From 037d3fe84fbdc89e569a53d612961abebf6405fe19190eeee6fd64e11cd1ca81 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 17 Dec 2020 11:11:02 +0000 Subject: [PATCH] - Update to 3.0.0 Alpha 9 * See also https://www.openssl.org/news/changelog.html * Deprecated all the libcrypto and libssl error string loading functions. Calling these functions is not necessary since OpenSSL 1.1.0, as OpenSSL now loads error strings automatically. * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been deprecated. These are used to set the Diffie-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using the built-in DH parameters that are available by calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). * The -crypt option to the passwd command line tool has been removed. * The -C option to the x509, dhparam, dsaparam, and ecparam commands has been removed. * Added several checks to X509_verify_cert() according to requirements in RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by using the CLI option '-x509_strict'): - The basicConstraints of CA certificates must be marked critical. - CA certificates must explicitly include the keyUsage extension. - If a pathlenConstraint is given the key usage keyCertSign must be allowed. - The issuer name of any certificate must not be empty. - The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty. - If a subjectAlternativeName extension is given it must not be empty. - The signatureAlgorithm field and the cert signature must be consistent. - Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical. - The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed. - The subjectKeyIdentifier must be given for all X.509v3 CA certs. 
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=22
---
 openssl-3.0.0-alpha8.tar.gz | 3 ---
 openssl-3.0.0-alpha8.tar.gz.asc | 11 ----------
 openssl-3.0.0-alpha9.tar.gz | 3 +++
 openssl-3.0.0-alpha9.tar.gz.asc | 11 ++++++++++
 openssl-3.changes | 36 +++++++++++++++++++++++++++++++++
 openssl-3.spec | 2 +-
 6 files changed, 51 insertions(+), 15 deletions(-)
 delete mode 100644 openssl-3.0.0-alpha8.tar.gz
 delete mode 100644 openssl-3.0.0-alpha8.tar.gz.asc
 create mode 100644 openssl-3.0.0-alpha9.tar.gz
 create mode 100644 openssl-3.0.0-alpha9.tar.gz.asc
diff --git a/openssl-3.0.0-alpha8.tar.gz b/openssl-3.0.0-alpha8.tar.gz
deleted file mode 100644
index f600fc9..0000000
--- a/openssl-3.0.0-alpha8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a6c7b618a6a37cf0cebbc583b49e6d22d86e2d777e60173433eada074c32eea4
-size 14011376
diff --git a/openssl-3.0.0-alpha8.tar.gz.asc b/openssl-3.0.0-alpha8.tar.gz.asc
deleted file mode 100644
index 8d3c0b1..0000000
--- a/openssl-3.0.0-alpha8.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+kBlYACgkQ2cTSbQ5g
-RJEo6gf/fZkWKzMPfeQ9u6ZSfWTtHrbS8Iln6tQNDwwK+L5y3knurtbQxvC7ym6i
-fapE7/DijmK0YX7YxoiXaFgm/ZjebtD8Ny8aqQ8qWSvRzSYsarvrBTQ74gwC5ATO
-J5kzwRkVny4xR8sdot332drk4NpVoPNeMPQ0kyNr4PE/9u393+XyE2nMSpD89pnC
-/3l9YZKoDnyEd6fN4BfPwhpzuJxqY9ubshTqy+PKNC81DvIOHN2y7cnRHHrTOYdo
-YOrrLFFNhNGDwuLNFUcS5kzo/Ucobf1WziQsC3QMPfPzvVg45y4pwQW7g40ih5i7
-dmxUUQGliNB8knFs534mhcu8PoaEnQ==
-=xcGS
------END PGP SIGNATURE-----
diff --git a/openssl-3.0.0-alpha9.tar.gz b/openssl-3.0.0-alpha9.tar.gz
new file mode 100644
index 0000000..c05375b
--- /dev/null
+++ b/openssl-3.0.0-alpha9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6
+size 14058484
diff --git a/openssl-3.0.0-alpha9.tar.gz.asc b/openssl-3.0.0-alpha9.tar.gz.asc
new file mode 100644
index 0000000..23b7395
--- /dev/null
+++ b/openssl-3.0.0-alpha9.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+/wWAACgkQ2cTSbQ5g
+RJFDvwgAuocCys3M1rapCg2mwusx+Pl64TBgWVEJ3HwINnNu7DYMmvYSkN3YW94K
+6YI7YH1god1/HhWqVxfAatDfctDfNz+k04m+L2v01d13OiHSajTx+J+2QSOltclD
+V/Cswo/abj79YCz24d9785Py++PTkv/bd4wHvQD2i6OkCtK18Z1GNP90gjZ+Nf4a
+1FLCA9W5CiN0yq3SodH6qe61XascIevYABu2o0LhU/tX9morrFsv0bazl3fZIiBL
+DmkNbDn765WFAkhUKRrTRsCs9jJNwEQUYWtuA4Orjni3BDTaNTo6ij0ZjkBUxHfk
+G5gbrIX+CGBPjSe+ROTa4E50SlGFSg==
+=JUas
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index a57057f..7c3a7fe 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal
+
+- Update to 3.0.0 Alpha 9
+ * See also https://www.openssl.org/news/changelog.html
+ * Deprecated all the libcrypto and libssl error string loading
+ functions. Calling these functions is not necessary since
+ OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
+ * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
+ well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
+ deprecated. These are used to set the Diffie-Hellman (DH) parameters that
+ are to be used by servers requiring ephemeral DH keys. Instead applications
+ should consider using the built-in DH parameters that are available by
+ calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto().
+ * The -crypt option to the passwd command line tool has been removed.
+ * The -C option to the x509, dhparam, dsaparam, and ecparam commands
+ has been removed.
+ * Added several checks to X509_verify_cert() according to requirements in
+ RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by
+ using the CLI option '-x509_strict'):
+ - The basicConstraints of CA certificates must be marked critical.
+ - CA certificates must explicitly include the keyUsage extension.
+ - If a pathlenConstraint is given the key usage keyCertSign must be allowed.
+ - The issuer name of any certificate must not be empty.
+ - The subject name of CA certs, certs with keyUsage crlSign,
+ and certs without subjectAlternativeName must not be empty.
+ - If a subjectAlternativeName extension is given it must not be empty.
+ - The signatureAlgorithm field and the cert signature must be consistent.
+ - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
+ must not be marked critical.
+ - The authorityKeyIdentifier must be given for X.509v3 certs
+ unless they are self-signed.
+ - The subjectKeyIdentifier must be given for all X.509v3 CA certs.
+ * Certificate verification using X509_verify_cert() meanwhile rejects EC keys
+ with explicit curve parameters (specifiedCurve) as required by RFC 5480.
+
 -------------------------------------------------------------------
 Thu Nov 5 18:36:23 UTC 2020 - Pedro Monreal
diff --git a/openssl-3.spec b/openssl-3.spec
index 9bf1fb6..c03b4c9 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname openssl
 %define vernum 3.0.0
-%define relnum alpha8
+%define relnum alpha9
 %define dash_version %{vernum}-%{relnum}
 Name: openssl-3
 # Don't forget to update the version in the "openssl" package!