1.115. openssl

1.115.1. RHBA-2011:1010: openssl bug fix and enhancement update

Updated openssl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
This update fixes the following bugs:
* Prior to this update, the "s_server" command refused to handle connections from clients with an unresolvable IP address and terminated with this error message: "getnameinfo failed". This problem has been fixed: the "s_server" command now does not terminate even if the IP address of the client is not resolvable. (BZ#561260)
* Prior to this update, the openssl packages were not fully compliant with the TLS protocol. As a consequence, the system did not accept a connection from a client indicating that it supports the TLS protocol version 4.1. With this update, the server now accepts connections from such clients, which fixes the problem. (BZ#599112)
* Prior to this update, repeatedly loading and unloading the CHIL engine by a calling program caused the calling program to terminate unexpectedly due to a function pointer not being cleared after the engine was unloaded. This bug has been fixed, and the calling program does not crash anymore. (BZ#622003)
* Prior to this update, a check for a weak public key was missing while the Diffie-Hellman key was computed. With this update, the DH_check_pub_key() function call has been added to the DH_compute_key() function, which solves this low impact problem. (BZ#698175)
* The CHIL Engine is used to access Thales or nCipher hardware devices. Prior to this update, when attempting to load the CHIL engine into the openssl utility, the CHIL engine required thread locking callbacks to be set regardless of whether the calling program was multithreaded. With this update, this unexpected requirement has been removed. (BZ#671484)
* Prior to this update, when running a multithreaded OpenSSL client application that tried to connect to a server simultaneously with multiple threads, a TLS protocol error could have occurred. This bug has been fixed in this update and no longer occurs. (BZ#688901)
In addition, this update provides the following enhancements:
* Prior to this update, manual and help pages for various sub-commands of the openssl utility did not specify all the digest algorithms. With this update, the aforementioned pages have been modified, and users are now pointed to the "openssl dgst -h" command that lists all the available digests. (BZ#608639)
* The StartCom Free SSL Certification Authority and VeriSign Class 3 Public Primary Certification Authority - G5 certificates were added to the /etc/pki/tls/certs/ca-bundle.crt file that contains the certificates of trusted certification authorities. (BZ#675671, BZ#617856)
* The support for peer certificates that use the SHA-256 and SHA-512 hashing algorithms is now enabled by default even if the application calls only the SSL_library_init() function without the OpenSSL_add_all_algorithms() call. (BZ#676384)
All users of OpenSSL should upgrade to these updated packages, which fix these bugs and add these enhancements.