On 01/06/2014 09:49 AM, OpenSSL wrote:

>    OpenSSL version 1.0.1f released
>    ===============================
>    The OpenSSL project team is pleased to announce the release of
>    version 1.0.1f of our open source toolkit for SSL/TLS. For details
>    of changes and known issues see the release notes at:
>         http://www.openssl.org/news/openssl-1.0.1-notes.html

Looking at the source on github, i see that Nick Mathewson's
no_gmt_unix_time branch was also merged between 1.0.1e and 1.0.1f, but
it is not mentioned in the release notes.

I fully support the draft that recommends this change:


but i also think it's a potentially significant change that is worth
acknowledging publicly (it breaks at least tlsdate -- i don't know about
other systems that rely on this).

as an aside, the commit message of
2583270191a8b27eed303c03ece1da97b9b69fd3 appears to be misleading.  it says:

    Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE

but the code change indicates that the config flag is named
SSL_MODE_SEND_{CLIENT,SERVER}HELLO_TIME, which has the opposite sense
from the commit message's implication.

Thanks for taking this step to minimize data leakage from TLS clients
and servers!



Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to