The major changes and known issues for the 1.1.0 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.
More details can be found in the ChangeLog.
Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]
Copyright text was shrunk to a boilerplate that points to the license
"shared" builds are now the default when possible
Added support for "pipelining"
Added the AFALG engine
New threading API implemented
Support for ChaCha20 and Poly1305 added to libcrypto and libssl
Support for extended master secret
CCM ciphersuites
Reworked test suite, now based on perl, Test::Harness and Test::More
*Most* libcrypto and libssl public structures were made opaque, including: BIGNUM and associated types, EC_KEY and EC_KEY_METHOD, DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD, BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX, X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, X509_LOOKUP_METHOD
libssl internal structures made opaque
SSLv2 support removed
Kerberos ciphersuite support removed
RC4 removed from DEFAULT ciphersuites in libssl
40 and 56 bit cipher support removed from libssl
All public header files moved to include/openssl, no more symlinking
SSL/TLS state machine, version negotiation and record layer rewritten
EC revision: operations now use the new EC_KEY_METHOD.
Support for OCB mode added to libcrypto
Support for asynchronous crypto operations added to libcrypto and libssl
Deprecated interfaces can now be disabled at build time either relative to the latest release via the "no-deprecated" Configure argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
Application software can be compiled with -DOPENSSL_API_COMPAT=version to ensure that features deprecated in that version are not exposed.
Support for RFC6698/RFC7671 DANE TLSA peer authentication
Change of Configure to use --prefix as the main installation directory location rather than --openssldir. The latter becomes the directory for certs, private key and openssl.cnf exclusively.
Reworked BIO networking library, with full support for IPv6.
New "unified" build system
New security levels
Support for scrypt algorithm
Support for X25519
Extended SSL_CONF support using configuration files
KDF algorithm support. Implement TLS PRF as a KDF.
Support for Certificate Transparency
HKDF support.