1 | *** Notes, Please read ***
|
---|
2 |
|
---|
3 | Note 1)
|
---|
4 | wolfSSL as of 3.6.6 no longer enables SSLv3 by default. wolfSSL also no
|
---|
5 | longer supports static key cipher suites with PSK, RSA, or ECDH. This means
|
---|
6 | if you plan to use TLS cipher suites you must enable DH (DH is on by default),
|
---|
7 | or enable ECC (ECC is on by default on 64bit systems), or you must enable static
|
---|
8 | key cipher suites with
|
---|
9 | WOLFSSL_STATIC_DH
|
---|
10 | WOLFSSL_STATIC_RSA
|
---|
11 | or
|
---|
12 | WOLFSSL_STATIC_PSK
|
---|
13 |
|
---|
14 | though static key cipher suites are deprecated and will be removed from future
|
---|
15 | versions of TLS. They also lower your security by removing PFS.
|
---|
16 |
|
---|
17 | When compiling ssl.c wolfSSL will now issue a compiler error if no cipher suites
|
---|
18 | are available. You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES
|
---|
19 | in the event that you desire that, i.e., you're not using TLS cipher suites.
|
---|
20 |
|
---|
21 | Note 2)
|
---|
22 | wolfSSL takes a different approach to certificate verification than OpenSSL
|
---|
23 | does. The default policy for the client is to verify the server, this means
|
---|
24 | that if you don't load CAs to verify the server you'll get a connect error,
|
---|
25 | no signer error to confirm failure (-188).
|
---|
26 | If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
|
---|
27 | verifying the server fails and reducing security you can do this by calling:
|
---|
28 |
|
---|
29 | wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
|
---|
30 |
|
---|
31 | before calling wolfSSL_new(); Though it's not recommended.
|
---|
32 |
|
---|
33 | *** end Notes ***
|
---|
34 |
|
---|
35 | ********* wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)
|
---|
36 |
|
---|
37 | Release 3.7.0 of wolfSSL has bug fixes and new features including:
|
---|
38 |
|
---|
39 | - ALPN extension support added for HTTP2 connections with --enable-alpn
|
---|
40 | - Change of example/client/client max fragment flag -L -> -F
|
---|
41 | - Throughput benchmarking, added scripts/benchmark.test
|
---|
42 | - Sniffer API ssl_FreeDecodeBuffer added
|
---|
43 | - Addition of AES_GCM to Sniffer
|
---|
44 | - Sniffer change to handle unlimited decrypt buffer size
|
---|
45 | - New option for the sniffer where it will try to pick up decoding after a
|
---|
46 | sequence number acknowldgement fault. Also includes some additional stats.
|
---|
47 | - JNI API setter and getter function for jobject added
|
---|
48 | - User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto
|
---|
49 | - fix to asn configuration bug
|
---|
50 | - AES-GCM/CCM fixes.
|
---|
51 | - Port for Rowley added
|
---|
52 | - Rowley Crossworks bare metal examples added
|
---|
53 | - MDK5-ARM project update
|
---|
54 | - FreeRTOS support updates.
|
---|
55 | - VXWorks support updates.
|
---|
56 | - Added the IDEA cipher and support in wolfSSL.
|
---|
57 | - Update wolfSSL website CA.
|
---|
58 | - CFLAGS is usable when configuring source.
|
---|
59 |
|
---|
60 | - No high level security fixes that requires an update though we always
|
---|
61 | recommend updating to the latest
|
---|
62 |
|
---|
63 | See INSTALL file for build instructions.
|
---|
64 | More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
|
---|
65 |
|
---|
66 | ********* wolfSSL (Formerly CyaSSL) Release 3.6.8 (09/17/2015)
|
---|
67 |
|
---|
68 | Release 3.6.8 of wolfSSL fixes two high severity vulnerabilities. It also
|
---|
69 | includes bug fixes and new features including:
|
---|
70 |
|
---|
71 | - Two High level security fixes, all users SHOULD update.
|
---|
72 | a) If using wolfSSL for DTLS on the server side of a publicly accessible
|
---|
73 | machine you MUST update.
|
---|
74 | b) If using wolfSSL for TLS on the server side with private RSA keys allowing
|
---|
75 | ephemeral key exchange without low memory optimizations you MUST update and
|
---|
76 | regenerate the private RSA keys.
|
---|
77 |
|
---|
78 | Please see https://www.wolfssl.com/wolfSSL/Blog/Blog.html for more details
|
---|
79 |
|
---|
80 | - No filesystem build fixes for various configurations
|
---|
81 | - Certificate generation now supports several extensions including KeyUsage,
|
---|
82 | SKID, AKID, and Certificate Policies
|
---|
83 | - CRLs can be loaded from buffers as well as files now
|
---|
84 | - SHA-512 Certificate Signing generation
|
---|
85 | - Fixes for sniffer reassembly processing
|
---|
86 |
|
---|
87 | See INSTALL file for build instructions.
|
---|
88 | More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
|
---|
89 |
|
---|
90 | ********* wolfSSL (Formerly CyaSSL) Release 3.6.6 (08/20/2015)
|
---|
91 |
|
---|
92 | Release 3.6.6 of wolfSSL has bug fixes and new features including:
|
---|
93 |
|
---|
94 | - OpenSSH compatibility with --enable-openssh
|
---|
95 | - stunnel compatibility with --enable-stunnel
|
---|
96 | - lighttpd compatibility with --enable-lighty
|
---|
97 | - SSLv3 is now disabled by default, can be enabled with --enable-sslv3
|
---|
98 | - Ephemeral key cipher suites only are now supported by default
|
---|
99 | To enable static ECDH cipher suites define WOLFSSL_STATIC_DH
|
---|
100 | To enable static RSA cipher suites define WOLFSSL_STATIC_RSA
|
---|
101 | To enable static PSK cipher suites define WOLFSSL_STATIC_PSK
|
---|
102 | - Added QSH (quantum-safe handshake) extension with --enable-ntru
|
---|
103 | - SRP is now part of wolfCrypt, enable with --enabe-srp
|
---|
104 | - Certificate handshake messages can now be sent fragmented if the record
|
---|
105 | size is smaller than the total message size, no user action required.
|
---|
106 | - DTLS duplicate message fixes
|
---|
107 | - Visual Studio project files now support DLL and static builds for 32/64bit.
|
---|
108 | - Support for new Freescale I/O
|
---|
109 | - FreeRTOS FIPS support
|
---|
110 |
|
---|
111 | - No high level security fixes that requires an update though we always
|
---|
112 | recommend updating to the latest
|
---|
113 |
|
---|
114 | See INSTALL file for build instructions.
|
---|
115 | More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
|
---|
116 |
|
---|
117 | **************** wolfSSL (Formerly CyaSSL) Release 3.6.0 (06/19/2015)
|
---|
118 |
|
---|
119 | Release 3.6.0 of wolfSSL has bug fixes and new features including:
|
---|
120 |
|
---|
121 | - Max Strength build that only allows TLSv1.2, AEAD ciphers, and PFS (Perfect
|
---|
122 | Forward Secrecy). With --enable-maxstrength
|
---|
123 | - Server side session ticket support, the example server and echoserver use the
|
---|
124 | example callback myTicketEncCb(), see wolfSSL_CTX_set_TicketEncCb()
|
---|
125 | - FIPS version submitted for iOS.
|
---|
126 | - TI Crypto Hardware Acceleration
|
---|
127 | - DTLS fragmentation fixes
|
---|
128 | - ECC key check validation with wc_ecc_check_key()
|
---|
129 | - 32bit code options to reduce memory for Curve25519 and Ed25519
|
---|
130 | - wolfSSL JNI build switch with --enable-jni
|
---|
131 | - PicoTCP support improvements
|
---|
132 | - DH min ephemeral key size enforcement with wolfSSL_CTX_SetMinDhKey_Sz()
|
---|
133 | - KEEP_PEER_CERT and AltNames can now be used together
|
---|
134 | - ChaCha20 big endian fix
|
---|
135 | - SHA-512 signature algorithm support for key exchange and verify messages
|
---|
136 | - ECC make key crash fix on RNG failure, ECC users must update.
|
---|
137 | - Improvements to usage of time code.
|
---|
138 | - Improvements to VS solution files.
|
---|
139 | - GNU Binutils 2.24 ld has problems with some debug builds, to fix an ld error
|
---|
140 | add -fdebug-types-section to C_EXTRA_FLAGS
|
---|
141 |
|
---|
142 | - No high level security fixes that requires an update though we always
|
---|
143 | recommend updating to the latest (except note 14, ecc RNG failure)
|
---|
144 |
|
---|
145 | See INSTALL file for build instructions.
