From 0d1312bcf83d0f19fde5f8c602918091c21f7e3e Mon Sep 17 00:00:00 2001 From: Iristyle Date: Fri, 12 Oct 2012 13:36:17 -0400 Subject: [PATCH] OpenSSL.Light for Win32 1.0.1c --- OpenSSL.Light/OpenSSL.Light.nuspec | 96 ++++++++++++++++++++++ OpenSSL.Light/OpenSSL.Light.png | Bin 0 -> 4929 bytes OpenSSL.Light/tools/chocolateyInstall.ps1 | 24 ++++++ 3 files changed, 120 insertions(+) create mode 100644 OpenSSL.Light/OpenSSL.Light.nuspec create mode 100644 OpenSSL.Light/OpenSSL.Light.png create mode 100644 OpenSSL.Light/tools/chocolateyInstall.ps1 diff --git a/OpenSSL.Light/OpenSSL.Light.nuspec b/OpenSSL.Light/OpenSSL.Light.nuspec new file mode 100644 index 0000000..fc73935 --- /dev/null +++ b/OpenSSL.Light/OpenSSL.Light.nuspec 
@@ -0,0 +1,96 @@ + + + + OpenSSL.Light + OpenSSL - The Open Source SSL and TLS toolkit + 1.0.1.3 + Shining Light Productions + Ethan Brown + Open Source SSL v2/v3 and TLS v1 toolkit + This is really 1.0.1c, but the Nuget spec doesn't allow such version identifiers, so the file versions are used. + + The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. + + The Win32 OpenSSL Installation Project is dedicated to providing a simple installation of OpenSSL. It is easy to set up and easy to use through the simple, effective installer. No need to compile anything or jump through any hoops, just click a few times and it is installed, leaving you to doing real work. Download it today! Note that these are default builds of OpenSSL and subject to local and state laws. More information can be found in the legal agreement of the installation. + + http://slproweb.com/products/Win32OpenSSL.html + openssl SSL TLS pfx pem key RSA + http://www.openssl.org/source/license.html + false + https://github.com/Iristyle/ChocolateyPackages/raw/master/SABnzbd/OpenSSL.Light/OpenSSL.Light.png + Changes between 1.0.1b and 1.0.1c [10 May 2012] + + *) Sanity check record length before skipping explicit IV in TLS + 1.2, 1.1 and DTLS to avoid DoS attack. + + Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic + fuzzing as a service testing platform. + (CVE-2012-2333) + [Steve Henson] + + *) Initialise tkeylen properly when encrypting CMS messages. + Thanks to Solar Designer of Openwall for reporting this issue. 
+ [Steve Henson] + + *) In FIPS mode don't try to use composite ciphers as they are not + approved. + [Steve Henson] + + Changes between 1.0.1a and 1.0.1b [26 Apr 2012] + + *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and + 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately + mean any application compiled against OpenSSL 1.0.0 headers setting + SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng + TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to + 0x10000000L Any application which was previously compiled against + OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 + will need to be recompiled as a result. Letting be results in + inability to disable specifically TLS 1.1 and in client context, + in unlike event, limit maximum offered version to TLS 1.0 [see below]. + [Steve Henson] + + *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not + disable just protocol X, but all protocols above X *if* there are + protocols *below* X still enabled. In more practical terms it means + that if application wants to disable TLS1.0 in favor of TLS1.1 and + above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass + SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to + client side. + [Andy Polyakov] + + Changes between 1.0.1 and 1.0.1a [19 Apr 2012] + + *) Check for potentially exploitable overflows in asn1_d2i_read_bio + BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer + in CRYPTO_realloc_clean. + + Thanks to Tavis Ormandy, Google Security Team, for discovering this + issue and to Adam Langley <agl@chromium.org> for fixing it. + (CVE-2012-2110) + [Adam Langley (Google), Tavis Ormandy, Google Security Team] + + *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + [Adam Langley] + + *) Workarounds for some broken servers that "hang" if a client hello + record length exceeds 255 bytes: + + 1. 
Do not use record version number > TLS 1.0 in initial client + hello: some (but not all) hanging servers will now work. + 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate + the number of ciphers sent in the client hello. This should be + set to an even number, such as 50, for example by passing: + -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. + Most broken servers should now work. + 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable + TLS 1.2 client support entirely. + [Steve Henson] + + *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. + [Andy Polyakov] + + + + + 
diff --git a/OpenSSL.Light/OpenSSL.Light.png b/OpenSSL.Light/OpenSSL.Light.png new file mode 100644 index 0000000000000000000000000000000000000000..b5a8799db2148315a5120c4b8373b53f0dee3f85 GIT binary patch literal 4929
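Review bot: The icon URL in OpenSSL.Light/OpenSSL.Light.nuspec points at https://github.com/Iristyle/ChocolateyPackages/raw/master/SABnzbd/OpenSSL.Light/OpenSSL.Light.png, but this patch creates the image at OpenSSL.Light/OpenSSL.Light.png with no SABnzbd/ parent directory, so the URL does not match the path of the file being added; drop the SABnzbd/ segment or move the package directory so the two agree. The project URL and license URL in the same file are plain http; if the hosts offer https, use it, since this metadata is what users follow to reach the upstream installer and its license. The release notes paste three upstream changelog sections (1.0.1 through 1.0.1c) verbatim; keeping only the 1.0.1c section, with its CVE-2012-2333 entry, plus a link to the upstream changelog would make the spec easier to maintain on the next version bump. The diffstat lists OpenSSL.Light/tools/chocolateyInstall.ps1 with 24 added lines, but its hunk is not included in this text, so the download source and any integrity check on the installer cannot be reviewed here.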