diff options
author | slontis <shane.lontis@oracle.com> | 2023-02-08 17:22:43 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-03-07 18:24:45 +0100 |
commit | 50ea5cdcb735916591e35a04c1f5a659bf253ddc (patch) | |
tree | 8cdfdf314aa83a346256e15dcf36a18c8e931bea /CHANGES.md | |
parent | de13699370183ab565f548267afa57e25a921ca9 (diff) | |
download | openssl-50ea5cdcb735916591e35a04c1f5a659bf253ddc.tar.gz |
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index b5381e9847..711454ec43 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -237,6 +237,13 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1.0 [xx XXX xxxx] + * Add FIPS provider configuration option to enforce the + Extended Master Secret (EMS) check during the TLS1_PRF KDF. + The option '-ems-check' can optionally be supplied to + 'openssl fipsinstall'. + + *Shane Lontis* + * The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance. |