|
---|
146 | More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
|
---|
147 |
|
---|
148 |
|
---|
149 | *****************wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)
|
---|
150 |
|
---|
151 | Release 3.4.6 of wolfSSL has bug fixes and new features including:
|
---|
152 |
|
---|
153 | - Intel Assembly Speedups using instructions rdrand, rdseed, aesni, avx1/2,
|
---|
154 | rorx, mulx, adox, adcx . They can be enabled with --enable-intelasm.
|
---|
155 | These speedup the use of RNG, SHA2, and public key algorithms.
|
---|
156 | - Ed25519 support at the crypto level. Turn on with --enable-ed25519. Examples
|
---|
157 | in wolcrypt/test/test.c ed25519_test().
|
---|
158 | - Post Handshake Memory reductions. wolfSSL can now hold less than 1,000 bytes
|
---|
159 | of memory per secure connection including cipher state.
|
---|
160 | - wolfSSL API and wolfCrypt API fixes, you can still include the cyassl and
|
---|
161 | ctaocrypt headers which will enable the compatibility APIs for the
|
---|
162 | foreseeable future
|
---|
163 | - INSTALL file to help direct users to build instructions for their environment
|
---|
164 | - For ECC users with the normal math library a fix that prevents a crash when
|
---|
165 | verify signature fails. Users of 3.4.0 with ECC and the normal math library
|
---|
166 | must update
|
---|
167 | - RC4 is now disabled by default in autoconf mode
|
---|
168 | - AES-GCM and ChaCha20/Poly1305 are now enabled by default to make AEAD ciphers
|
---|
169 | available without a switch
|
---|
170 | - External ChaCha-Poly AEAD API, thanks to Andrew Burks for the contribution
|
---|
171 | - DHE-PSK cipher suites can now be built without ASN or Cert support
|
---|
172 | - Fix some NO MD5 build issues with optional features
|
---|
173 | - Freescale CodeWarrior project updates
|
---|
174 | - ECC curves can be individually turned on/off at build time.
|
---|
175 | - Sniffer handles Cert Status message and other minor fixes
|
---|
176 | - SetMinVersion() at the wolfSSL Context level instead of just SSL session level
|
---|
177 | to allow minimum protocol version allowed at runtime
|
---|
178 | - RNG failure resource cleanup fix
|
---|
179 |
|
---|
180 | - No high level security fixes that requires an update though we always
|
---|
181 | recommend updating to the latest (except note 6 use case of ecc/normal math)
|
---|
182 |
|
---|
183 | See INSTALL file for build instructions.
|
---|
184 | More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
|
---|
185 |
|
---|
186 |
|
---|
187 | *****************wolfSSL (Formerly CyaSSL) Release 3.4.0 (02/23/2015)
|
---|
188 |
|
---|
189 | Release 3.4.0 wolfSSL has bug fixes and new features including:
|
---|
190 |
|
---|
191 | - wolfSSL API and wolfCrypt API, you can still include the cyassl and ctaocrypt
|
---|
192 | headers which will enable the compatibility APIs for the foreseeable future
|
---|
193 | - Example use of the wolfCrypt API can be found in wolfcrypt/test/test.c
|
---|
194 | - Example use of the wolfSSL API can be found in examples/client/client.c
|
---|
195 | - Curve25519 now supported at the wolfCrypt level, wolfSSL layer coming soon
|
---|
196 | - Improvements in the build configuration under AIX
|
---|
197 | - Microchip Pic32 MZ updates
|
---|
198 | - TIRTOS updates
|
---|
199 | - PowerPC updates
|
---|
200 | - Xcode project update
|
---|
201 | - Bidirectional shutdown examples in client/server with -w (wait for full
|
---|
202 | shutdown) option
|
---|
203 | - Cycle counts on benchmarks for x86_64, more coming soon
|
---|
204 | - ALT_ECC_SIZE for reducing ecc heap use with fastmath when also using large RSA
|
---|
205 | keys
|
---|
206 | - Various compile warnings
|
---|
207 | - Scan-build warning fixes
|
---|
208 | - Changed a memcpy to memmove in the sniffer (if using sniffer please update)
|
---|
209 | - No high level security fixes that requires an update though we always
|
---|
210 | recommend updating to the latest
|
---|
211 |
|
---|
212 |
|
---|
213 | ***********CyaSSL Release 3.3.0 (12/05/2014)
|
---|
214 |
|
---|
215 | - Countermeasuers for Handshake message duplicates, CHANGE CIPHER without
|
---|
216 | FINISHED, and fast forward attempts. Thanks to Karthikeyan Bhargavan from
|
---|
217 | the Prosecco team at INRIA Paris-Rocquencourt for the report.
|
---|
218 | - FIPS version submitted
|
---|
219 | - Removes SSLv2 Client Hello processing, can be enabled with OLD_HELLO_ALLOWED
|
---|
220 | - User can set minimum downgrade version with CyaSSL_SetMinVersion()
|
---|
221 | - Small stack improvements at TLS/SSL layer
|
---|
222 | - TLS Master Secret generation and Key Expansion are now exposed
|
---|
223 | - Adds client side Secure Renegotiation, * not recommended *
|
---|
224 | - Client side session ticket support, not fully tested with Secure Renegotiation
|
---|
225 | - Allows up to 4096bit DHE at TLS Key Exchange layer
|
---|
226 | - Handles non standard SessionID sizes in Hello Messages
|
---|
227 | - PicoTCP Support
|
---|
228 | - Sniffer now supports SNI Virtual Hosts
|
---|
229 | - Sniffer now handles non HTTPS protocols using STARTTLS
|
---|
230 | - Sniffer can now parse records with multiple messages
|
---|
231 | - TI-RTOS updates
|
---|
232 | - Fix for ColdFire optimized fp_digit read only in explicit 32bit case
|
---|
233 | - ADH Cipher Suite ADH-AES128-SHA for EAP-FAST
|
---|
234 |
|
---|
235 | The CyaSSL manual is available at:
|
---|
236 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
237 | and comments about the new features please check the manual.
|
---|
238 |
|
---|
239 |
|
---|
240 | ***********CyaSSL Release 3.2.0 (09/10/2014)
|
---|
241 |
|
---|
242 | Release 3.2.0 CyaSSL has bug fixes and new features including:
|
---|
243 |
|
---|
244 | - ChaCha20 and Poly1305 crypto and suites
|
---|
245 | - Small stack improvements for OCSP, CRL, TLS, DTLS
|
---|
246 | - NTRU Encrypt and Decrypt benchmarks
|
---|
247 | - Updated Visual Studio project files
|
---|
248 | - Updated Keil MDK5 project files
|
---|
249 | - Fix for DTLS sequence numbers with GCM/CCM
|
---|
250 | - Updated HashDRBG with more secure struct declaration
|
---|
251 | - TI-RTOS support and example Code Composer Studio project files
|
---|
252 | - Ability to get enabled cipher suites, CyaSSL_get_ciphers()
|
---|
253 | - AES-GCM/CCM/Direct support for Freescale mmCAU and CAU
|
---|
254 | - Sniffer improvement checking for decrypt key setup
|
---|
255 | - Support for raw ECC key import
|
---|
256 | - Ability to convert ecc_key to DER, EccKeyToDer()
|
---|
257 | - Security fix for RSA Padding check vulnerability reported by Intel Security
|
---|
258 | Advanced Threat Research team
|
---|
259 |
|
---|
260 | The CyaSSL manual is available at:
|
---|
261 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
262 | and comments about the new features please check the manual.
|
---|
263 |
|
---|
264 |
|
---|
265 | ************ CyaSSL Release 3.1.0 (07/14/2014)
|
---|
266 |
|
---|
267 | Release 3.1.0 CyaSSL has bug fixes and new features including:
|
---|
268 |
|
---|
269 | - Fix for older versions of icc without 128-bit type
|
---|
270 | - Intel ASM syntax for AES-NI
|
---|
271 | - Updated NTRU support, keygen benchmark
|
---|
272 | - FIPS check for minimum required HMAC key length
|
---|
273 | - Small stack (--enable-smallstack) improvements for PKCS#7, ASN
|
---|
274 | - TLS extension support for DTLS
|
---|
275 | - Default I/O callbacks external to user
|
---|
276 | - Updated example client with bad clock test
|
---|
277 | - Ability to set optional ECC context info
|
---|
278 | - Ability to enable/disable DH separate from opensslextra
|
---|
279 | - Additional test key/cert buffers for CA and server
|
---|
280 | - Updated example certificates
|
---|
281 |
|
---|
282 | The CyaSSL manual is available at:
|
---|
283 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
284 | and comments about the new features please check the manual.
