Updated openssl packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
- Previously, the ciphers(1) manual page did not describe the following Elliptic Curve Cryptography (ECC) cipher suite groups: Elliptic Curve Diffie–Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA), or TLS version 1.2 (TLSv1.2) specific features. This update adds the missing description of the ECDH and ECDSA cipher groups and TLSv1.2 features to ciphers(1), and the documentation is now complete.
- The server-side renegotiation support did previously not work as expected under certain circumstances. A PostgreSQL failure of database dumps through TLS connection could occur when the size of the dumped data was larger than the value defined in the ssl_renegotiation_limit setting. The regression that caused this bug has been fixed, and the PostgreSQL database dumps through TLS connection no longer fail in the described situation.
- This update adds the "-keytab" option to the "openssl s_server" command and the "-krb5svc" option to the "openssl s_server" and "openssl s_client" commands. The "-keytab" option allows the user to specify a custom keytab location; if the user does not add "-keytab", the openssl utility assumes the default keytab location. The "-krb5svc" option enables selecting a service other than the "host" service; this allows unprivileged users without keys to the host principal to use "openssl s_server" and "open s_client" with Kerberos.
Users of openssl are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.