MatrixSSL http://www.matrixssl.org/ en-us peersec@peersec.com 2008-03-11T09:26:44-08:00 hourly 1 2000-01-01T12:00+00:00 PeerSec Networks http://www.peersec.com/psIcon32.gif http://www.matrixssl.org/ 74 32 Enterprise Level Security for Devices (TM) MatrixSSL 1.8.5 http://www.matrixssl.org/archives/000145.html API changes
  • Internal API change to accommodate MatrixSSH users.

Functional changes
  • Ignore TLS extensions sent with SSL 3.0 ClientHello. Thunderbird sends these extensions if negotiating down from a TLS connection, even though they are meaningless.
  • Enhanced the parsing of the Key Usage certificate extension.

Bug fixes and optimizations
  • Assure file reads into memory are NULL terminated. This was an issue flagged by Valgrind that doesn't present a problem in practice.
  • 2008 copyright update.

Notes
  • MatrixSSL 1.8.4 was not a public release.

]]> 145@http://www.matrixssl.org/ Releases 2008-03-11T09:26:44-08:00 MatrixSSL 1.8.3 http://www.matrixssl.org/archives/000144.html API changes
  • ‘const’ qualifiers added to literal string parameters for matrixRsaReadPrivKey, matrixRsaReadKeys, matrixRsaReadKeysEx and matrixX509ReadPubKey.

Functional changes
  • Additional error reporting in RSA public decryption routine.

Bug fixes and optimizations
  • Improved the enforcement of maximum certificate chain length.
  • Added the –fPIC compile option to default POSIX builds.
  • Fixed one time memory leak on error conditional during certificate parsing.
  • 2007 copyright update.

]]> 144@http://www.matrixssl.org/ Releases 2007-02-07T13:22:22-08:00 MatrixSSL 1.8.2 http://www.matrixssl.org/archives/000143.html API additions
  • None

Functional changes
  • New "leaky bucket" algorithm for empty message denial-of-service countermeasure. Previously, the count of empty messages was continually being incremented by the MatrixSSL library regardless of any interleaving valid messages. This could potentially cause the connection to be closed if a peer was sending many blank SSL messages. The count will now decrement on valid messages. This change is most relevant to use-cases that involve an OpenSSL client communicating with a MatrixSSL server, as these clients tend to periodically send a blank record.

Bug fixes and optimizations
  • None

]]> 143@http://www.matrixssl.org/ Releases 2006-10-05T14:22:46-08:00 MatrixSSL 1.8.1 http://www.matrixssl.org/archives/000141.html API additions
  • None

Functional changes
  • Cleaner POSIX cross platform compiles for newer versions of Linux.
  • Build support for Intel Macs (tested on OS X 10.4 CoreDuo).

Bug fixes and optimizations
  • Minor compile warnings fixed.
  • Graceful handling when MAX_CHAIN_LEN limit is exceeded in certificate parsing.
  • Added ASN.1 BMPSTRING format support to certificate parsing.
  • Fixed matrixSslReadKeysMem so that private key parameter is optional.
  • Fixed one time memory leak for client initialization issues that include non-parsable certificates.

]]> 141@http://www.matrixssl.org/ Releases 2006-07-11T15:37:56-08:00 MatrixSSL 1.8 http://www.matrixssl.org/archives/000140.html API additions
  • Addition of two new server APIs that allow the user to add a custom flag value to client sessions. Servers may now assign persistant custom data to connected sessions that can be later retrieved from a session that was established with a session resumption handshake. See the API documentation for matrixSslSetResumptionFlag and matrixSslGetResumptionFlag for more details.

Functional changes
  • Ability to put multiple certificates in a single PEM file.
  • The handshake will now fail on an un-authenticated cert if no user validation callback has been defined with matrixSslSetCertValidator. It is still encouraged that a callback be registered.
  • Users can now reply to a closure alert with a closure alert of their own using matrixSslEncodeClosureAlert. Previously, the SSL_CLOSED flag prevented this. Now only error cases will prevent the closure alert from being created.

Bug fixes and optimizations
  • Numerous compile warnings fixed. Especially in the area of unsigned char / char type mismatches.
  • Added explicit ‘void’ types to empty parameter functions.
  • Fixed a bad shift operation in cipherSuite.c (no functional change).
  • Fixed possible memory leak of pre-master secret if deleteSession called on some corner failure cases.
  • Fixed compile and link issues when USE_FILE_SYSTEM was turned off in matrixConfig.h.
  • Fix for unknown X.509 certificate extension parsing in which the extensions did not provide explicit data lengths in the encoding.
  • Fixed parse issue with an empty AuthorityKeyIdentifier certificate extension.
  • Created new sample certificates with updated dates.

]]> 140@http://www.matrixssl.org/ Releases 2006-04-06T13:33:41-08:00 MatrixSSL 1.7.3 http://www.matrixssl.org/archives/000138.html Bug fixes and optimizations
  • Fixed issue with certificate extension parsing causing a cert with some unrecognized extensions to fail validation.
  • Fixed requirement when USE_CLIENT_SIDE is enabled with ReadKeysMem - CA is no longer required.