|
---|
285 |
|
---|
286 |
|
---|
287 | ************ CyaSSL Release 3.0.2 (05/30/2014)
|
---|
288 |
|
---|
289 | Release 3.0.2 CyaSSL has bug fixes and new features including:
|
---|
290 |
|
---|
291 | - Added the following cipher suites:
|
---|
292 | * TLS_PSK_WITH_AES_128_GCM_SHA256
|
---|
293 | * TLS_PSK_WITH_AES_256_GCM_SHA384
|
---|
294 | * TLS_PSK_WITH_AES_256_CBC_SHA384
|
---|
295 | * TLS_PSK_WITH_NULL_SHA384
|
---|
296 | * TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
|
---|
297 | * TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
|
---|
298 | * TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
|
---|
299 | * TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
|
---|
300 | * TLS_DHE_PSK_WITH_NULL_SHA256
|
---|
301 | * TLS_DHE_PSK_WITH_NULL_SHA384
|
---|
302 | * TLS_DHE_PSK_WITH_AES_128_CCM
|
---|
303 | * TLS_DHE_PSK_WITH_AES_256_CCM
|
---|
304 | - Added AES-NI support for Microsoft Visual Studio builds.
|
---|
305 | - Changed small stack build to be disabled by default.
|
---|
306 | - Updated the Hash DRBG and provided a configure option to enable.
|
---|
307 |
|
---|
308 | The CyaSSL manual is available at:
|
---|
309 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
310 | and comments about the new features please check the manual.
|
---|
311 |
|
---|
312 |
|
---|
313 | ************ CyaSSL Release 3.0.0 (04/29/2014)
|
---|
314 |
|
---|
315 | Release 3.0.0 CyaSSL has bug fixes and new features including:
|
---|
316 |
|
---|
317 | - FIPS release candidate
|
---|
318 | - X.509 improvements that address items reported by Suman Jana with security
|
---|
319 | researchers at UT Austin and UC Davis
|
---|
320 | - Small stack size improvements, --enable-smallstack. Offloads large local
|
---|
321 | variables to the heap. (Note this is not complete.)
|
---|
322 | - Updated AES-CCM-8 cipher suites to use approved suite numbers.
|
---|
323 |
|
---|
324 | The CyaSSL manual is available at:
|
---|
325 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
326 | and comments about the new features please check the manual.
|
---|
327 |
|
---|
328 |
|
---|
329 | ************ CyaSSL Release 2.9.4 (04/09/2014)
|
---|
330 |
|
---|
331 | Release 2.9.4 CyaSSL has bug fixes and new features including:
|
---|
332 |
|
---|
333 | - Security fixes that address items reported by Ivan Fratric of the Google
|
---|
334 | Security Team
|
---|
335 | - X.509 Unknown critical extensions treated as errors, report by Suman Jana with
|
---|
336 | security researchers at UT Austin and UC Davis
|
---|
337 | - Sniffer fixes for corrupted packet length and Jumbo frames
|
---|
338 | - ARM thumb mode assembly fixes
|
---|
339 | - Xcode 5.1 support including new clang
|
---|
340 | - PIC32 MZ hardware support
|
---|
341 | - CyaSSL Object has enough room to read the Record Header now w/o allocs
|
---|
342 | - FIPS wrappers for AES, 3DES, SHA1, SHA256, SHA384, HMAC, and RSA.
|
---|
343 | - A sample I/O pool is demonstrated with --enable-iopool to overtake memory
|
---|
344 | handling and reduce memory fragmentation on I/O large sizes
|
---|
345 |
|
---|
346 | The CyaSSL manual is available at:
|
---|
347 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
348 | and comments about the new features please check the manual.
|
---|
349 |
|
---|
350 |
|
---|
351 | ************ CyaSSL Release 2.9.0 (02/07/2014)
|
---|
352 |
|
---|
353 | Release 2.9.0 CyaSSL has bug fixes and new features including:
|
---|
354 | - Freescale Kinetis RNGB support
|
---|
355 | - Freescale Kinetis mmCAU support
|
---|
356 | - TLS Hello extensions
|
---|
357 | - ECC
|
---|
358 | - Secure Renegotiation (null)
|
---|
359 | - Truncated HMAC
|
---|
360 | - SCEP support
|
---|
361 | - PKCS #7 Enveloped data and signed data
|
---|
362 | - PKCS #10 Certificate Signing Request generation
|
---|
363 | - DTLS sliding window
|
---|
364 | - OCSP Improvements
|
---|
365 | - API change to integrate into Certificate Manager
|
---|
366 | - IPv4/IPv6 agnostic
|
---|
367 | - example client/server support for OCSP
|
---|
368 | - OCSP nonces are optional
|
---|
369 | - GMAC hashing
|
---|
370 | - Windows build additions
|
---|
371 | - Windows CYGWIN build fixes
|
---|
372 | - Updated test certificates
|
---|
373 | - Microchip MPLAB Harmony support
|
---|
374 | - Update autoconf scripts
|
---|
375 | - Additional X.509 inspection functions
|
---|
376 | - ECC encrypt/decrypt primitives
|
---|
377 | - ECC Certificate generation
|
---|
378 |
|
---|
379 | The Freescale Kinetis K53 RNGB documentation can be found in Chapter 33 of the
|
---|
380 | K53 Sub-Family Reference Manual:
|
---|
381 | http://cache.freescale.com/files/32bit/doc/ref_manual/K53P144M100SF2RM.pdf
|
---|
382 |
|
---|
383 | Freescale Kinetis K60 mmCAU (AES, DES, 3DES, MD5, SHA, SHA256) documentation
|
---|
384 | can be found in the "ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library
|
---|
385 | User Guide":
|
---|
386 | http://cache.freescale.com/files/32bit/doc/user_guide/CAUAPIUG.pdf
|
---|
387 |
|
---|
388 |
|
---|
389 | *****************CyaSSL Release 2.8.0 (8/30/2013)
|
---|
390 |
|
---|
391 | Release 2.8.0 CyaSSL has bug fixes and new features including:
|
---|
392 | - AES-GCM and AES-CCM use AES-NI
|
---|
393 | - NetX default IO callback handlers
|
---|
394 | - IPv6 fixes for DTLS Hello Cookies
|
---|
395 | - The ability to unload Certs/Keys after the handshake, CyaSSL_UnloadCertsKeys()
|
---|
396 | - SEP certificate extensions
|
---|
397 | - Callback getters for easier resource freeing
|
---|
398 | - External CYASSL_MAX_ERROR_SZ for correct error buffer sizing
|
---|
399 | - MacEncrypt and DecryptVerify Callbacks for User Atomic Record Layer Processing
|
---|
400 | - Public Key Callbacks for ECC and RSA
|
---|
401 | - Client now sends blank cert upon request if doesn't have one with TLS <= 1.2
|
---|
402 |
|
---|
403 |
|
---|
404 | The CyaSSL manual is available at:
|
---|
405 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
406 | and comments about the new features please check the manual.
|
---|
407 |
|
---|
408 |
|
---|
409 | *****************CyaSSL Release 2.7.0 (6/17/2013)
|
---|
410 |
|
---|
411 | Release 2.7.0 CyaSSL has bug fixes and new features including:
|
---|
412 | - SNI support for client and server
|
---|
413 | - KEIL MDK-ARM projects
|
---|
414 | - Wildcard check to domain name match, and Subject altnames are checked too
|
---|
415 | - Better error messages for certificate verification errors
|
---|
416 | - Ability to discard session during handshake verify
|
---|
417 | - More consistent error returns across all APIs
|
---|
418 | - Ability to unload CAs at the CTX or CertManager level
|
---|
419 | - Authority subject id support for Certificate matching
|
---|
420 | - Persistent session cache functionality
|
---|
421 | - Persistent CA cache functionality
|
---|
422 | - Client session table lookups to push serverID table to library level
|
---|
423 | - Camellia support to sniffer
|
---|
424 | - User controllable settings for DTLS timeout values
|
---|
425 | - Sniffer fixes for caching long lived sessions
|
---|
426 | - DTLS reliability enhancements for the handshake
|
---|
427 | - Better ThreadX support
|
---|
428 |
|
---|
429 | When compiling with Mingw, libtool may give the following warning due to
|
---|
430 | path conversion errors:
|
---|
431 |
|
---|
432 | libtool: link: Could not determine host file name corresponding to **
|
---|
433 | libtool: link: Continuing, but uninstalled executables may not work.
|
---|
434 |
|
---|
435 | If so, examples and testsuite will have problems when run, showing an
|
---|
436 | error while loading shared libraries. To resolve, please run "make install".
|
---|
437 |
|
---|
438 | The CyaSSL manual is available at:
|
---|
439 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
440 | and comments about the new features please check the manual.
|
---|
441 |
|
---|
442 |
|
---|
443 | ************** CyaSSL Release 2.6.0 (04/15/2013)
|
---|
444 |
|
---|
445 | Release 2.6.0 CyaSSL has bug fixes and new features including:
|
---|
446 | - DTLS 1.2 support including AEAD ciphers
|
---|
447 | - SHA-3 finalist Blake2 support, it's fast and uses little resources
|
---|
448 | - SHA-384 cipher suites including ECC ones
|
---|
449 | - HMAC now supports SHA-512
|
---|
450 | - Track memory use for example client/server with -t option
|
---|
451 | - Better IPv6 examples with --enable-ipv6, before if ipv6 examples/tests were
|
---|
452 | turned on, localhost only was used. Now link-local (with scope ids) and ipv6
|
---|
453 | hosts can be used as well.
