Jan 28, 2013
- Certificate Revocation List (CRL) - Two new APIs have been added to support CRLs.
If a Certificate Authority uses the CRL Distribution Points extension to identify the URI where a CRL can be found, use the new matrixSslGetCRL API to aid in the fetch. If a local CRL is available use the matrixSslLoadCRL API to register the revoked certificates with the CA for testing during the SSL handshake. The client example application implements these two new APIs as a reference..
Client Certificate Authentication - This has been a feature in the commercial MatrixSSL release for some time. Client Certs are being deployed more often now, so we were asked by some open source users to include this feature under GPL.
Enable the USE_CLIENT_AUTH define in matrixsslConfig.h to add support for this feature to the library.
Clients and servers are both supported and the example applications implement client authentication for reference. The sslTest utility will exercise the client authentication handshake variations as well.
- Assembly Language Opimizations - Assembly code optimizations that were previously only available in commercial versions of MatrixSSL are now included in the open source packages. Optimizations for common processors such as ARM, x86, x86_64, and MIPS32 can now be enabled with the use of compile-time defines. RSA operations gain a significant speed advantage using these optimizations.
Public API Changes
- Client management of the session ID for resumption is now more explicit. The new matrixSslNewSessionId and matrixSslDeleteSessionId APIs enable library control of the sslSessionId_t parameter used in matrixSslNewClientSession. Refer to the API documentation for more details.
- An additional parameter has been added to the matrixSslNewServerSession and matrixSslNewClientSession APIs for compatibility with MatrixDTLS packages. For SSL usage, the final parameter should be 0 to both of these functions.
- This function prototype previously used a void return value. This change to an int return type was made simply to keep the core/ module APIs consistent.</li>
Bug Fixes and Improvements
- X.509 certificate parsing now includes separate time format fields for the notBefore and notAfter identifiers. UTCTIME and GENERALIZEDTIME are still supported. However, it is not correct to assume both must be the same type. The psX509Cert_t structure accessible through the certificate callback will contain notBeforeTimeType and notAfterTimeType members instead of timeType.
- The alert type and description were not correctly passed to the user via matrixSslReceivedData when the TLS 1.1 protocol was being used.
- The length parser in the internal X.509 parseGeneralNames function assumed values less than 255. All lengths are supported now.
Optional Attributes in a PKCS#8 format are now properly recognized.
The PKCS#12 key generation algorithm is now more flexible. Previous implementations assumed a salt length of 8 bytes. Salts may now be up to 20 bytes. Also, certificates will be re-ordered in a child-to-parent hierarchy after the parse is complete.