Pedro Monreal Gonzalez
037d3fe84f
* See also https://www.openssl.org/news/changelog.html * Deprecated all the libcrypto and libssl error string loading functions. Calling these functions is not necessary since OpenSSL 1.1.0, as OpenSSL now loads error strings automatically. * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been deprecated. These are used to set the Diffie-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using the built-in DH parameters that are available by calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). * The -crypt option to the passwd command line tool has been removed. * The -C option to the x509, dhparam, dsaparam, and ecparam commands has been removed. * Added several checks to X509_verify_cert() according to requirements in RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by using the CLI option '-x509_strict'): - The basicConstraints of CA certificates must be marked critical. - CA certificates must explicitly include the keyUsage extension. - If a pathlenConstraint is given the key usage keyCertSign must be allowed. - The issuer name of any certificate must not be empty. - The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty. - If a subjectAlternativeName extension is given it must not be empty. - The signatureAlgorithm field and the cert signature must be consistent. - Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical. - The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed. - The subjectKeyIdentifier must be given for all X.509v3 CA certs. OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=22