OT: OpenSSL 1.0.1f

Jeffrey Walton noloader at gmail.com
Mon Jan 6 20:40:05 UTC 2014


OpenSSL 1.0.1f was released today. It might be a good time to rebuild
all the versions of nginx using static versions of OpenSSL.

There are three CVE remediations included in the release:
CVE-2013-4353, CVE-2013-6449, CVE-2013-6450.
http://www.openssl.org/news/openssl-1.0.1-notes.html.

It does not look like 1.0.1f changed the default behavior of
ENGINE_rdrand (coderman's been following it).

1.0.1f added hostname and email verification routines so programs no
longer have to do it themselves.

There's also an Apple SecureTransport bug workaround. Apple's
SecureTransport does not properly negotiate ECDHE-ECDSA cipher
suites. It affects Mac OS X and could affect iOS. It might be prudent
to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG by default.
http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html.


