[FFe] Please merge openssl 1.0.1 from Debian unstable
Bug #958430 reported by
Christoph_vW
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Fix Released
|
High
|
Colin Watson |
Bug Description
Please use openssl 1.0.1 in Ubuntu 12.04 LTS.
I really need TLS 1.1 support and cannot wait another 2 years.
Related branches
summary: |
- TLS 1.1 support + [FFe] Please sync openssl 1.0.1 from Debian unstable |
Changed in openssl (Ubuntu): | |
status: | New → Confirmed |
Changed in openssl (Ubuntu): | |
assignee: | nobody → Colin Watson (cjwatson) |
summary: |
- [FFe] Please sync openssl 1.0.1 from Debian unstable + [FFe] Please merge openssl 1.0.1 from Debian unstable |
To post a comment you must log in.
Upstream NEWS file:
Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
o TLS/DTLS heartbeat support.
o SCTP support.
o RFC 5705 TLS key material exporter.
o RFC 5764 DTLS-SRTP negotiation.
o Next Protocol Negotiation.
o PSS signatures in certificates, requests and CRLs.
o Support for password based recipient info for CMS.
o Support TLS v1.2 and TLS v1.1.
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
o Corrected fix for CVE-2011-4619
o Various DTLS fixes.
Debian changelog:
openssl (1.0.1-2) unstable; urgency=low
* Properly quote the new cflags in Configure
-- Kurt Roeckx <email address hidden> Mon, 19 Mar 2012 19:56:05 +0100
openssl (1.0.1-1) unstable; urgency=low
* New upstream version pipe.patch, fixed upstream pod-misspell. patch and make-targets.patch script. patch and libssl1.0.0.symbols for
- Remove kfreebsd-
- Update pic.patch, openssl-
- Add OPENSSL_1.0.1 to version-
the new functions.
- AES-NI support (Closes: #644743)
* pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
hidden on amd64, no need to access it PIC anymore.
* pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
* Enable hardening using dpkg-buildflags (Closes: #653495)
* s_client and s_server were forcing SSLv3 only connection when SSLv2 was
disabled instead of the SSLv2 with upgrade method. (Closes: #664454)
* Add Beaks on openssh < 1:5.9p1-4, it has a too strict version check.
-- Kurt Roeckx <email address hidden> Mon, 19 Mar 2012 18:23:32 +0100
openssl (1.0.0h-1) unstable; urgency=high
* New upstream version
- Fixes CVE-2012-0884
- Fixes CVE-2012-1165
- Properly fix CVE-2011-4619
- pkg-config.patch applied upstream, remove it.
* Enable assembler for all i386 arches. The assembler does proper
detection of CPU support, including cpuid support.
This should fix a problem with AES 192 and 256 with the padlock
engine because of the difference in NO_ASM between the between
the i686 optimized library and the engine.
-- Kurt Roeckx <email address hidden> Tue, 13 Mar 2012 21:08:17 +0100
I've done some performance testing, which is in bug 796456 (private, sorry). I can quote my own numbers from that:
for x in sha1 rc4 aes-{128,256}-cbc md5; do openssl speed -evp $x 2>/dev/null | grep -A1 ^type; done | sed '2,${/type/d}'
Core 2 Duo T7100 (my laptop, getting on a bit):
amd64 1.0.0g-1ubuntu1:
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 32959.34k 85644.07k 174930.39k 243954.98k 266935.33k
rc4 90403.67k 98901.49k 101289.27k 102313.50k 103083.61k
aes-128-cbc 51210.81k 58557.04k 60279.01k 126155.41k 129400.50k
aes-256-cbc 38099.06k 41632.22k 44081.90k 42170.87k 43401.11k
md5 36105.68k 103355.47k 215324.51k 296345.24k 334079.66k
amd64 1.0.1-2ubuntu1 (unreleased):
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 35898.84k 97968.17k 201869.01k 280300.41k 314556.36k
rc4 148796.23k 248179.50k 299200.47k 317167.51k 315630.36k
aes-128-c...