diff options
author | slontis <shane.lontis@oracle.com> | 2023-02-08 17:22:43 +1000 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-03-07 18:26:59 +0100 |
commit | 6a0a3fee222d7687c543bceaf245507674e66c58 (patch) | |
tree | 102d67e993235d4cb0d8f88ac6b8b40e9a97e30e /CHANGES.md | |
parent | 5b2fe0ba65b37950742305684ad54abcba305e13 (diff) |
Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.
Fixes #19989
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
(cherry picked from commit 50ea5cdcb735916591e35a04c1f5a659bf253ddc)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 6586989ec1..24b7ca0e4d 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,13 @@ OpenSSL 3.1 ### Changes between 3.0 and 3.1.0 [xx XXX xxxx] + * Add FIPS provider configuration option to enforce the + Extended Master Secret (EMS) check during the TLS1_PRF KDF. + The option '-ems-check' can optionally be supplied to + 'openssl fipsinstall'. + + *Shane Lontis* + * The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance. |