8.135. openssl

Bug Fixes

BZ#830109

Previously, an incorrect variable size was passed to the getsockopt() function. As a consequence, using the BIO (OpenSSL I/O) layer in datagram mode caused termination with a segmentation fault. More specifically, the openssl s_client command terminated unexpectedly on IBM System z with the "-dtls1" option enabled. After this update, a correctly-sized variable is used, and the datagram BIO functions no longer terminate with a segmentation fault on System z.

BZ#919404

Prior to this update, the getaddrinfo() function returned an error that was handled incorrectly in the openssl s_server command implementation. Consequently, the OpenSSL s_server did not work on IPv4-only systems. With this update, when getaddrinfo() fails on IPv6 addresses, the code has been modified to fall back to the IPv4 address lookup. As a result, the openssl s_server now correctly starts up on a computer with only IPv4 addresses configured.

Enhancements

BZ#818446

The Intel RDRAND instruction is now used, when available, to generate random numbers and has replaced the default OpenSSL random number generator. The instruction is not used when OpenSSL runs in FIPS mode.

BZ#929291

The performance of OpenSSL on current IBM PowerPC processors has been improved.

BZ#951690

The elliptic curve digital signature algorithm (ECDSA) and elliptic curve Diffie–Hellman (ECDH) algorithms are now enabled in OpenSSL. These algorithms support only elliptic curves listed in the national institute of standards and technology (NIST) Suite B specification.

BZ#951701

The new "-trusted_first" option has been added to OpenSSL. This enables preferring locally stored intermediate certificates instead of the intermediate certificates sent by the TLS server.

BZ#969562

Versions 1.1 and 1.2 of the transport layer security (TLS) protocol are now supported by the OpenSSL library.

BZ#969564

With this update, the "%{_prefix}" macro is used instead of the hardcoded /usr/ directory in the openssl.spec file when configuring OpenSSL before building.

BZ#987411

The next protocol negotiation (NPN) extension of the TLS protocol is now supported by OpenSSL. This extension allows for negotiation of the application protocol, which is used by the application, during the TLS handshake.

BZ#993584, BZ#999867

Due to the FIPS validation requirements, the FIPS Power-on self-tests (POST) always have to run when the FIPS module is installed. For libraries, this is ensured by running the self-tests from the dynamic library constructor function. If the dracut-fips package is installed, OpenSSL now treats it as an indicator that the OpenSSL FIPS module is installed and complete, and the self-tests run whenever the OpenSSL dynamic library is loaded.

Bug Fixes

BZ#1025597

Previously, the OpenSSL code incorrectly used RDRAND instruction when running on Cyrix CPU, which does not support it. Consequently, the applications that use the OpenSSL utility terminated unexpectedly on startup. The detection of CPU features on Cyrix CPU has been fixed, and the applications using OpenSSL no longer crash in the described scenario.

BZ#1025598

Prior to this update, the Transport Layer Security (TLS) client advertised support for some elliptic curves that are not supported by it. As a consequence, server could choose unsupported elliptic curve and client would not be able to communicate with the server over the TLS. With this update, OpenSSL TLS client advertises only the curves that are supported by it, and TLS communication with server (using also curves not supported by the Red Hat Enterprise Linux OpenSSL TLS client) can now be established.