[Bug 958430] Re: [FFe] Please merge openssl 1.0.1 from Debian unstable
Colin Watson
cjwatson at canonical.com
Thu Mar 22 16:40:16 UTC 2012
Upstream NEWS file:

  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:

      o TLS/DTLS heartbeat support.
      o SCTP support.
      o RFC 5705 TLS key material exporter.
      o RFC 5764 DTLS-SRTP negotiation.
      o Next Protocol Negotiation.
      o PSS signatures in certificates, requests and CRLs.
      o Support for password based recipient info for CMS.
      o Support TLS v1.2 and TLS v1.1.
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.

  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:

      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
      o Corrected fix for CVE-2011-4619
      o Various DTLS fixes.

Debian changelog:

  openssl (1.0.1-2) unstable; urgency=low

    * Properly quote the new cflags in Configure

   -- Kurt Roeckx <kurt at roeckx.be>  Mon, 19 Mar 2012 19:56:05 +0100

  openssl (1.0.1-1) unstable; urgency=low

    * New upstream version
      - Remove kfreebsd-pipe.patch, fixed upstream
      - Update pic.patch, openssl-pod-misspell.patch and make-targets.patch
      - Add OPENSSL_1.0.1 to version-script.patch and libssl1.0.0.symbols for
        the new functions.
      - AES-NI support (Closes: #644743)
    * pic.patch: upstream made OPENSSL_ia32cap_P and OPENSSL_cpuid_setup
      hidden on amd64, no need to access it PIC anymore.
    * pic.patch: Make OPENSSL_ia32cap_P hidden on i386 too (Closes: #663977)
    * Enable hardening using dpkg-buildflags (Closes: #653495)
    * s_client and s_server were forcing SSLv3 only connection when SSLv2 was
      disabled instead of the SSLv2 with upgrade method. (Closes: #664454)
    * Add Breaks on openssh < 1:5.9p1-4, it has a too strict version check.

   -- Kurt Roeckx <kurt at roeckx.be>  Mon, 19 Mar 2012 18:23:32 +0100

  openssl (1.0.0h-1) unstable; urgency=high

    * New upstream version
      - Fixes CVE-2012-0884
      - Fixes CVE-2012-1165
      - Properly fix CVE-2011-4619
      - pkg-config.patch applied upstream, remove it.
    * Enable assembler for all i386 arches.  The assembler does proper
      detection of CPU support, including cpuid support.
      This should fix a problem with AES 192 and 256 with the padlock
      engine because of the difference in NO_ASM between the i686
      optimized library and the engine.

   -- Kurt Roeckx <kurt at roeckx.be>  Tue, 13 Mar 2012 21:08:17 +0100

I've done some performance testing, which is in bug 796456 (private,
sorry). I can quote my own numbers from that:

  for x in sha1 rc4 aes-{128,256}-cbc md5; do openssl speed -evp $x 2>/dev/null | grep -A1 ^type; done | sed '2,${/type/d}'

Core 2 Duo T7100 (my laptop, getting on a bit):

  amd64 1.0.0g-1ubuntu1:

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            32959.34k    85644.07k   174930.39k   243954.98k   266935.33k
    rc4             90403.67k    98901.49k   101289.27k   102313.50k   103083.61k
    aes-128-cbc     51210.81k    58557.04k    60279.01k   126155.41k   129400.50k
    aes-256-cbc     38099.06k    41632.22k    44081.90k    42170.87k    43401.11k
    md5             36105.68k   103355.47k   215324.51k   296345.24k   334079.66k

  amd64 1.0.1-2ubuntu1 (unreleased):

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            35898.84k    97968.17k   201869.01k   280300.41k   314556.36k
    rc4            148796.23k   248179.50k   299200.47k   317167.51k   315630.36k
    aes-128-cbc     80029.11k    86546.17k    88989.02k    89460.83k    89581.44k
    aes-256-cbc     58424.85k    62711.92k    63304.52k    63263.34k    63661.19k
    md5             39243.77k   110190.34k   233141.78k   318653.39k   360757.60k

  i386 1.0.0g-1ubuntu1:

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            20799.30k    58511.68k   121232.04k   166728.83k   187707.50k
    rc4            144625.18k   190355.72k   207533.54k   217030.23k   230849.46k
    aes-128-cbc     63992.57k    73048.85k    76678.75k    78265.56k    77791.23k
    aes-256-cbc     50812.10k    56796.46k    58252.89k    58130.56k    58776.23k
    md5             25959.21k    78649.23k   183409.83k   275312.09k   326038.87k

  i386 1.0.1-2ubuntu1 (unreleased):

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            28814.07k    84153.79k   187597.59k   273172.48k   315113.47k
    rc4            213104.86k   295053.10k   329978.88k   351678.81k   367037.10k
    aes-128-cbc     73415.73k    85662.90k    88118.29k    88727.21k    89155.35k
    aes-256-cbc     54117.90k    59359.41k    61571.61k    60992.35k    63965.87k
    md5             30211.77k    88190.74k   200825.25k   291140.04k   327380.36k

Xeon X5550 (porter-amd64.canonical.com):

  amd64 1.0.0g-1ubuntu1:

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            51464.13k   135581.95k   268001.37k   354723.50k   391353.69k
    rc4            285698.47k   340625.22k   297458.99k   300018.35k   300826.62k
    aes-128-cbc     84038.84k    93140.52k    96024.32k    96636.93k    96952.32k
    aes-256-cbc     62973.73k    67858.18k    69276.76k    69656.92k    69716.65k
    md5             62959.22k   181574.51k   387815.08k   543501.65k   615374.85k

  amd64 1.0.1-2ubuntu1 (unreleased):

    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1            59043.94k   165165.57k   345374.63k   474867.03k   532654.76k
    rc4            243205.74k   479680.62k   637097.39k   702863.70k   725865.81k
    aes-128-cbc    248449.33k   290760.30k   300079.79k   302154.07k   303478.10k
    aes-256-cbc    190183.11k   200553.96k   210688.26k   219256.49k   218715.48k
    md5             60728.21k   179583.34k   387689.90k   546985.64k   620229.97k

So now my laptop is a bit slower on AES when running amd64, but in i386
mode it's an improvement across the board. That's probably OK given its
age.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4619

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0884

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1165

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/958430
Title:
[FFe] Please merge openssl 1.0.1 from Debian unstable
Status in "openssl" package in Ubuntu:
Confirmed
Bug description:
Please use openssl 1.0.1 in Ubuntu 12.04 LTS.
I really need TLS 1.1 support and cannot wait another 2 years.
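
Added example, not part of the original message: a mechanical version of the old-versus-new comparison, run over the two Core 2 Duo T7100 amd64 tables quoted in the message. The function names and the 5% tolerance are assumptions of this example; it reports the new/old throughput ratio for every algorithm and block size and lists the cells where the newer build is slower.

```python
import re

# The two Core 2 Duo T7100 amd64 tables from the message above.
OLD = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 32959.34k 85644.07k 174930.39k 243954.98k 266935.33k
rc4 90403.67k 98901.49k 101289.27k 102313.50k 103083.61k
aes-128-cbc 51210.81k 58557.04k 60279.01k 126155.41k 129400.50k
aes-256-cbc 38099.06k 41632.22k 44081.90k 42170.87k 43401.11k
md5 36105.68k 103355.47k 215324.51k 296345.24k 334079.66k
"""
NEW = """\
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 35898.84k 97968.17k 201869.01k 280300.41k 314556.36k
rc4 148796.23k 248179.50k 299200.47k 317167.51k 315630.36k
aes-128-cbc 80029.11k 86546.17k 88989.02k 89460.83k 89581.44k
aes-256-cbc 58424.85k 62711.92k 63304.52k 63263.34k 63661.19k
md5 39243.77k 110190.34k 233141.78k 318653.39k 360757.60k
"""

def parse_speed(text):
    """Return {algorithm: {block size in bytes: thousands of bytes/s}}."""
    sizes, table = [], {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "type":  # header row names the block sizes
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        rates = [float(f.rstrip("k")) for f in fields[1:]]
        if len(rates) != len(sizes):
            raise ValueError(f"malformed row: {line!r}")
        table[fields[0]] = dict(zip(sizes, rates))
    return table

def compare(old_text, new_text, tolerance=0.05):
    """Return (ratios, regressions); a ratio below 1 means the new build is slower."""
    old, new = parse_speed(old_text), parse_speed(new_text)
    ratios, regressions = {}, []
    for alg in (a for a in old if a in new):
        ratios[alg] = {s: new[alg][s] / old[alg][s] for s in old[alg] if s in new[alg]}
        regressions += [(alg, s) for s, r in ratios[alg].items() if r < 1 - tolerance]
    return ratios, regressions

if __name__ == "__main__":
    ratios, slower = compare(OLD, NEW)
    print("slower by more than 5%:", slower)
```

Pasting any other pair of tables from the message into OLD and NEW gives the same breakdown for that machine and architecture.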