|
---|
454 | - Xcode v4.6 project for iOS v6.1 update
|
---|
455 | - settings.h is now checked in all *.c files for true one file setting detection
|
---|
456 | - Better alignment at SSL layer for hardware crypto alignment needs
|
---|
457 | * Note, SSL itself isn't friendly to alignment with 5 byte TLS headers and
|
---|
458 | 13 bytes DTLS headers, but every effort is now made to align with the
|
---|
459 | CYASSL_GENERAL_ALIGNMENT flag which sets desired alignment requirement
|
---|
460 | - NO_64BIT flag to turn off 64bit data type accumulators in public key code
|
---|
461 | * Note, some systems are faster with 32bit accumulators
|
---|
462 | - --enable-stacksize for example client/server stack use
|
---|
463 | * Note, modern desktop Operating Systems may add bytes to each stack frame
|
---|
464 | - Updated compression/decompression with direct crypto access
|
---|
465 | - All ./configure options are now lowercase only for consistency
|
---|
466 | - ./configure builds default to fastmath option
|
---|
467 | * Note, if on ia32 and building in shared mode this may produce a problem
|
---|
468 | with a missing register being available because of PIC, there are at least
|
---|
469 | 6 solutions to this:
|
---|
470 | 1) --disable-fastmath , don't use fastmath
|
---|
471 | 2) --disable-shared, don't build a shared library
|
---|
472 | 3) C_EXTRA_FLAGS=-DTFM_NO_ASM , turn off assembly use
|
---|
473 | 4) use clang, it just seems to work
|
---|
474 | 5) play around with no PIC options to force all registers being open,
|
---|
475 | e.g, --without-pic
|
---|
476 | 6) if static lib is still a problem try removing fPIE
|
---|
477 | - Many new ./configure switches for option enable/disable for example
|
---|
478 | * rsa
|
---|
479 | * dh
|
---|
480 | * dsa
|
---|
481 | * md5
|
---|
482 | * sha
|
---|
483 | * arc4
|
---|
484 | * null (allow NULL ciphers)
|
---|
485 | * oldtls (only use TLS 1.2)
|
---|
486 | * asn (no certs or public keys allowed)
|
---|
487 | - ./configure generates cyassl/options.h which allows a header the user can
|
---|
488 | include in their app to make sure the same options are set at the app and
|
---|
489 | CyaSSL level.
|
---|
490 | - autoconf no longer needs serial-tests which lowers version requirements of
|
---|
491 | automake to 1.11 and autoconf to 2.63
|
---|
492 |
|
---|
493 | The CyaSSL manual is available at:
|
---|
494 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
495 | and comments about the new features please check the manual.
|
---|
496 |
|
---|
497 |
|
---|
498 |
|
---|
499 | ************** CyaSSL Release 2.5.0 (02/04/2013)
|
---|
500 |
|
---|
501 | Release 2.5.0 CyaSSL has bug fixes and new features including:
|
---|
502 | - Fix for TLS CBC padding timing attack identified by Nadhem Alfardan and
|
---|
503 | Kenny Paterson: http://www.isg.rhul.ac.uk/tls/
|
---|
504 | - Microchip PIC32 (MIPS16, MIPS32) support
|
---|
505 | - Microchip MPLAB X example projects for PIC32 Ethernet Starter Kit
|
---|
506 | - Updated CTaoCrypt benchmark app for embedded systems
|
---|
507 | - 1024-bit test certs/keys and cert/key buffers
|
---|
508 | - AES-CCM-8 crypto and cipher suites
|
---|
509 | - Camellia crypto and cipher suites
|
---|
510 | - Bumped minimum autoconf version to 2.65, automake version to 1.12
|
---|
511 | - Addition of OCSP callbacks
|
---|
512 | - STM32F2 support with hardware crypto and RNG
|
---|
513 | - Cavium NITROX support
|
---|
514 |
|
---|
515 | CTaoCrypt now has support for the Microchip PIC32 and has been tested with
|
---|
516 | the Microchip PIC32 Ethernet Starter Kit, the XC32 compiler and
|
---|
517 | MPLAB X IDE in both MIPS16 and MIPS32 instruction set modes. See the README
|
---|
518 | located under the <cyassl_root>/mplabx directory for more details.
|
---|
519 |
|
---|
520 | To add Cavium NITROX support do:
|
---|
521 |
|
---|
522 | ./configure --with-cavium=/home/user/cavium/software
|
---|
523 |
|
---|
524 | pointing to your licensed cavium/software directory. Since Cavium doesn't
|
---|
525 | build a library we pull in the cavium_common.o file which gives a libtool
|
---|
526 | warning about the portability of this. Also, if you're using the github source
|
---|
527 | tree you'll need to remove the -Wredundant-decls warning from the generated
|
---|
528 | Makefile because the cavium headers don't conform to this warning. Currently
|
---|
529 | CyaSSL supports Cavium RNG, AES, 3DES, RC4, HMAC, and RSA directly at the crypto
|
---|
530 | layer. Support at the SSL level is partial and currently just does AES, 3DES,
|
---|
531 | and RC4. RSA and HMAC are slower until the Cavium calls can be utilized in non
|
---|
532 | blocking mode. The example client turns on cavium support as does the crypto
|
---|
533 | test and benchmark. Please see the HAVE_CAVIUM define.
|
---|
534 |
|
---|
535 | CyaSSL is able to use the STM32F2 hardware-based cryptography and random number
|
---|
536 | generator through the STM32F2 Standard Peripheral Library. For necessary
|
---|
537 | defines, see the CYASSL_STM32F2 define in settings.h. Documentation for the
|
---|
538 | STM32F2 Standard Peripheral Library can be found in the following document:
|
---|
539 | http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/USER_MANUAL/DM00023896.pdf
|
---|
540 |
|
---|
541 | The CyaSSL manual is available at:
|
---|
542 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
543 | and comments about the new features please check the manual.
|
---|
544 |
|
---|
545 |
|
---|
546 |
|
---|
547 | *************** CyaSSL Release 2.4.6 (12/20/2012)
|
---|
548 |
|
---|
549 | Release 2.4.6 CyaSSL has bug fixes and a few new features including:
|
---|
550 | - ECC into main version
|
---|
551 | - Lean PSK build (reduced code size, RAM usage, and stack usage)
|
---|
552 | - FreeBSD CRL monitor support
|
---|
553 | - CyaSSL_peek()
|
---|
554 | - CyaSSL_send() and CyaSSL_recv() for I/O flag setting
|
---|
555 | - CodeWarrior Support
|
---|
556 | - MQX Support
|
---|
557 | - Freescale Kinetis support including Hardware RNG
|
---|
558 | - autoconf builds use jobserver
|
---|
559 | - cyassl-config
|
---|
560 | - Sniffer memory reductions
|
---|
561 |
|
---|
562 | Thanks to Brian Aker for the improved autoconf system, make rpm, cyassl-config,
|
---|
563 | warning system, and general good ideas for improving CyaSSL!
|
---|
564 |
|
---|
565 | The Freescale Kinetis K70 RNGA documentation can be found in Chapter 37 of the
|
---|
566 | K70 Sub-Family Reference Manual:
|
---|
567 | http://cache.freescale.com/files/microcontrollers/doc/ref_manual/K70P256M150SF3RM.pdf
|
---|
568 |
|
---|
569 | The CyaSSL manual is available at:
|
---|
570 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
571 | and comments about the new features please check the manual.
|
---|
572 |
|
---|
573 |
|
---|
574 | *************** CyaSSL Release 2.4.0 (10/10/2012)
|
---|
575 |
|
---|
576 | Release 2.4.0 CyaSSL has bug fixes and a few new features including:
|
---|
577 | - DTLS reliability
|
---|
578 | - Reduced memory usage after handshake
|
---|
579 | - Updated build process
|
---|
580 |
|
---|
581 | The CyaSSL manual is available at:
|
---|
582 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
583 | and comments about the new features please check the manual.
|
---|
584 |
|
---|
585 |
|
---|
586 |
|
---|
587 | *************** CyaSSL Release 2.3.0 (8/10/2012)
|
---|
588 |
|
---|
589 | Release 2.3.0 CyaSSL has bug fixes and a few new features including:
|
---|
590 | - AES-GCM crypto and cipher suites
|
---|
591 | - make test cipher suite checks
|
---|
592 | - Subject AltName processing
|
---|
593 | - Command line support for client/server examples
|
---|
594 | - Sniffer SessionTicket support
|
---|
595 | - SHA-384 cipher suites
|
---|
596 | - Verify cipher suite validity when user overrides
|
---|
597 | - CRL dir monitoring
|
---|
598 | - DTLS Cookie support, reliability coming soon
|
---|
599 |
|
---|
600 | The CyaSSL manual is available at:
|
---|
601 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
602 | and comments about the new features please check the manual.
