123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525 |
- *** Note, Please read ***
- CyaSSL takes a different approach to certificate verification than OpenSSL does.
- The default policy for the client is to verify the server, this means that if
- you don't load CAs to verify the server you'll get a connect error, unable to
- verify. It you want to mimic OpenSSL behavior of having SSL_connect succeed
- even if verifying the server fails and reducing security you can do this by
- calling:
- SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
- before calling SSL_new(); Though it's not recommended.
- *** end Note ***
- CyaSSL Release 1.8.0 (12/23/2010)
- Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate
- generation, a C standard library abstraction layer, lower memory use, increased
- portability through the os_settings.h file, and the ability to use NTRU cipher
- suites when used in conjunction with an NTRU license and library.
- The initial CyaSSL manual offering is included in the doc/ directory. For
- build instructions and comments about the new features please check the manual.
- Please send any comments or questions to support@yassl.com.
- Happy Holidays.
-
- ********************* CyaSSL Release 1.6.5 (9/9/2010)
- Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate
- generation.
-
- For general build instructions see doc/Building_CyaSSL.pdf.
- To enable certificate generation support add this option to ./configure
- ./configure --enable-certgen
- An example is included in ctaocrypt/test/test.c and documentation is provided
- in doc/CyaSSL_Extensions_Reference.pdf item 11.
- ********************** CyaSSL Release 1.6.0 (8/27/2010)
- Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key
- generation.
-
- For general build instructions see doc/Building_CyaSSL.pdf.
- To add RIPEMD-160 support add this option to ./configure
- ./configure --enable-ripemd
- To add SHA-512 support add this option to ./configure
- ./configure --enable-sha512
- To add RSA key generation support add this option to ./configure
- ./configure --enable-keygen
- Please see ctaocrypt/test/test.c for examples and usage.
- For Windows, RIPEMD-160 and SHA-512 are enabled by default but key generation is
- off by default. To turn key generation on add the define CYASSL_KEY_GEN to
- CyaSSL.
- ************* CyaSSL Release 1.5.6 (7/28/2010)
- Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider,
- and a fix for GCC builds on some systems.
-
- For general build instructions see doc/Building_CyaSSL.pdf.
- To add AES-NI support add this option to ./configure
- ./configure --enable-aesni
- You'll need GCC 4.4.3 or later to make use of the assembly.
- ************** CyaSSL Release 1.5.4 (7/7/2010)
- Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed
- improvements from loop unrolling, and support for the Mongoose Web Server.
-
- For general build instructions see doc/Building_CyaSSL.pdf.
- To add AES-NI support add this option to ./configure
- ./configure --enable-aesni
- You'll need GCC 4.4.3 or later to make use of the assembly.
- *************** CyaSSL Release 1.5.0 (5/11/2010)
- Release 1.5.0 for CyaSSL adds bug fixes, GoAhead WebServer support, sniffer
- support, and initial swig interface support.
- For general build instructions see doc/Building_CyaSSL.pdf.
- To add support for GoAhead WebServer either --enable-opensslExtra or if you
- don't want all the features of opensslExtra you can just define GOAHEAD_WS
- instead. GOAHEAD_WS can be added to ./configure with CFLAGS=-DGOAHEAD_WS or
- you can define it yourself.
- To look at the sniffer support please see the sniffertest app in
- sslSniffer/sslSnifferTest. Build with --enable-sniffer on *nix or use the
- vcproj files on windows. You'll need to have pcap installed on *nix and
- WinPcap on windows.
- A swig interface file is now located in the swig directory for using Python,
- Java, Perl, and others with CyaSSL. This is initial support and experimental,
- please send questions or comments to support@yassl.com.
- When doing load testing with CyaSSL, on the echoserver example say, the client
- machine may run out of tcp ephemeral ports, they will end up in the TIME_WAIT
- queue, and can't be reused by default. There are generally two ways to fix
- this. 1) Reduce the length sockets remain on the TIME_WAIT queue or 2) Allow
- items on the TIME_WAIT queue to be reused.
- To reduce the TIME_WAIT length in OS X to 3 seconds (3000 milliseconds)
- sudo sysctl -w net.inet.tcp.msl=3000
- In Linux
- sudo sysctl -w net.ipv4.tcp_tw_reuse=1
- allows reuse of sockets in TIME_WAIT
- sudo sysctl -w net.ipv4.tcp_tw_recycle=1
- works but seems to remove sockets from TIME_WAIT entirely?
