit strengths erroneously set to 168 bits when running under the SSL or TLS protocols. As a consequence, they were incorrectly sorted before cipher suites based on the AES-128 algorithm. This update sets the bit strength of 3DES-based cipher suites to 128 bits, and they will now be sorted after AES-128-based cipher suites as expected.
BZ#1090952
In TLS client applications that use the SSLv2 protocol, the TLS extension giving the list of supported Elliptic Curve Cryptography (ECC)-based cipher suites could not be sent. This caused a TLS connection to a server which used an ECC-based cipher suite not supported by the OpenSSL client to abort. With this update, the ECC-based cipher suites are not sent in the SSLv2 ClientHello request, and TLS connections are no longer aborted in the above circumstances.
BZ#1119800
The TLS extensions that were sent in the Datagram TLS (DTLS) ClientHello requests did not previously contain the list of the supported ECC-based cipher suites. As a consequence, the DTLS connections to servers using ECC cipher suites not supported by the OpenSSL client were aborted. With this update, the ECC-based cipher suite list is properly sent in the DTLS ClientHello requests, and DTLS connections are no longer aborted in the above circumstances.
In addition, this update adds the following

Enhancements

BZ#1002926, BZ#1039105, BZ#1002930, BZ#1015056
The openssl packages have been enhanced to allow for FIPS-140-2 validation of the OpenSSL library as a FIPS cryptographic module.
BZ#1057715
When connecting to a server using ECDHE-based or DHE-based cipher suites, the s_client utility now reports the size of ECDHE and DHE parameters selected by the server. This allows for easy verification whether the used configuration set is secure.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.