Fix security hole.

author: Ben Laurie <ben@openssl.org> 1999-03-22 12:22:14 +0000
committer: Ben Laurie <ben@openssl.org> 1999-03-22 12:22:14 +0000
commit: b4cadc6e1343c01b06613053a90ed2ee85e65090 (patch)
tree: 5670424b0d897cd7f8161e321f0f514131265159 /CHANGES
parent: 0f423567a72b68b617ad5554e51095f1017a9d7b (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 82b190b700..2a00607326 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,16 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
+     doesn't work when the session is reused. Coming soon!
+     [Ben Laurie]
+
+  *) Fix a security hole, that allows sessions to be reused in the wrong
+     context thus bypassing client cert protection! All software that uses
+     client certs and session caches in multiple contexts NEEDS PATCHING to
+     allow session reuse! A fuller solution is in the works.
+     [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
+
   *) Some more source tree cleanups (removed obsolete files
      crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
      permission on "config" script to be executable) and a fix for the INSTALL
author	Ben Laurie <ben@openssl.org>	1999-03-22 12:22:14 +0000
committer	Ben Laurie <ben@openssl.org>	1999-03-22 12:22:14 +0000
commit	b4cadc6e1343c01b06613053a90ed2ee85e65090 (patch)
tree	5670424b0d897cd7f8161e321f0f514131265159 /CHANGES
parent	0f423567a72b68b617ad5554e51095f1017a9d7b (diff)