- sudo sysctl -w net.ipv4.tcp_fin_timeout=1
- doen't control TIME_WAIT, it controls FIN_WAIT(2) contrary to some posts
- ******************** CyaSSL Release 1.4.0 (2/18/2010)
- Release 1.3.0 for CyaSSL adds bug fixes, better multi TLS/SSL version support
- through SSLv23_server_method(), and improved documentation in the doc/ folder.
- For general build instructions doc/Building_CyaSSL.pdf.
- ******************** CyaSSL Release 1.3.0 (1/21/2010)
- Release 1.3.0 for CyaSSL adds bug fixes, a potential security problem fix,
- better porting support, removal of assert()s, and a complete THREADX port.
- For general build instructions see rc1 below.
- ******************** CyaSSL Release 1.2.0 (11/2/2009)
- Release 1.2.0 for CyaSSL adds bug fixes and session negotiation if first use is
- read or write.
- For general build instructions see rc1 below.
- ******************** CyaSSL Release 1.1.0 (9/2/2009)
- Release 1.1.0 for CyaSSL adds bug fixes, a check against malicious session
- cache use, support for lighttpd, and TLS 1.2.
- To get TLS 1.2 support please use the client and server functions:
- SSL_METHOD *TLSv1_2_server_method(void);
- SSL_METHOD *TLSv1_2_client_method(void);
- CyaSSL was tested against lighttpd 1.4.23. To build CyaSSL for use with
- lighttpd use the following commands from the CyaSSL install dir <CyaSSLDir>:
- ./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib
- make
- make openssl-links
- Then to build lighttpd with CyaSSL use the following commands from the
- lighttpd install dir:
- ./configure --with-openssl --with-openssl-includes=<CyaSSLDir>/include --with-openssl-libs=<CyaSSLDir>/lib LDFLAGS=-lm
- make
- On some systems you may get a linker error about a duplicate symbol for
- MD5_Init or other MD5 calls. This seems to be caused by the lighttpd src file
- md5.c, which defines MD5_Init(), and is included in liblightcomp_la-md5.o.
- When liblightcomp is linked with the SSL_LIBs the linker may complain about
- the duplicate symbol. This can be fixed by editing the lighttpd src file md5.c
- and adding this line to the beginning of the file:
- #if 0
- and this line to the end of the file
- #endif
- Then from the lighttpd src dir do a:
- make clean
- make
- If you get link errors about undefined symbols more than likely the actual
- OpenSSL libraries are found by the linker before the CyaSSL openssl-links that
- point to the CyaSSL library, causing the linker confusion. This can be fixed
- by editing the Makefile in the lighttpd src directory and changing the line:
- SSL_LIB = -lssl -lcrypto
- to
- SSL_LIB = -lcyassl
- Then from the lighttpd src dir do a:
- make clean
- make
- This should remove any confusion the linker may be having with missing symbols.
- For any questions or concerns please contact support@yassl.com .
- For general build instructions see rc1 below.
- ******************CyaSSL Release 1.0.6 (8/03/2009)
- Release 1.0.6 for CyaSSL adds bug fixes, an improved session cache, and faster
- math with a huge code option.
- The session cache now defaults to a client mode, also good for embedded servers.
- For servers not under heavy load (less than 200 new sessions per minute), define
- BIG_SESSION_CACHE. If the server will be under heavy load, define
- HUGE_SESSION_CACHE.
- There is now a fasthugemath option for configure. This enables fastmath plus
- even faster math by greatly increasing the code size of the math library. Use
- the benchmark utility to compare public key operations.
- For general build instructions see rc1 below.
- ******************CyaSSL Release 1.0.3 (5/10/2009)
- Release 1.0.3 for CyaSSL adds bug fixes and add increased support for OpenSSL
- compatibility when building other applications.
- Release 1.0.3 includes an alpha release of DTLS for both client and servers.
- This is only for testing purposes at this time. Rebroadcast and reordering
- aren't fully implemented at this time but will be for the next release.
- For general build instructions see rc1 below.