|
---|
603 |
|
---|
604 |
|
---|
605 |
|
---|
606 | ***************CyaSSL Release 2.2.0 (5/18/2012)
|
---|
607 |
|
---|
608 | Release 2.2.0 CyaSSL has bug fixes and a few new features including:
|
---|
609 | - Initial CRL support (--enable-crl)
|
---|
610 | - Initial OCSP support (--enable-ocsp)
|
---|
611 | - Add static ECDH suites
|
---|
612 | - SHA-384 support
|
---|
613 | - ECC client certificate support
|
---|
614 | - Add medium session cache size (1055 sessions)
|
---|
615 | - Updated unit tests
|
---|
616 | - Protection against mutex reinitialization
|
---|
617 |
|
---|
618 |
|
---|
619 | The CyaSSL manual is available at:
|
---|
620 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
621 | and comments about the new features please check the manual.
|
---|
622 |
|
---|
623 |
|
---|
624 |
|
---|
625 | ***************CyaSSL Release 2.0.8 (2/24/2012)
|
---|
626 |
|
---|
627 | Release 2.0.8 CyaSSL has bug fixes and a few new features including:
|
---|
628 | - A fix for malicious certificates pointed out by Remi Gacogne (thanks)
|
---|
629 | resulting in NULL pointer use.
|
---|
630 | - Respond to renegotiation attempt with no_renegoatation alert
|
---|
631 | - Add basic path support for load_verify_locations()
|
---|
632 | - Add set Temp EC-DHE key size
|
---|
633 | - Extra checks on rsa test when porting into
|
---|
634 |
|
---|
635 |
|
---|
636 | The CyaSSL manual is available at:
|
---|
637 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
638 | and comments about the new features please check the manual.
|
---|
639 |
|
---|
640 |
|
---|
641 |
|
---|
642 | ************* CyaSSL Release 2.0.6 (1/27/2012)
|
---|
643 |
|
---|
644 | Release 2.0.6 CyaSSL has bug fixes and a few new features including:
|
---|
645 | - Fixes for CA basis constraint check
|
---|
646 | - CTX reference counting
|
---|
647 | - Initial unit test additions
|
---|
648 | - Lean and Mean Windows fix
|
---|
649 | - ECC benchmarking
|
---|
650 | - SSMTP build support
|
---|
651 | - Ability to group handshake messages with set_group_messages(ctx/ssl)
|
---|
652 | - CA cache addition callback
|
---|
653 | - Export Base64_Encode for general use
|
---|
654 |
|
---|
655 | The CyaSSL manual is available at:
|
---|
656 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
657 | and comments about the new features please check the manual.
|
---|
658 |
|
---|
659 |
|
---|
660 |
|
---|
661 | ************* CyaSSL Release 2.0.2 (12/05/2011)
|
---|
662 |
|
---|
663 | Release 2.0.2 CyaSSL has bug fixes and a few new features including:
|
---|
664 | - CTaoCrypt Runtime library detection settings when directly using the crypto
|
---|
665 | library
|
---|
666 | - Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation
|
---|
667 | - All test certificates now use 2048bit and SHA-1 for better modern browser
|
---|
668 | support
|
---|
669 | - Direct AES block access and AES-CTR (counter) mode
|
---|
670 | - Microchip pic32 support
|
---|
671 |
|
---|
672 | The CyaSSL manual is available at:
|
---|
673 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
674 | and comments about the new features please check the manual.
|
---|
675 |
|
---|
676 |
|
---|
677 |
|
---|
678 | ************* CyaSSL Release 2.0.0rc3 (9/28/2011)
|
---|
679 |
|
---|
680 | Release 2.0.0rc3 for CyaSSL has bug fixes and a few new features including:
|
---|
681 | - updated autoconf support
|
---|
682 | - better make install and uninstall (uses system directories)
|
---|
683 | - make test / make check
|
---|
684 | - CyaSSL headers now in <cyassl/*.h>
|
---|
685 | - CTaocrypt headers now in <cyassl/ctaocrypt/*.h>
|
---|
686 | - OpenSSL compatibility headers now in <cyassl/openssl/*.h>
|
---|
687 | - examples and tests all run from home directory so can use certs in ./certs
|
---|
688 | (see note 1)
|
---|
689 |
|
---|
690 | So previous applications that used the OpenSSL compatibility header
|
---|
691 | <openssl/ssl.h> now need to include <cyassl/openssl/ssl.h> instead, no other
|
---|
692 | changes are required.
|
---|
693 |
|
---|
694 | Special Thanks to Brian Aker for his autoconf, install, and header patches.
|
---|
695 |
|
---|
696 | The CyaSSL manual is available at:
|
---|
697 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
698 | and comments about the new features please check the manual.
|
---|
699 |
|
---|
700 | ************CyaSSL Release 2.0.0rc2 (6/6/2011)
|
---|
701 |
|
---|
702 | Release 2.0.0rc2 for CyaSSL has bug fixes and a few new features including:
|
---|
703 | - bug fixes (Alerts, DTLS with DHE)
|
---|
704 | - FreeRTOS support
|
---|
705 | - lwIP support
|
---|
706 | - Wshadow warnings removed
|
---|
707 | - asn public header
|
---|
708 | - CTaoCrypt public headers now all have ctc_ prefix (the manual is still being
|
---|
709 | updated to reflect this change)
|
---|
710 | - and more.
|
---|
711 |
|
---|
712 | This is the 2nd and perhaps final release candidate for version 2.
|
---|
713 | Please send any comments or questions to support@wolfssl.com.
|
---|
714 |
|
---|
715 | The CyaSSL manual is available at:
|
---|
716 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
717 | and comments about the new features please check the manual.
|
---|
718 |
|
---|
719 | ***********CyaSSL Release 2.0.0rc1 (5/2/2011)
|
---|
720 |
|
---|
721 | Release 2.0.0rc1 for CyaSSL has many new features including:
|
---|
722 | - bug fixes
|
---|
723 | - SHA-256 cipher suites
|
---|
724 | - Root Certificate Verification (instead of needing all certs in the chain)
|
---|
725 | - PKCS #8 private key encryption (supports PKCS #5 v1-v2 and PKCS #12)
|
---|
726 | - Serial number retrieval for x509
|
---|
727 | - PBKDF2 and PKCS #12 PBKDF
|
---|
728 | - UID parsing for x509
|
---|
729 | - SHA-256 certificate signatures
|
---|
730 | - Client and server can send chains (SSL_CTX_use_certificate_chain_file)
|
---|
731 | - CA loading can now parse multiple certificates per file
|
---|
732 | - Dynamic memory runtime hooks
|
---|
733 | - Runtime hooks for logging
|
---|
734 | - EDH on server side
|
---|
735 | - More informative error codes
|
---|
736 | - More informative logging messages
|
---|
737 | - Version downgrade more robust (use SSL_v23*)
|
---|
738 | - Shared build only by default through ./configure
|
---|
739 | - Compiler visibility is now used, internal functions not polluting namespace
|
---|
740 | - Single Makefile, no recursion, for faster and simpler building
|
---|
741 | - Turn on all warnings possible build option, warning fixes
|
---|
742 | - and more.
|
---|
743 |
|
---|
744 | Because of all the new features and the multiple OS, compiler, feature-set
|
---|
745 | options that CyaSSL allows, there may be some configuration fixes needed.
|
---|
746 | Please send any comments or questions to support@wolfssl.com.
|
---|
747 |
|
---|
748 | The CyaSSL manual is available at:
|
---|
749 | http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf. For build instructions
|
---|
750 | and comments about the new features please check the manual.
|
---|
751 |
|
---|
752 | ****************** CyaSSL Release 1.9.0 (3/2/2011)
|
---|
753 |
|
---|
754 | Release 1.9.0 for CyaSSL adds bug fixes, improved TLSv1.2 through testing and
|
---|
755 | better hash/sig algo ids, --enable-webServer for the yaSSL embedded web server,
|
---|
756 | improper AES key setup detection, user cert verify callback improvements, and
|
---|
757 | more.
|
---|
758 |
|
---|
759 | The CyaSSL manual offering is included in the doc/ directory. For build
|
---|
760 | instructions and comments about the new features please check the manual.
|
---|
761 |
|
---|
762 | Please send any comments or questions to support@wolfssl.com.
|
---|
763 |
|
---|
764 | ****************** CyaSSL Release 1.8.0 (12/23/2010)
|
---|
765 |
|
---|
766 | Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate
|
---|
767 | generation, a C standard library abstraction layer, lower memory use, increased
|
---|
768 | portability through the os_settings.h file, and the ability to use NTRU cipher
|
---|
769 | suites when used in conjunction with an NTRU license and library.
