24784774 Upgrade 11.3-SRU to OpenSSL 1.0.2
20358335 memory leak in libcrypto
21297601 32-bit FIPS openssl(1) should link to the mediator link
21791492 Workaround to suppress the link check error should be removed
22021385 openssl ts sub-command dumps core
22021787 openssl s_client sub-command dumps core
22445522 openssl makefile contains undeclared dependency on rsync
22859741 Update OpenSSL FIPS module to 2.0.12
23230454 Use DES3 for pkcs12 certificate encryption
23285559 ssh libcrypto`solaris_locking_setup() atfork handler calls malloc()
24377801 solaris_dynlock_create() should check for a ret val of 0 from pthread_mutex_init
24943813 problem in LIBRARY/OPENSSL
#
# This was developed in house. The change is internal to Solaris, and
# it will not be contributed upstream.
#
# This patch will change the default cipher used to encrypt certificate
# to 3DES as RC2 is considered weak cipher. The default cipher for 1.1 will
# become 3DES.
#
--- openssl/apps/pkcs12.c Tue May 3 06:44:42 2016
+++ openssl/apps/pkcs12.c.new Wed May 4 15:11:00 2016
@@ -142,12 +142,7 @@
if (!load_config(bio_err, NULL))
goto end;
-# ifdef OPENSSL_FIPS
- if (FIPS_mode())
- cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- else
-# endif
- cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
args = argv + 1;
@@ -379,9 +374,9 @@
BIO_printf(bio_err,
"-twopass separate MAC, encryption passwords\n");
BIO_printf(bio_err,
- "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n");
+ "-descert encrypt PKCS#12 certificates with triple DES (default)\n");
BIO_printf(bio_err,
- "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n");
+ "-certpbe alg specify certificate PBE algorithm (default 3DES)\n");
BIO_printf(bio_err,
"-keypbe alg specify private key PBE algorithm (default 3DES)\n");
BIO_printf(bio_err,
--- openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:10:00 2016
+++ openssl/doc/crypto/PKCS12_create.pod Fri May 6 09:14:16 2016
@@ -30,9 +30,9 @@
The parameters B<nid_key>, B<nid_cert>, B<iter>, B<mac_iter> and B<keytype>
can all be set to zero and sensible defaults will be used.
-These defaults are: 40 bit RC2 encryption for certificates, triple DES
-encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER
-(currently 2048) and a MAC iteration count of 1.
+These defaults are: triple DES encryption for certificates and private keys,
+a key iteration count of PKCS12_DEFAULT_ITER (currently 2048) and a MAC
+iteration count of 1.
The default MAC iteration count is 1 in order to retain compatibility with
old software which did not interpret MAC iteration counts. If such compatibility