Jul 19, 2016
This version fixes a critical remote exploit and is recommended for all users to improve performance and security.
- Critical parsing bug for RSA encrypted blobs
- Security Researcher Hanno Böck reported several issues related to RSA and bignum operations. An error in parsing a maliciously formatted public key block could produce a remotely triggered crash in SSL server parsing. Additional restrictions on the values provided to RSA and DH operations were also added, although an exploit has not been found.
- Coverity and Clang static analyzer cleanup
- Numerous minor issues were fixed based on static analysis.
- HTTP/2 restrictions via ALPN
- MatrixSSL server code will automatically evaluate the ALPN extension and appropriately restrict the cipher suites and key exchange methods if the HTTP/2 protocol is being used. Per the HTTP/2 spec, only AEAD cipher suites and Ephemeral key exchange methods are allowed.
- Enhanced example apps
- Example applications now take additional command line options and also support CRL request and response generation.
- Process shared Session Cache
- Minimal support for a process-shared server session resumption cache is now supported via process-shared mutexes on Linux.
- Enhanced CRL and OCSP support
- A new file crypto/keyformat/crl.c defines additional apis for more complex CRL (Certificate Revocation List) and OCSP support.
- PDF Documents included in tarball package
- Documentation is now included again in the tarball, as well as online.
- Additional minor changes
- Numerous other improvements and bug fixes are included. Release notes are included in the download package. See CHANGES.md.