|
---|
770 |
|
---|
771 | The initial CyaSSL manual offering is included in the doc/ directory. For
|
---|
772 | build instructions and comments about the new features please check the manual.
|
---|
773 |
|
---|
774 | Please send any comments or questions to support@wolfssl.com.
|
---|
775 |
|
---|
776 | Happy Holidays.
|
---|
777 |
|
---|
778 |
|
---|
779 | ********************* CyaSSL Release 1.6.5 (9/9/2010)
|
---|
780 |
|
---|
781 | Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate
|
---|
782 | generation.
|
---|
783 |
|
---|
784 | For general build instructions see doc/Building_CyaSSL.pdf.
|
---|
785 |
|
---|
786 | To enable certificate generation support add this option to ./configure
|
---|
787 | ./configure --enable-certgen
|
---|
788 |
|
---|
789 | An example is included in ctaocrypt/test/test.c and documentation is provided
|
---|
790 | in doc/CyaSSL_Extensions_Reference.pdf item 11.
|
---|
791 |
|
---|
792 | ********************** CyaSSL Release 1.6.0 (8/27/2010)
|
---|
793 |
|
---|
794 | Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key
|
---|
795 | generation.
|
---|
796 |
|
---|
797 | For general build instructions see doc/Building_CyaSSL.pdf.
|
---|
798 |
|
---|
799 | To add RIPEMD-160 support add this option to ./configure
|
---|
800 | ./configure --enable-ripemd
|
---|
801 |
|
---|
802 | To add SHA-512 support add this option to ./configure
|
---|
803 | ./configure --enable-sha512
|
---|
804 |
|
---|
805 | To add RSA key generation support add this option to ./configure
|
---|
806 | ./configure --enable-keygen
|
---|
807 |
|
---|
808 | Please see ctaocrypt/test/test.c for examples and usage.
|
---|
809 |
|
---|
810 | For Windows, RIPEMD-160 and SHA-512 are enabled by default but key generation is
|
---|
811 | off by default. To turn key generation on add the define CYASSL_KEY_GEN to
|
---|
812 | CyaSSL.
|
---|
813 |
|
---|
814 |
|
---|
815 | ************* CyaSSL Release 1.5.6 (7/28/2010)
|
---|
816 |
|
---|
817 | Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider,
|
---|
818 | and a fix for GCC builds on some systems.
|
---|
819 |
|
---|
820 | For general build instructions see doc/Building_CyaSSL.pdf.
|
---|
821 |
|
---|
822 | To add AES-NI support add this option to ./configure
|
---|
823 | ./configure --enable-aesni
|
---|
824 |
|
---|
825 | You'll need GCC 4.4.3 or later to make use of the assembly.
|
---|
826 |
|
---|
827 | ************** CyaSSL Release 1.5.4 (7/7/2010)
|
---|
828 |
|
---|
829 | Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed
|
---|
830 | improvements from loop unrolling, and support for the Mongoose Web Server.
|
---|
831 |
|
---|
832 | For general build instructions see doc/Building_CyaSSL.pdf.
|
---|
833 |
|
---|
834 | To add AES-NI support add this option to ./configure
|
---|
835 | ./configure --enable-aesni
|
---|
836 |
|
---|
837 | You'll need GCC 4.4.3 or later to make use of the assembly.
|
---|
838 |
|
---|
839 | *************** CyaSSL Release 1.5.0 (5/11/2010)
|
---|
840 |
|
---|
841 | Release 1.5.0 for CyaSSL adds bug fixes, GoAhead WebServer support, sniffer
|
---|
842 | support, and initial swig interface support.
|
---|
843 |
|
---|
844 | For general build instructions see doc/Building_CyaSSL.pdf.
|
---|
845 |
|
---|
846 | To add support for GoAhead WebServer either --enable-opensslExtra or if you
|
---|
847 | don't want all the features of opensslExtra you can just define GOAHEAD_WS
|
---|
848 | instead. GOAHEAD_WS can be added to ./configure with CFLAGS=-DGOAHEAD_WS or
|
---|
849 | you can define it yourself.
|
---|
850 |
|
---|
851 | To look at the sniffer support please see the sniffertest app in
|
---|
852 | sslSniffer/sslSnifferTest. Build with --enable-sniffer on *nix or use the
|
---|
853 | vcproj files on windows. You'll need to have pcap installed on *nix and
|
---|
854 | WinPcap on windows.
|
---|
855 |
|
---|
856 | A swig interface file is now located in the swig directory for using Python,
|
---|
857 | Java, Perl, and others with CyaSSL. This is initial support and experimental,
|
---|
858 | please send questions or comments to support@wolfssl.com.
|
---|
859 |
|
---|
860 | When doing load testing with CyaSSL, on the echoserver example say, the client
|
---|
861 | machine may run out of tcp ephemeral ports, they will end up in the TIME_WAIT
|
---|
862 | queue, and can't be reused by default. There are generally two ways to fix
|
---|
863 | this. 1) Reduce the length sockets remain on the TIME_WAIT queue or 2) Allow
|
---|
864 | items on the TIME_WAIT queue to be reused.
|
---|
865 |
|
---|
866 |
|
---|
867 | To reduce the TIME_WAIT length in OS X to 3 seconds (3000 milliseconds)
|
---|
868 |
|
---|
869 | sudo sysctl -w net.inet.tcp.msl=3000
|
---|
870 |
|
---|
871 | In Linux
|
---|
872 |
|
---|
873 | sudo sysctl -w net.ipv4.tcp_tw_reuse=1
|
---|
874 |
|
---|
875 | allows reuse of sockets in TIME_WAIT
|
---|
876 |
|
---|
877 | sudo sysctl -w net.ipv4.tcp_tw_recycle=1
|
---|
878 |
|
---|
879 | works but seems to remove sockets from TIME_WAIT entirely?
|
---|
880 |
|
---|
881 | sudo sysctl -w net.ipv4.tcp_fin_timeout=1
|
---|
882 |
|
---|
883 | doen't control TIME_WAIT, it controls FIN_WAIT(2) contrary to some posts
|
---|
884 |
|
---|
885 |
|
---|
886 | ******************** CyaSSL Release 1.4.0 (2/18/2010)
|
---|
887 |
|
---|
888 | Release 1.3.0 for CyaSSL adds bug fixes, better multi TLS/SSL version support
|
---|
889 | through SSLv23_server_method(), and improved documentation in the doc/ folder.
|
---|
890 |
|
---|
891 | For general build instructions doc/Building_CyaSSL.pdf.
|
---|
892 |
|
---|
893 | ******************** CyaSSL Release 1.3.0 (1/21/2010)
|
---|
894 |
|
---|
895 | Release 1.3.0 for CyaSSL adds bug fixes, a potential security problem fix,
|
---|
896 | better porting support, removal of assert()s, and a complete THREADX port.
|
---|
897 |
|
---|
898 | For general build instructions see rc1 below.
|
---|
899 |
|
---|
900 | ******************** CyaSSL Release 1.2.0 (11/2/2009)
|
---|
901 |
|
---|
902 | Release 1.2.0 for CyaSSL adds bug fixes and session negotiation if first use is
|
---|
903 | read or write.
|
---|
904 |
|
---|
905 | For general build instructions see rc1 below.
|
---|
906 |
|
---|
907 | ******************** CyaSSL Release 1.1.0 (9/2/2009)
|
---|
908 |
|
---|
909 | Release 1.1.0 for CyaSSL adds bug fixes, a check against malicious session
|
---|
910 | cache use, support for lighttpd, and TLS 1.2.
|
---|
911 |
|
---|
912 | To get TLS 1.2 support please use the client and server functions:
|
---|
913 |
|
---|
914 | SSL_METHOD *TLSv1_2_server_method(void);
|
---|
915 | SSL_METHOD *TLSv1_2_client_method(void);
|
---|
916 |
|
---|
917 | CyaSSL was tested against lighttpd 1.4.23. To build CyaSSL for use with
|
---|
918 | lighttpd use the following commands from the CyaSSL install dir <CyaSSLDir>:
|
---|
919 |
|
---|
920 | ./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib
|
---|
921 |
|
---|
922 | make
|
---|
923 | make openssl-links
|
---|
924 |
|
---|
925 | Then to build lighttpd with CyaSSL use the following commands from the
|
---|
926 | lighttpd install dir:
|
---|
927 |
|
---|
928 | ./configure --with-openssl --with-openssl-includes=<CyaSSLDir>/include --with-openssl-libs=<CyaSSLDir>/lib LDFLAGS=-lm
|
---|
929 |
|
---|
930 | make
|
---|
931 |
|
---|
932 | On some systems you may get a linker error about a duplicate symbol for
|
---|
933 | MD5_Init or other MD5 calls. This seems to be caused by the lighttpd src file
|
---|
934 | md5.c, which defines MD5_Init(), and is included in liblightcomp_la-md5.o.