- ******************CyaSSL Release 1.0.2 (4/3/2009)
- Release 1.0.2 for CyaSSL adds bug fixes for a couple I/O issues. Some systems
- will send a SIGPIPE on socket recv() at any time and this should be handled by
- the application by turning off SIGPIPE through setsockopt() or returning from
- the handler.
- Release 1.0.2 includes an alpha release of DTLS for both client and servers.
- This is only for testing purposes at this time. Rebroadcast and reordering
- aren't fully implemented at this time but will be for the next release.
- For general build instructions see rc1 below.
- *****************CyaSSL Release Candidiate 3 rc3-1.0.0 (2/25/2009)
- Release Candidate 3 for CyaSSL 1.0.0 adds bug fixes and adds a project file for
- iPhone development with Xcode. cyassl-iphone.xcodeproj is located in the root
- directory. This release also includes a fix for supporting other
- implementations that bundle multiple messages at the record layer, this was
- lost when cyassl i/o was re-implemented but is now fixed.
- For general build instructions see rc1 below.
- *****************CyaSSL Release Candidiate 2 rc2-1.0.0 (1/21/2009)
- Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and adds two new stream
- ciphers along with their respective cipher suites. CyaSSL adds support for
- HC-128 and RABBIT stream ciphers. The new suites are:
- TLS_RSA_WITH_HC_128_CBC_SHA
- TLS_RSA_WITH_RABBIT_CBC_SHA
- And the corresponding cipher names are
- HC128-SHA
- RABBIT-SHA
- CyaSSL also adds support for building with devkitPro for PPC by changing the
- library proper to use libogc. The examples haven't been changed yet but if
- there's interest they can be. Here's an example ./configure to build CyaSSL
- for devkitPro:
- ./configure --disable-shared CC=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-gcc --host=ppc --without-zlib --enable-singleThreaded RANLIB=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-ranlib CFLAGS="-DDEVKITPRO -DGEKKO"
- For linking purposes you'll need
- LDFLAGS="-g -mrvl -mcpu=750 -meabi -mhard-float -Wl,-Map,$(notdir $@).map"
- For general build instructions see rc1 below.
- ********************CyaSSL Release Candidiate 1 rc1-1.0.0 (12/17/2008)
- Release Candidate 1 for CyaSSL 1.0.0 contains major internal changes. Several
- areas have optimization improvements, less dynamic memory use, and the I/O
- strategy has been refactored to allow alternate I/O handling or Library use.
- Many thanks to Thierry Fournier for providing these ideas and most of the work.
- Because of these changes, this release is only a candidate since some problems
- are probably inevitable on some platform with some I/O use. Please report any
- problems and we'll try to resolve them as soon as possible. You can contact us
- at support@yassl.com or todd@yassl.com.
- Using TomsFastMath by passing --enable-fastmath to ./configure now uses assembly
- on some platforms. This is new so please report any problems as every compiler,
- mode, OS combination hasn't been tested. On ia32 all of the registers need to
- be available so be sure to pass these options to CFLAGS:
- CFLAGS="-O3 -fomit-frame-pointer"
- OS X will also need -mdynamic-no-pic added to CFLAGS
- Also if you're building in shared mode for ia32 you'll need to pass options to
- LDFLAGS as well on OS X:
- LDFLAGS=-Wl,-read_only_relocs,warning
- This gives warnings for some symbols but seems to work.
- --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
- ./configure
- make
- from the ./testsuite/ directory run ./testsuite
- to make a debug build:
- ./configure --enable-debug --disable-shared
- make
- --To build on Win32
- Choose (Re)Build All from the project workspace
- Run the testsuite program
- *************************CyaSSL version 0.9.9 (7/25/2008)
- This release of CyaSSL adds bug fixes, Pre-Shared Keys, over-rideable memory
- handling, and optionally TomsFastMath. Thanks to Moisés Guimarães for the
- work on TomsFastMath.
- To optionally use TomsFastMath pass --enable-fastmath to ./configure
- Or define USE_FAST_MATH in each project from CyaSSL for MSVC.
- Please use the benchmark routine before and after to see the performance
- difference, on some platforms the gains will be little but RSA encryption
- always seems to be faster. On x86-64 machines with GCC the normal math library
- may outperform the fast one when using CFLAGS=-m64 because TomsFastMath can't
- yet use -m64 because of GCCs inability to do 128bit division.