]]> 138@http://www.matrixssl.org/ Releases 2005-11-16T18:28:43-08:00 MatrixSSL 1.7.1b http://www.matrixssl.org/archives/000136.html Bug fixes and optimizations
  • Fixed packaging issue causing a build error on Windows and Linux. No functional change from 1.7.1

]]> 136@http://www.matrixssl.org/ Releases 2005-09-17T11:39:20-08:00 MatrixSSL 1.7.1 http://www.matrixssl.org/archives/000135.html Bug fixes and optimizations
  • Fixed certificate chain parsing bug where a valid certificate chain was marked as invalid under certain circumstances. The result of the fix is that more cert chain configurations are supported.
  • Added support for cert validation when the server sends the Root CA cert in addition to the lower levels of the chain. Typically the Root CA cert is loaded into the client, and not sent by the server. We have encountered some deployments where the server does send the root CA as well, and now successfully validate this chain.
  • Relaxed parsing of the CertificateSerialNumber field within AuthorityKeyIdentifier. Although officially defined as an ASN.1 INTEGER type, some certificate generators use a non-integer value. Parser now supports these technically incorrect datatypes.

]]> 135@http://www.matrixssl.org/ Releases 2005-09-13T14:48:19-08:00 MatrixSSL 1.7 http://www.matrixssl.org/archives/000134.html Overall changes
  • Explicit support for anonymous RSA handshaking
  • New APIs to support anonymous handshaking and re-handshaking over existing connections with new key material

Functional changes
  • Version updated from 1.2.5 to 1.7 to mirror commercial MatrixSSL versioning
  • Directory and file reorganization

Bug fixes and optimizations
  • Significantly accelerated RSA handshake speeds
  • Additional parsing of X.509 certificate extensions

]]> 134@http://www.matrixssl.org/ Releases 2005-08-17T19:21:41-08:00 MatrixSSL 1.2.5 http://www.matrixssl.org/archives/000110.html Overall changes
  • No API changes from 1.2.4 release

Functional changes
  • Updated expiration date in sample certificates

Bug fixes and optimizations
  • Remove unnecessary link to -lcrypto on Linux
  • Fix prevTicks compatibility on non-i386 Linux platforms

]]> 110@http://www.matrixssl.org/ Releases 2005-04-04T15:47:31-08:00 MatrixSSL 1.2.4 http://www.matrixssl.org/archives/000103.html Overall changes
  • No API changes from 1.2.2 release
  • There was no public 1.2.3 release

Functional changes
  • Client will reply with NULL cert message if client authentication is requested.

Bug fixes and optimizations
  • Generate static libraries in addition to shared objects on Linux
  • AMD64/Nacona x64 compile support on Linux
  • Changed all instances of int types to int32 to be more explicit and to allow easy global redefinitions for porting
  • Corrected the maximum message size limit to match the SSL specification
  • Cert parse can handle duplicate distinguished name entries.
  • ASN.1 parse fix for AlgorithmIdentifier missing the trailing NULL
  • Checking certificate version before doing checking the 'ca' member of the basic constraint entry during certificate validation.
  • Developers may notice some internal routines using a psPool_t parameter. These parameters allow deterministic memory support in the commercial version of MatrixSSL. They are unused in the GNU version of MatrixSSL.

]]> 103@http://www.matrixssl.org/ Releases 2005-02-24T11:00:28-08:00 MatrixSSL 1.2.2 http://www.matrixssl.org/archives/000097.html Functional changes
  • Added legacy certificate support

    • - for certificates without basic constraints
    - MD2 support for older certificates (Because it is a less secure algorithm, it must be explicitly enabled).

Bug fixes and optimizations
  • Sanity check against invalid key lengths from certificate (potential DOS fix)
  • Fixed 64 bit issue with mpi.c
  • Fix potential leak in certificates with duplicate fields
  • Allow application data parsing within re-handshake state

]]> 97@http://www.matrixssl.org/ Releases 2004-09-23T14:30:29-08:00 MatrixSSL 1.2.1 http://www.matrixssl.org/archives/000095.html Bug fixes and optimizations
  • Increased max SSL record length to 16K + 2K for Apache compatibility
  • Validate outgoing record length in matrixSslEncode()
  • Sanity check mac padding loop
  • Validate all ASN.1 length fields in X.509 certificates

]]> 95@http://www.matrixssl.org/ Releases 2004-08-16T10:59:45-08:00 MatrixSSL 1.2 http://www.matrixssl.org/archives/000093.html Functional changes
  • Added re-handshake support

    • - A connected server may issue a HelloRequest message to the client
    - A connected client may issue a new ClientHello message to the server
  • Added support for certificate chaining
  • Added RSA_WITH_NULL_SHA1 and RSA_WITH_NULL_MD5 ciphers to provide authentication and tamper detection without encryption overhead. (Because these are less secure ciphers, they must be explicitly enabled in cipherSuite.c).

Bug fixes and optimizations
  • Cleaned up several mismatched types (mostly unsigned char to char compiler warnings)
  • Rework of the cipher suite logic to support re-handshaking
  • Rename internal APIs to avoid namespace issues with other packages

API changes from 1.1 release
  • Added matrixSslSetSessionOption()
  • Added matrixSslEncodeHelloRequest()
  • Added 'next' member to the sslCertInfo_t structure. This member creates a linked list to expose certificate chains to the user.

]]> 93@http://www.matrixssl.org/ Releases 2004-07-29T11:05:24-08:00 MatrixSSL 1.1.2 http://www.matrixssl.org/archives/000094.html Bug fixes and optimizations
  • Remove newline requirement for private key parsing
  • Allow NULL certificate for matrixSslReadKeys()
  • Cleaned up some spurious compiler warnings

]]> 94@http://www.matrixssl.org/ Releases 2004-07-08T13:55:01-08:00