lp:ubuntu/precise/openssl
- Get this branch:
- bzr branch lp:ubuntu/precise/openssl
Branch merges
Branch information
- Owner:
- Ubuntu branches
- Status:
- Mature
Recent revisions
- 77. By Jamie Strandboge
-
* SECURITY UPDATE: fix various overflows
- debian/patches/ CVE-2012- 2110.patch: adjust crypto/a_d2i_fp.c,
crypto/buffer.c and crypto/mem.c to verify size of lengths
- CVE-2012-2110 - 76. By Colin Watson
-
* Backport more upstream patches to work around TLS 1.2 failures
(LP #965371):
- Do not use record version number > TLS 1.0 in initial client hello:
some (but not all) hanging servers will now work.
- Truncate the number of ciphers sent in the client hello to 50. Most
broken servers should now work.
- Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
* Don't re-enable TLS 1.2 client support by default yet, since more of the
sites listed in the above bug and its duplicates still fail if I do that
versus leaving it disabled. - 71. By Colin Watson
-
Pass cross-compiling options to 'make install' as well, since apparently
it likes to rebuild fips_premain_dso. - 68. By Colin Watson
-
* Temporarily work around TLS 1.2 failures as suggested by upstream
(LP #965371):
- Use client version when deciding whether to send supported signature
algorithms extension.
- Experimental workaround to large client hello issue: if
OPENSSL_NO_TLS1_ 2_CLIENT is set then TLS v1.2 is disabled for clients
only.
- Compile with -DOPENSSL_NO_TLS1_ 2_CLIENT.
This fixes most of the reported problems, but does not fix the case of
servers that reject version numbers they don't support rather than
trying to negotiate a lower version (e.g. www.mediafire.com).
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/quantal/openssl