From e436c963f0976b885a7db04681344779e26dd3b5 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Wed, 23 Apr 2014 09:56:37 +0200 Subject: Update OpenSSL to 1.0.1g and statically link OpenVPN with it --- main/openssl/patches/README | 52 +++++++++++++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 18 deletions(-) (limited to 'main/openssl/patches/README') diff --git a/main/openssl/patches/README b/main/openssl/patches/README index 54b6e068..5348e425 100644 --- a/main/openssl/patches/README +++ b/main/openssl/patches/README @@ -3,18 +3,6 @@ progs.patch: Fixup sources under the apps/ directory that are not built under the android environment. -small_records.patch: - -Reduce OpenSSL memory consumption. -SSL records may be as large as 16K, but are typically < 2K. In -addition, a historic bug in Windows allowed records to be as large -32K. OpenSSL statically allocates read and write buffers (34K and -18K respectively) used for processing records. -With this patch, OpenSSL statically allocates 4K + 4K buffers, with -the option of dynamically growing buffers to 34K + 4K, which is a -saving of 44K per connection for the typical case. - - handshake_cutthrough.patch Enables SSL3+ clients to send application data immediately following the 
@@ -26,14 +14,42 @@ jsse.patch Support for JSSE implementation based on OpenSSL. -npn.patch +channelid.patch + +Implements TLS Channel ID support as both a client and a server. +See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. + +eng_dyn_dirs.patch + +Fixes the case of having multiple DIR_ADD commands sent to eng_dyn + +fix_clang_build.patch + +Fixes the Clang based build. + +tls12_digests.patch + +Fixes a bug with handling TLS 1.2 and digest functions for DSA and ECDSA +keys. + +alpn.patch + +This change adds support for ALPN in OpenSSL. ALPN is the IETF +blessed version of NPN and we'll be supporting both ALPN and NPN for +some time yet. + +cbc_record_splitting.patch -Transport Layer Security (TLS) Next Protocol Negotiation Extension +BEAST attack client-side mitigation. Removes 0/n record splitting, adds 1/n-1 +record splitting. Record splitting is disabled by default. -sslv3_uninit_padding.patch +paddingext.patch -This patch sets the padding for SSLv3 block ciphers to zero. +ClientHello padding extension which is added, when needed, to work around bugs +in F5 terminators. -sha1_armv4_large.patch +dsa_nonce.patch -This patch eliminates memory stores to addresses below SP. +Adds an option to mix in hash of message and private key into (EC)DSA nonces to +make (EC)DSA more resilient to weaknesses in RNGs used for nonces. The feature +is disabled by default. -- cgit v1.2.3
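Review bot: In the first hunk (@@ -3,18 +3,6 @@), the small_records.patch entry is deleted without any statement of why, and the commit subject only mentions the 1.0.1g update and static linking. The removed text documents a saving of 44K per connection by allocating 4K + 4K buffers instead of the static 34K and 18K read and write buffers, so dropping the patch changes per-connection memory use. Please say in the commit message or the README whether the patch was dropped on purpose or is no longer needed with the new version.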
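Review bot: In the second hunk (@@ -26,14 +14,42 @@), the new alpn.patch entry says "we'll be supporting both ALPN and NPN for some time yet", but the npn.patch entry is removed in the same hunk, so the README no longer says where NPN support comes from. Please add a line stating how NPN is provided now, or reword the ALPN entry. The cbc_record_splitting.patch and dsa_nonce.patch entries both say the feature is disabled by default without naming the option that enables it. Since these are a BEAST mitigation and an RNG-weakness hardening, the README should name the switch so a reader can tell whether this build actually turns them on. The removals of sslv3_uninit_padding.patch and sha1_armv4_large.patch would also benefit from a short reason. Minor: the eng_dyn_dirs.patch description lacks a trailing period, and the channelid.patch entry links to draft revision -00 over plain http.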