|
---|
935 | When liblightcomp is linked with the SSL_LIBs the linker may complain about
|
---|
936 | the duplicate symbol. This can be fixed by editing the lighttpd src file md5.c
|
---|
937 | and adding this line to the beginning of the file:
|
---|
938 |
|
---|
939 | #if 0
|
---|
940 |
|
---|
941 | and this line to the end of the file
|
---|
942 |
|
---|
943 | #endif
|
---|
944 |
|
---|
945 | Then from the lighttpd src dir do a:
|
---|
946 |
|
---|
947 | make clean
|
---|
948 | make
|
---|
949 |
|
---|
950 |
|
---|
951 | If you get link errors about undefined symbols more than likely the actual
|
---|
952 | OpenSSL libraries are found by the linker before the CyaSSL openssl-links that
|
---|
953 | point to the CyaSSL library, causing the linker confusion. This can be fixed
|
---|
954 | by editing the Makefile in the lighttpd src directory and changing the line:
|
---|
955 |
|
---|
956 | SSL_LIB = -lssl -lcrypto
|
---|
957 |
|
---|
958 | to
|
---|
959 |
|
---|
960 | SSL_LIB = -lcyassl
|
---|
961 |
|
---|
962 | Then from the lighttpd src dir do a:
|
---|
963 |
|
---|
964 | make clean
|
---|
965 | make
|
---|
966 |
|
---|
967 | This should remove any confusion the linker may be having with missing symbols.
|
---|
968 |
|
---|
969 | For any questions or concerns please contact support@wolfssl.com .
|
---|
970 |
|
---|
971 | For general build instructions see rc1 below.
|
---|
972 |
|
---|
973 | ******************CyaSSL Release 1.0.6 (8/03/2009)
|
---|
974 |
|
---|
975 | Release 1.0.6 for CyaSSL adds bug fixes, an improved session cache, and faster
|
---|
976 | math with a huge code option.
|
---|
977 |
|
---|
978 | The session cache now defaults to a client mode, also good for embedded servers.
|
---|
979 | For servers not under heavy load (less than 200 new sessions per minute), define
|
---|
980 | BIG_SESSION_CACHE. If the server will be under heavy load, define
|
---|
981 | HUGE_SESSION_CACHE.
|
---|
982 |
|
---|
983 | There is now a fasthugemath option for configure. This enables fastmath plus
|
---|
984 | even faster math by greatly increasing the code size of the math library. Use
|
---|
985 | the benchmark utility to compare public key operations.
|
---|
986 |
|
---|
987 |
|
---|
988 | For general build instructions see rc1 below.
|
---|
989 |
|
---|
990 | ******************CyaSSL Release 1.0.3 (5/10/2009)
|
---|
991 |
|
---|
992 | Release 1.0.3 for CyaSSL adds bug fixes and add increased support for OpenSSL
|
---|
993 | compatibility when building other applications.
|
---|
994 |
|
---|
995 | Release 1.0.3 includes an alpha release of DTLS for both client and servers.
|
---|
996 | This is only for testing purposes at this time. Rebroadcast and reordering
|
---|
997 | aren't fully implemented at this time but will be for the next release.
|
---|
998 |
|
---|
999 | For general build instructions see rc1 below.
|
---|
1000 |
|
---|
1001 | ******************CyaSSL Release 1.0.2 (4/3/2009)
|
---|
1002 |
|
---|
1003 | Release 1.0.2 for CyaSSL adds bug fixes for a couple I/O issues. Some systems
|
---|
1004 | will send a SIGPIPE on socket recv() at any time and this should be handled by
|
---|
1005 | the application by turning off SIGPIPE through setsockopt() or returning from
|
---|
1006 | the handler.
|
---|
1007 |
|
---|
1008 | Release 1.0.2 includes an alpha release of DTLS for both client and servers.
|
---|
1009 | This is only for testing purposes at this time. Rebroadcast and reordering
|
---|
1010 | aren't fully implemented at this time but will be for the next release.
|
---|
1011 |
|
---|
1012 | For general build instructions see rc1 below.
|
---|
1013 |
|
---|
1014 | *****************CyaSSL Release Candidate 3 rc3-1.0.0 (2/25/2009)
|
---|
1015 |
|
---|
1016 |
|
---|
1017 | Release Candidate 3 for CyaSSL 1.0.0 adds bug fixes and adds a project file for
|
---|
1018 | iPhone development with Xcode. cyassl-iphone.xcodeproj is located in the root
|
---|
1019 | directory. This release also includes a fix for supporting other
|
---|
1020 | implementations that bundle multiple messages at the record layer, this was
|
---|
1021 | lost when cyassl i/o was re-implemented but is now fixed.
|
---|
1022 |
|
---|
1023 | For general build instructions see rc1 below.
|
---|
1024 |
|
---|
1025 | *****************CyaSSL Release Candidate 2 rc2-1.0.0 (1/21/2009)
|
---|
1026 |
|
---|
1027 |
|
---|
1028 | Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and adds two new stream
|
---|
1029 | ciphers along with their respective cipher suites. CyaSSL adds support for
|
---|
1030 | HC-128 and RABBIT stream ciphers. The new suites are:
|
---|
1031 |
|
---|
1032 | TLS_RSA_WITH_HC_128_SHA
|
---|
1033 | TLS_RSA_WITH_RABBIT_SHA
|
---|
1034 |
|
---|
1035 | And the corresponding cipher names are
|
---|
1036 |
|
---|
1037 | HC128-SHA
|
---|
1038 | RABBIT-SHA
|
---|
1039 |
|
---|
1040 | CyaSSL also adds support for building with devkitPro for PPC by changing the
|
---|
1041 | library proper to use libogc. The examples haven't been changed yet but if
|
---|
1042 | there's interest they can be. Here's an example ./configure to build CyaSSL
|
---|
1043 | for devkitPro:
|
---|
1044 |
|
---|
1045 | ./configure --disable-shared CC=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-gcc --host=ppc --without-zlib --enable-singleThreaded RANLIB=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-ranlib CFLAGS="-DDEVKITPRO -DGEKKO"
|
---|
1046 |
|
---|
1047 | For linking purposes you'll need
|
---|
1048 |
|
---|
1049 | LDFLAGS="-g -mrvl -mcpu=750 -meabi -mhard-float -Wl,-Map,$(notdir $@).map"
|
---|
1050 |
|
---|
1051 | For general build instructions see rc1 below.
|
---|
1052 |
|
---|
1053 |
|
---|
1054 | ********************CyaSSL Release Candidate 1 rc1-1.0.0 (12/17/2008)
|
---|
1055 |
|
---|
1056 |
|
---|
1057 | Release Candidate 1 for CyaSSL 1.0.0 contains major internal changes. Several
|
---|
1058 | areas have optimization improvements, less dynamic memory use, and the I/O
|
---|
1059 | strategy has been refactored to allow alternate I/O handling or Library use.
|
---|
1060 | Many thanks to Thierry Fournier for providing these ideas and most of the work.
|
---|
1061 |
|
---|
1062 | Because of these changes, this release is only a candidate since some problems
|
---|
1063 | are probably inevitable on some platform with some I/O use. Please report any
|
---|
1064 | problems and we'll try to resolve them as soon as possible. You can contact us
|
---|
1065 | at support@wolfssl.com or todd@wolfssl.com.
|
---|
1066 |
|
---|
1067 | Using TomsFastMath by passing --enable-fastmath to ./configure now uses assembly
|
---|
1068 | on some platforms. This is new so please report any problems as every compiler,
|
---|
1069 | mode, OS combination hasn't been tested. On ia32 all of the registers need to
|
---|
1070 | be available so be sure to pass these options to CFLAGS:
|
---|
1071 |
|
---|
1072 | CFLAGS="-O3 -fomit-frame-pointer"
|
---|
1073 |
|
---|
1074 | OS X will also need -mdynamic-no-pic added to CFLAGS
|
---|
1075 |
|
---|
1076 | Also if you're building in shared mode for ia32 you'll need to pass options to
|
---|
1077 | LDFLAGS as well on OS X:
|
---|
1078 |
|
---|
1079 | LDFLAGS=-Wl,-read_only_relocs,warning
|
---|
1080 |
|
---|
1081 | This gives warnings for some symbols but seems to work.
