- Update to 3.0.0 Alpha 9

* See also https://www.openssl.org/news/changelog.html
  * Deprecated all the libcrypto and libssl error string loading
    functions. Calling these functions is not necessary since
    OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
  * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
    well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
    deprecated. These are used to set the Diffie-Hellman (DH) parameters that
    are to be used by servers requiring ephemeral DH keys. Instead applications
    should consider using the built-in DH parameters that are available by
    calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto().
  * The -crypt option to the passwd command line tool has been removed.
  * The -C option to the x509, dhparam, dsaparam, and ecparam commands
    has been removed.
  * Added several checks to X509_verify_cert() according to requirements in
    RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by
    using the CLI option '-x509_strict'):
    - The basicConstraints of CA certificates must be marked critical.
    - CA certificates must explicitly include the keyUsage extension.
    - If a pathlenConstraint is given the key usage keyCertSign must be allowed.
    - The issuer name of any certificate must not be empty.
    - The subject name of CA certs, certs with keyUsage crlSign,
      and certs without subjectAlternativeName must not be empty.
    - If a subjectAlternativeName extension is given it must not be empty.
    - The signatureAlgorithm field and the cert signature must be consistent.
    - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
      must not be marked critical.
    - The authorityKeyIdentifier must be given for X.509v3 certs
      unless they are self-signed.
    - The subjectKeyIdentifier must be given for all X.509v3 CA certs.

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=22

openssl-3.0.0-alpha8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a6c7b618a6a37cf0cebbc583b49e6d22d86e2d777e60173433eada074c32eea4
-size 14011376

openssl-3.0.0-alpha8.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+kBlYACgkQ2cTSbQ5g
-RJEo6gf/fZkWKzMPfeQ9u6ZSfWTtHrbS8Iln6tQNDwwK+L5y3knurtbQxvC7ym6i
-fapE7/DijmK0YX7YxoiXaFgm/ZjebtD8Ny8aqQ8qWSvRzSYsarvrBTQ74gwC5ATO
-J5kzwRkVny4xR8sdot332drk4NpVoPNeMPQ0kyNr4PE/9u393+XyE2nMSpD89pnC
-/3l9YZKoDnyEd6fN4BfPwhpzuJxqY9ubshTqy+PKNC81DvIOHN2y7cnRHHrTOYdo
-YOrrLFFNhNGDwuLNFUcS5kzo/Ucobf1WziQsC3QMPfPzvVg45y4pwQW7g40ih5i7
-dmxUUQGliNB8knFs534mhcu8PoaEnQ==
-=xcGS
------END PGP SIGNATURE-----

openssl-3.0.0-alpha9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6
+size 14058484

openssl-3.0.0-alpha9.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+/wWAACgkQ2cTSbQ5g
+RJFDvwgAuocCys3M1rapCg2mwusx+Pl64TBgWVEJ3HwINnNu7DYMmvYSkN3YW94K
+6YI7YH1god1/HhWqVxfAatDfctDfNz+k04m+L2v01d13OiHSajTx+J+2QSOltclD
+V/Cswo/abj79YCz24d9785Py++PTkv/bd4wHvQD2i6OkCtK18Z1GNP90gjZ+Nf4a
+1FLCA9W5CiN0yq3SodH6qe61XascIevYABu2o0LhU/tX9morrFsv0bazl3fZIiBL
+DmkNbDn765WFAkhUKRrTRsCs9jJNwEQUYWtuA4Orjni3BDTaNTo6ij0ZjkBUxHfk
+G5gbrIX+CGBPjSe+ROTa4E50SlGFSg==
+=JUas
+-----END PGP SIGNATURE-----

openssl-3.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 9
+  * See also https://www.openssl.org/news/changelog.html
+  * Deprecated all the libcrypto and libssl error string loading
+    functions. Calling these functions is not necessary since
+    OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
+  * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
+    well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
+    deprecated. These are used to set the Diffie-Hellman (DH) parameters that
+    are to be used by servers requiring ephemeral DH keys. Instead applications
+    should consider using the built-in DH parameters that are available by
+    calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto().
+  * The -crypt option to the passwd command line tool has been removed.
+  * The -C option to the x509, dhparam, dsaparam, and ecparam commands
+    has been removed.
+  * Added several checks to X509_verify_cert() according to requirements in
+    RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by
+    using the CLI option '-x509_strict'):
+    - The basicConstraints of CA certificates must be marked critical.
+    - CA certificates must explicitly include the keyUsage extension.
+    - If a pathlenConstraint is given the key usage keyCertSign must be allowed.
+    - The issuer name of any certificate must not be empty.
+    - The subject name of CA certs, certs with keyUsage crlSign,
+      and certs without subjectAlternativeName must not be empty.
+    - If a subjectAlternativeName extension is given it must not be empty.
+    - The signatureAlgorithm field and the cert signature must be consistent.
+    - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
+      must not be marked critical.
+    - The authorityKeyIdentifier must be given for X.509v3 certs
+      unless they are self-signed.
+    - The subjectKeyIdentifier must be given for all X.509v3 CA certs.
+  * Certificate verification using X509_verify_cert() meanwhile rejects EC keys
+    with explicit curve parameters (specifiedCurve) as required by RFC 5480.
+
 -------------------------------------------------------------------
 Thu Nov  5 18:36:23 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
 

openssl-3.spec

@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha8
+%define relnum alpha9
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!