8.135. openssl

Updated openssl packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The openssl packages provide a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Note

The openssl packages have been upgraded to upstream version 1.0.1e, which provides a number of bug fixes and enhancements over the previous version, including support for multiple new cryptographic algorithms and support for the new versions (1.1, 1.2) of the transport layer security (TLS) protocol. This update adds the following ciphers needed for transparent encryption and authentication support in GlusterFS: Cipher-based MAC (CMAC), XEX Tweakable Block Cipher with Ciphertext Stealing (AES-XTS), and Galous Counter Mode (AES-GCM). The following new additional algorithms are now supported: ECDH, ECDSA, and AES-CCM. (BZ#924250)

Bug Fixes

BZ#830109
Previously, an incorrect variable size was passed to the getsockopt() function. As a consequence, using the BIO (OpenSSL I/O) layer in datagram mode caused termination with a segmentation fault. More specifically, the openssl s_client command terminated unexpectedly on IBM System z with the "-dtls1" option enabled. After this update, a correctly-sized variable is used, and the datagram BIO functions no longer terminate with a segmentation fault on System z.
BZ#919404
Prior to this update, the getaddrinfo() function returned an error that was handled incorrectly in the openssl s_server command implementation. Consequently, the OpenSSL s_server did not work on IPv4-only systems. With this update, when getaddrinfo() fails on IPv6 addresses, the code has been modified to fall back to the IPv4 address lookup. As a result, the openssl s_server now correctly starts up on a computer with only IPv4 addresses configured.

Enhancements

BZ#818446
The Intel RDRAND instruction is now used, when available, to generate random numbers and has replaced the default OpenSSL random number generator. The instruction is not used when OpenSSL runs in FIPS mode.
BZ#929291
The performance of OpenSSL on current IBM PowerPC processors has been improved.
BZ#951690
The elliptic curve digital signature algorithm (ECDSA) and elliptic curve Diffie–Hellman (ECDH) algorithms are now enabled in OpenSSL. These algorithms support only elliptic curves listed in the national institute of standards and technology (NIST) Suite B specification.
BZ#951701
The new "-trusted_first" option has been added to OpenSSL. This enables preferring locally stored intermediate certificates instead of the intermediate certificates sent by the TLS server.
BZ#969562
Versions 1.1 and 1.2 of the transport layer security (TLS) protocol are now supported by the OpenSSL library.
BZ#969564
With this update, the "%{_prefix}" macro is used instead of the hardcoded /usr/ directory in the openssl.spec file when configuring OpenSSL before building.
BZ#987411
The next protocol negotiation (NPN) extension of the TLS protocol is now supported by OpenSSL. This extension allows for negotiation of the application protocol, which is used by the application, during the TLS handshake.
BZ#993584, BZ#999867
Due to the FIPS validation requirements, the FIPS Power-on self-tests (POST) always have to run when the FIPS module is installed. For libraries, this is ensured by running the self-tests from the dynamic library constructor function. If the dracut-fips package is installed, OpenSSL now treats it as an indicator that the OpenSSL FIPS module is installed and complete, and the self-tests run whenever the OpenSSL dynamic library is loaded.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs and add these enhancements. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The openssl packages provide a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Bug Fixes

BZ#1025597
Previously, the OpenSSL code incorrectly used RDRAND instruction when running on Cyrix CPU, which does not support it. Consequently, the applications that use the OpenSSL utility terminated unexpectedly on startup. The detection of CPU features on Cyrix CPU has been fixed, and the applications using OpenSSL no longer crash in the described scenario.
BZ#1025598
Prior to this update, the Transport Layer Security (TLS) client advertised support for some elliptic curves that are not supported by it. As a consequence, server could choose unsupported elliptic curve and client would not be able to communicate with the server over the TLS. With this update, OpenSSL TLS client advertises only the curves that are supported by it, and TLS communication with server (using also curves not supported by the Red Hat Enterprise Linux OpenSSL TLS client) can now be established.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.