|
---|
1082 |
|
---|
1083 |
|
---|
1084 | --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
|
---|
1085 |
|
---|
1086 | ./configure
|
---|
1087 | make
|
---|
1088 |
|
---|
1089 | from the ./testsuite/ directory run ./testsuite
|
---|
1090 |
|
---|
1091 | to make a debug build:
|
---|
1092 |
|
---|
1093 | ./configure --enable-debug --disable-shared
|
---|
1094 | make
|
---|
1095 |
|
---|
1096 |
|
---|
1097 |
|
---|
1098 | --To build on Win32
|
---|
1099 |
|
---|
1100 | Choose (Re)Build All from the project workspace
|
---|
1101 |
|
---|
1102 | Run the testsuite program
|
---|
1103 |
|
---|
1104 |
|
---|
1105 |
|
---|
1106 |
|
---|
1107 |
|
---|
1108 | *************************CyaSSL version 0.9.9 (7/25/2008)
|
---|
1109 |
|
---|
1110 | This release of CyaSSL adds bug fixes, Pre-Shared Keys, over-rideable memory
|
---|
1111 | handling, and optionally TomsFastMath. Thanks to Mois辿s Guimar達es for the
|
---|
1112 | work on TomsFastMath.
|
---|
1113 |
|
---|
1114 | To optionally use TomsFastMath pass --enable-fastmath to ./configure
|
---|
1115 | Or define USE_FAST_MATH in each project from CyaSSL for MSVC.
|
---|
1116 |
|
---|
1117 | Please use the benchmark routine before and after to see the performance
|
---|
1118 | difference, on some platforms the gains will be little but RSA encryption
|
---|
1119 | always seems to be faster. On x86-64 machines with GCC the normal math library
|
---|
1120 | may outperform the fast one when using CFLAGS=-m64 because TomsFastMath can't
|
---|
1121 | yet use -m64 because of GCCs inability to do 128bit division.
|
---|
1122 |
|
---|
1123 | **** UPDATE GCC 4.2.1 can now do 128bit division ***
|
---|
1124 |
|
---|
1125 | See notes below (0.2.0) for complete build instructions.
|
---|
1126 |
|
---|
1127 |
|
---|
1128 | ****************CyaSSL version 0.9.8 (5/7/2008)
|
---|
1129 |
|
---|
1130 | This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better
|
---|
1131 | socket handling.
|
---|
1132 |
|
---|
1133 | See notes below (0.2.0) for complete build instructions.
|
---|
1134 |
|
---|
1135 |
|
---|
1136 | ****************CyaSSL version 0.9.6 (1/31/2008)
|
---|
1137 |
|
---|
1138 | This release of CyaSSL adds bug fixes, increased session management, and a fix
|
---|
1139 | for gnutls.
|
---|
1140 |
|
---|
1141 | See notes below (0.2.0) for complete build instructions.
|
---|
1142 |
|
---|
1143 |
|
---|
1144 | ****************CyaSSL version 0.9.0 (10/15/2007)
|
---|
1145 |
|
---|
1146 | This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support,
|
---|
1147 | IPV6 support and test, and new test certificates.
|
---|
1148 |
|
---|
1149 | See notes below (0.2.0) for complete build instructions.
|
---|
1150 |
|
---|
1151 |
|
---|
1152 | ****************CyaSSL version 0.8.0 (1/10/2007)
|
---|
1153 |
|
---|
1154 | This release of CyaSSL adds increased socket support, for non-blocking writes,
|
---|
1155 | connects, and interrupted system calls.
|
---|
1156 |
|
---|
1157 | See notes below (0.2.0) for complete build instructions.
|
---|
1158 |
|
---|
1159 |
|
---|
1160 | ****************CyaSSL version 0.6.3 (10/30/2006)
|
---|
1161 |
|
---|
1162 | This release of CyaSSL adds debug logging to stderr to aid in the debugging of
|
---|
1163 | CyaSSL on systems that may not provide the best support.
|
---|
1164 |
|
---|
1165 | If CyaSSL is built with debugging support then you need to call
|
---|
1166 | CyaSSL_Debugging_ON() to turn logging on.
|
---|
1167 |
|
---|
1168 | On Unix use ./configure --enable-debug
|
---|
1169 |
|
---|
1170 | On Windows define DEBUG_CYASSL when building CyaSSL
|
---|
1171 |
|
---|
1172 |
|
---|
1173 | To turn logging back off call CyaSSL_Debugging_OFF()
|
---|
1174 |
|
---|
1175 | See notes below (0.2.0) for complete build instructions.
|
---|
1176 |
|
---|
1177 |
|
---|
1178 | *****************CyaSSL version 0.6.2 (10/29/2006)
|
---|
1179 |
|
---|
1180 | This release of CyaSSL adds TLS 1.1.
|
---|
1181 |
|
---|
1182 | Note that CyaSSL has certificate verification on by default, unlike OpenSSL.
|
---|
1183 | To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with
|
---|
1184 | SSL_VERIFY_NONE. In order to have full security you should never do this,
|
---|
1185 | provide CyaSSL with the proper certificates to eliminate impostors and call
|
---|
1186 | CyaSSL_check_domain_name() to prevent man in the middle attacks.
|
---|
1187 |
|
---|
1188 | See notes below (0.2.0) for build instructions.
|
---|
1189 |
|
---|
1190 | *****************CyaSSL version 0.6.0 (10/25/2006)
|
---|
1191 |
|
---|
1192 | This release of CyaSSL adds more SSL functions, better autoconf, nonblocking
|
---|
1193 | I/O for accept, connect, and read. There is now an --enable-small configure
|
---|
1194 | option that turns off TLS, AES, DES3, HMAC, and ERROR_STRINGS, see configure.in
|
---|
1195 | for the defines. Note that TLS requires HMAC and AES requires TLS.
|
---|
1196 |
|
---|
1197 | See notes below (0.2.0) for build instructions.
|
---|
1198 |
|
---|
1199 |
|
---|
1200 | *****************CyaSSL version 0.5.5 (09/27/2006)
|
---|
1201 |
|
---|
1202 | This mini release of CyaSSL adds better input processing through buffered input
|
---|
1203 | and big message support. Added SSL_pending() and some sanity checks on user
|
---|
1204 | settings.
|
---|
1205 |
|
---|
1206 | See notes below (0.2.0) for build instructions.
|
---|
1207 |
|
---|
1208 |
|
---|
1209 | *****************CyaSSL version 0.5.0 (03/27/2006)
|
---|
1210 |
|
---|
1211 | This release of CyaSSL adds AES support and minor bug fixes.
|
---|
1212 |
|
---|
1213 | See notes below (0.2.0) for build instructions.
|
---|
1214 |
|
---|
1215 |
|
---|
1216 | *****************CyaSSL version 0.4.0 (03/15/2006)
|
---|
1217 |
|
---|
1218 | This release of CyaSSL adds TLSv1 client/server support and libtool.
|
---|
1219 |
|
---|
1220 | See notes below for build instructions.
|
---|
1221 |
|
---|
1222 |
|
---|
1223 | *****************CyaSSL version 0.3.0 (02/26/2006)
|
---|
1224 |
|
---|
1225 | This release of CyaSSL adds SSLv3 server support and session resumption.
|
---|
1226 |
|
---|
1227 | See notes below for build instructions.
|
---|
1228 |
|
---|
1229 |
|
---|
1230 | *****************CyaSSL version 0.2.0 (02/19/2006)
|
---|
1231 |
|
---|
1232 |
|
---|
1233 | This is the first release of CyaSSL and its crypt brother, CTaoCrypt. CyaSSL
|
---|
1234 | is written in ANSI C with the idea of a small code size, footprint, and memory
|
---|
1235 | usage in mind. CTaoCrypt can be as small as 32K, and the current client
|
---|
1236 | version of CyaSSL can be as small as 12K.
|
---|
1237 |
|
---|
1238 |
|
---|
1239 | The first release of CTaoCrypt supports MD5, SHA-1, 3DES, ARC4, Big Integer
|
---|
1240 | Support, RSA, ASN parsing, and basic x509 (en/de)coding.
|
---|
1241 |
|
---|
1242 | The first release of CyaSSL supports normal client RSA mode SSLv3 connections
|
---|
1243 | with support for SHA-1 and MD5 digests. Ciphers include 3DES and RC4.
|
---|
1244 |
|
---|
1245 |
|
---|
1246 | --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
|
---|
1247 |
|
---|
1248 | ./configure
|
---|
1249 | make
|
---|
1250 |
|
---|
1251 | from the ./testsuite/ directory run ./testsuite
|
---|
1252 |
|
---|
1253 | to make a debug build:
|
---|
1254 |
|
---|
1255 | ./configure --enable-debug --disable-shared
|
---|
1256 | make
|
---|
1257 |
|
---|
1258 |
|
---|
1259 |
|
---|
1260 | --To build on Win32
|
---|
1261 |
|
---|
1262 | Choose (Re)Build All from the project workspace
|
---|
1263 |
|
---|
1264 | Run the testsuite program
|
---|
1265 |
|
---|
1266 |
|
---|
1267 |
|
---|
1268 | *** The next release of CyaSSL will support a server and more OpenSSL
|
---|
1269 | compatibility functions.
|
---|
1270 |
|
---|
1271 |
|
---|
1272 | Please send questions or comments to todd@wolfssl.com
|
---|
1273 |
|
---|