- **** UPDATE GCC 4.2.1 can now do 128bit division ***
- See notes below (0.2.0) for complete build instructions.
- ****************CyaSSL version 0.9.8 (5/7/2008)
- This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better
- socket handling.
- See notes below (0.2.0) for complete build instructions.
- ****************CyaSSL version 0.9.6 (1/31/2008)
- This release of CyaSSL adds bug fixes, increased session management, and a fix
- for gnutls.
- See notes below (0.2.0) for complete build instructions.
- ****************CyaSSL version 0.9.0 (10/15/2007)
- This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support,
- IPV6 support and test, and new test certificates.
- See notes below (0.2.0) for complete build instructions.
- ****************CyaSSL version 0.8.0 (1/10/2007)
- This release of CyaSSL adds increased socket support, for non-blocking writes,
- connects, and interrupted system calls.
- See notes below (0.2.0) for complete build instructions.
- ****************CyaSSL version 0.6.3 (10/30/2006)
- This release of CyaSSL adds debug logging to stderr to aid in the debugging of
- CyaSSL on systems that may not provide the best support.
- If CyaSSL is built with debugging support then you need to call
- CyaSSL_Debugging_ON() to turn logging on.
- On Unix use ./configure --enable-debug
- On Windows define DEBUG_CYASSL when building CyaSSL
- To turn logging back off call CyaSSL_Debugging_OFF()
- See notes below (0.2.0) for complete build instructions.
- *****************CyaSSL version 0.6.2 (10/29/2006)
- This release of CyaSSL adds TLS 1.1.
- Note that CyaSSL has certificate verification on by default, unlike OpenSSL.
- To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with
- SSL_VERIFY_NONE. In order to have full security you should never do this,
- provide CyaSSL with the proper certificates to eliminate impostors and call
- CyaSSL_check_domain_name() to prevent man in the middle attacks.
- See notes below (0.2.0) for build instructions.
- *****************CyaSSL version 0.6.0 (10/25/2006)
- This release of CyaSSL adds more SSL functions, better autoconf, nonblocking
- I/O for accept, connect, and read. There is now an --enable-small configure
- option that turns off TLS, AES, DES3, HMAC, and ERROR_STRINGS, see configure.in
- for the defines. Note that TLS requires HMAC and AES requires TLS.
- See notes below (0.2.0) for build instructions.
- *****************CyaSSL version 0.5.5 (09/27/2006)
- This mini release of CyaSSL adds better input processing through buffered input
- and big message support. Added SSL_pending() and some sanity checks on user
- settings.
- See notes below (0.2.0) for build instructions.
- *****************CyaSSL version 0.5.0 (03/27/2006)
- This release of CyaSSL adds AES support and minor bug fixes.
- See notes below (0.2.0) for build instructions.
- *****************CyaSSL version 0.4.0 (03/15/2006)
- This release of CyaSSL adds TLSv1 client/server support and libtool.
- See notes below for build instructions.
- *****************CyaSSL version 0.3.0 (02/26/2006)
- This release of CyaSSL adds SSLv3 server support and session resumption.
- See notes below for build instructions.
- *****************CyaSSL version 0.2.0 (02/19/2006)
- This is the first release of CyaSSL and its crypt brother, CTaoCrypt. CyaSSL
- is written in ANSI C with the idea of a small code size, footprint, and memory
- usage in mind. CTaoCrypt can be as small as 32K, and the current client
- version of CyaSSL can be as small as 12K.
- The first release of CTaoCrypt supports MD5, SHA-1, 3DES, ARC4, Big Integer
- Support, RSA, ASN parsing, and basic x509 (en/de)coding.
- The first release of CyaSSL supports normal client RSA mode SSLv3 connections
- with support for SHA-1 and MD5 digests. Ciphers include 3DES and RC4.
- --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
- ./configure
- make
- from the ./testsuite/ directory run ./testsuite
- to make a debug build:
- ./configure --enable-debug --disable-shared
- make
- --To build on Win32
- Choose (Re)Build All from the project workspace
- Run the testsuite program
- *** The next release of CyaSSL will support a server and more OpenSSL
- compatibility functions.
- Please send questions or comments to todd@yassl.com
|