Further updates to CHANGES and NEWS
author Matt Caswell <matt@openssl.org>
Thu, 28 Jan 2016 12:28:53 +0000 (12:28 +0000)
committer Matt Caswell <matt@openssl.org>
Thu, 28 Jan 2016 17:06:38 +0000 (17:06 +0000)
Reviewed-by: Richard Levitte <levitte@openssl.org>
CHANGES
NEWS

diff --git a/CHANGES b/CHANGES
index ca3c62639fbb9f4ba7c029b9774018f0f7c469c1..24cf8212578dbd307abbfbc35f00747e89190682 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,13 @@
 
  Changes between 1.0.1q and 1.0.1r [xx XXX xxxx]
 
+  *) Protection for DH small subgroup attacks
+
+     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+     switched on by default and cannot be disabled. This could have some
+     performance impact.
+     [Matt Caswell]
+
   *) SSLv2 doesn't block disabled ciphers
 
      A malicious client can negotiate SSLv2 ciphers that have been disabled on
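Review bot: The added CHANGES entry states that SSL_OP_SINGLE_DH_USE "cannot be disabled" but does not say what happens when an application still tries to clear or omit the option, and "This could have some performance impact" does not say which configurations pay the cost. Suggest stating explicitly how an attempt to unset the option is now treated, and naming the affected configurations, so an administrator can judge the impact from the changelog alone. The entry also names the attack class without saying which DH parameters or key-reuse settings are exposed; one sentence on that would help readers decide how urgent the upgrade is.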
diff --git a/NEWS b/NEWS
index 13dcd01aacc85dfc10b5503c7fee288dcaa39e0b..d8e4fd0173c195da74509be00360e790c851e06a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
 
   Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [under development]
 
+      o Protection for DH small subgroup attacks
       o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
 
   Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
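Review bot: The new NEWS bullet "o Protection for DH small subgroup attacks" carries no identifier, while the line directly below it ends with "(CVE-2015-3197)". If a CVE has been assigned to this issue, append it in the same parenthesised form so the two entries are consistent and the item can be matched against the advisory. The bullet also leaves out that SSL_OP_SINGLE_DH_USE is now forced on, which is the user-visible behaviour change recorded in CHANGES and the part most readers of NEWS will need.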