ELSA-2021-9561

Описание

[1:1.1.1k-4]

• Fixes bugs in s390x AES code.
• Uses the first detected address family if IPv6 is not available
• Reverts the changes in https://github.com/openssl/openssl/pull/13305 as it introduces a regression if server has a DSA key pair, the handshake fails when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted, it has an effect on the 'ssl_reject_handshake' feature in nginx. Although, this feature will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already known - https://trac.nginx.org/nginx/ticket/2071#comment:1 As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx could early callback instead of servername callback.
• Resolves: rhbz#1978214
• Related: rhbz#1934534

[1:1.1.1k-3]

• Cleansup the peer point formats on renegotiation
• Resolves rhbz#1965362

[1:1.1.1k-2]

• Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
• Using safe primes for FIPS DH self-test

[1.1.1k-1]

• Update to version 1.1.1k

[1.1.1g-16]

• Use AI_ADDRCONFIG only when explicit host name is given
• Allow only curves defined in RFC 8446 in TLS 1.3