mirror of
https://github.com/CHN-beta/nixpkgs.git
synced 2026-01-12 02:40:31 +08:00
c05c515eff
Updates OpenSSL 3.x latest to 3.4.1 Security Fixes in 3.4.1: * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. ([CVE-2024-12797]) * Fixed timing side-channel in ECDSA signature computation. ([CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)) Release notes: https://github.com/openssl/openssl/blob/openssl-3.4.0/NEWS.md#openssl-34 Some significant changes: * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics * SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before. * An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0. * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t Some new features: * Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions * New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps * Support for attribute certificates * Support for pkeyutl in combination with key encapsulation (e.q. PQC-KEMs): -encap/-decap Signed-off-by: Markus Theil <theil.markus@gmail.com>