On 01/06/2014 09:49 AM, OpenSSL wrote:
> OpenSSL version 1.0.1f released
> ===============================
[...]
> The OpenSSL project team is pleased to announce the release of
> version 1.0.1f of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
>
> http://www.openssl.org/news/openssl-1.0.1-notes.html

Looking at the source on GitHub, I see that Nick Mathewson's no_gmt_unix_time branch was also merged between 1.0.1e and 1.0.1f, but it is not mentioned in the release notes.

I fully support the draft that recommends this change:

  https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00

but I also think it's a potentially significant change that is worth acknowledging publicly (it breaks at least tlsdate -- I don't know about other systems that rely on this).

As an aside, the commit message of 2583270191a8b27eed303c03ece1da97b9b69fd3 appears to be misleading. It says:

  Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE

but the code change indicates that the config flag is named SSL_MODE_SEND_{CLIENT,SERVER}HELLO_TIME, which has the opposite sense from the commit message's implication.

Thanks for taking this step to minimize data leakage from TLS clients and servers!

Regards,

--dkg
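
An added example, not part of the original message and not OpenSSL code: the first four bytes of the 32-byte hello random are the gmt_unix_time slot that tlsdate reads, so a captured hello record shows whether a peer still sends its clock there. The names classify_hello, build_sample_hello and the HELLO_* constants are hypothetical, and the sample record is constructed and truncated after the random field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HELLO_MALFORMED = -1, HELLO_NO_TIME = 0, HELLO_SENDS_TIME = 1 };
#define HELLO_MIN (5 + 4 + 2 + 32) /* record hdr, handshake hdr, version, random */

/* Classify the gmt_unix_time slot of the first hello in one TLS record.
 * A random value falls inside the window by chance with probability
 * (2*max_skew+1)/2^32, so confirm a hit over several handshakes. */
int classify_hello(const uint8_t *rec, size_t len, uint32_t now,
                   uint32_t max_skew, uint32_t *field)
{
    if (rec == NULL || len < HELLO_MIN || rec[0] != 22)  /* 22 = handshake */
        return HELLO_MALFORMED;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len > len - 5 || rec_len < HELLO_MIN - 5)
        return HELLO_MALFORMED;
    if (rec[5] != 1 && rec[5] != 2)                      /* Client/ServerHello */
        return HELLO_MALFORMED;
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (hs_len < 2 + 32)                                 /* version + random */
        return HELLO_MALFORMED;
    const uint8_t *r = rec + 11;                         /* start of random */
    uint32_t t = ((uint32_t)r[0] << 24) | ((uint32_t)r[1] << 16) |
                 ((uint32_t)r[2] << 8) | r[3];
    if (field) *field = t;
    uint32_t diff = t > now ? t - now : now - t;
    return diff <= max_skew ? HELLO_SENDS_TIME : HELLO_NO_TIME;
}

/* Constructed sample: ServerHello record with chosen first 4 random bytes. */
size_t build_sample_hello(uint8_t out[HELLO_MIN], uint32_t first4)
{
    static const uint8_t hdr[11] = { 22, 3, 1, 0, 38,  2, 0, 0, 34,  3, 1 };
    memcpy(out, hdr, sizeof hdr);
    memset(out + 11, 0xA5, 32);                          /* filler, not entropy */
    out[11] = (uint8_t)(first4 >> 24); out[12] = (uint8_t)(first4 >> 16);
    out[13] = (uint8_t)(first4 >> 8);  out[14] = (uint8_t)first4;
    return HELLO_MIN;
}

int main(void)
{
    uint8_t rec[HELLO_MIN]; uint32_t f;
    size_t n = build_sample_hello(rec, 1389000000u);     /* constructed timestamp */
    printf("%d\n", classify_hello(rec, n, 1389000030u, 300, &f));
    return 0;
}
```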