1 *** Notes, Please read ***
4 CyaSSL now needs all examples and tests to be run from the CyaSSL home
5 directory. This is because it finds certs and keys from ./certs/. Trying to
6 maintain the ability to run each program from its own directory, the testsuite
7 directory, the main directory (for make check/test), and for the various
8 different project layouts (with or without config) was becoming harder and
9 harder. Now to run testsuite just do:
15 make check (when using autoconf)
17 On *nix or Windows the examples and testsuite will check to see if the current
18 directory is the source directory and if so, attempt to change to the CyaSSL
19 home directory. This should work in most setup cases, if not, just follow the
20 beginning of the note and specify the full path.
24 CyaSSL takes a different approach to certificate verification than OpenSSL does.
25 The default policy for the client is to verify the server, this means that if
26 you don't load CAs to verify the server you'll get a connect error, no signer
27 error to confirm failure (-188). If you want to mimic OpenSSL behavior of
28 having SSL_connect succeed even if verifying the server fails and reducing
29 security you can do this by calling:
31 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
33 before calling SSL_new(); Though it's not recommended.
38 CyaSSL Release 3.1.0 (07/14/2014)
40 Release 3.1.0 CyaSSL has bug fixes and new features including:
42 - Fix for older versions of icc without 128-bit type
43 - Intel ASM syntax for AES-NI
44 - Updated NTRU support, keygen benchmark
45 - FIPS check for minimum required HMAC key length
46 - Small stack (--enable-smallstack) improvements for PKCS#7, ASN
47 - TLS extension support for DTLS
48 - Default I/O callbacks external to user
49 - Updated example client with bad clock test
50 - Ability to set optional ECC context info
51 - Ability to enable/disable DH separate from opensslextra
52 - Additional test key/cert buffers for CA and server
53 - Updated example certificates
55 The CyaSSL manual is available at:
56 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
57 and comments about the new features please check the manual.
60 ************ CyaSSL Release 3.0.2 (05/30/2014)
62 Release 3.0.2 CyaSSL has bug fixes and new features including:
64 - Added the following cipher suites:
65 * TLS_PSK_WITH_AES_128_GCM_SHA256
66 * TLS_PSK_WITH_AES_256_GCM_SHA384
67 * TLS_PSK_WITH_AES_256_CBC_SHA384
68 * TLS_PSK_WITH_NULL_SHA384
69 * TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
70 * TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
71 * TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
72 * TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
73 * TLS_DHE_PSK_WITH_NULL_SHA256
74 * TLS_DHE_PSK_WITH_NULL_SHA384
75 * TLS_DHE_PSK_WITH_AES_128_CCM
76 * TLS_DHE_PSK_WITH_AES_256_CCM
77 - Added AES-NI support for Microsoft Visual Studio builds.
78 - Changed small stack build to be disabled by default.
79 - Updated the Hash DRBG and provided a configure option to enable.
81 The CyaSSL manual is available at:
82 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
83 and comments about the new features please check the manual.
86 ************ CyaSSL Release 3.0.0 (04/29/2014)
88 Release 3.0.0 CyaSSL has bug fixes and new features including:
90 - FIPS release candidate
91 - X.509 improvements that address items reported by Suman Jana with security
92 researchers at UT Austin and UC Davis
93 - Small stack size improvements, --enable-smallstack. Offloads large local
94 variables to the heap. (Note this is not complete.)
95 - Updated AES-CCM-8 cipher suites to use approved suite numbers.
97 The CyaSSL manual is available at:
98 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
99 and comments about the new features please check the manual.
102 ************ CyaSSL Release 2.9.4 (04/09/2014)
104 Release 2.9.4 CyaSSL has bug fixes and new features including:
106 - Security fixes that address items reported by Ivan Fratric of the Google
108 - X.509 Unknown critical extensions treated as errors, report by Suman Jana with
109 security researchers at UT Austin and UC Davis
110 - Sniffer fixes for corrupted packet length and Jumbo frames
111 - ARM thumb mode assembly fixes
112 - Xcode 5.1 support including new clang
113 - PIC32 MZ hardware support
114 - CyaSSL Object has enough room to read the Record Header now w/o allocs
115 - FIPS wrappers for AES, 3DES, SHA1, SHA256, SHA384, HMAC, and RSA.
116 - A sample I/O pool is demonstrated with --enable-iopool to overtake memory
117 handling and reduce memory fragmentation on I/O large sizes
119 The CyaSSL manual is available at:
120 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
121 and comments about the new features please check the manual.
124 ************ CyaSSL Release 2.9.0 (02/07/2014)
126 Release 2.9.0 CyaSSL has bug fixes and new features including:
127 - Freescale Kinetis RNGB support
128 - Freescale Kinetis mmCAU support
129 - TLS Hello extensions
131 - Secure Renegotiation (null)
134 - PKCS #7 Enveloped data and signed data
135 - PKCS #10 Certificate Signing Request generation
136 - DTLS sliding window
138 - API change to integrate into Certificate Manager
140 - example client/server support for OCSP
141 - OCSP nonces are optional
143 - Windows build additions
144 - Windows CYGWIN build fixes
145 - Updated test certificates
146 - Microchip MPLAB Harmony support
147 - Update autoconf scripts
148 - Additional X.509 inspection functions
149 - ECC encrypt/decrypt primitives
150 - ECC Certificate generation
152 The Freescale Kinetis K53 RNGB documentation can be found in Chapter 33 of the
153 K53 Sub-Family Reference Manual:
154 http://cache.freescale.com/files/32bit/doc/ref_manual/K53P144M100SF2RM.pdf
156 Freescale Kinetis K60 mmCAU (AES, DES, 3DES, MD5, SHA, SHA256) documentation
157 can be found in the "ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library
159 http://cache.freescale.com/files/32bit/doc/user_guide/CAUAPIUG.pdf
162 *****************CyaSSL Release 2.8.0 (8/30/2013)
164 Release 2.8.0 CyaSSL has bug fixes and new features including:
165 - AES-GCM and AES-CCM use AES-NI
166 - NetX default IO callback handlers
167 - IPv6 fixes for DTLS Hello Cookies
168 - The ability to unload Certs/Keys after the handshake, CyaSSL_UnloadCertsKeys()
169 - SEP certificate extensions
170 - Callback getters for easier resource freeing
171 - External CYASSL_MAX_ERROR_SZ for correct error buffer sizing
172 - MacEncrypt and DecryptVerify Callbacks for User Atomic Record Layer Processing
173 - Public Key Callbacks for ECC and RSA
174 - Client now sends blank cert upon request if doesn't have one with TLS <= 1.2
177 The CyaSSL manual is available at:
178 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
179 and comments about the new features please check the manual.
182 *****************CyaSSL Release 2.7.0 (6/17/2013)
184 Release 2.7.0 CyaSSL has bug fixes and new features including:
185 - SNI support for client and server
186 - KEIL MDK-ARM projects
187 - Wildcard check to domain name match, and Subject altnames are checked too
188 - Better error messages for certificate verification errors
189 - Ability to discard session during handshake verify
190 - More consistent error returns across all APIs
191 - Ability to unload CAs at the CTX or CertManager level
192 - Authority subject id support for Certificate matching
193 - Persistent session cache functionality
194 - Persistent CA cache functionality
195 - Client session table lookups to push serverID table to library level
196 - Camellia support to sniffer
197 - User controllable settings for DTLS timeout values
198 - Sniffer fixes for caching long lived sessions
199 - DTLS reliability enhancements for the handshake
200 - Better ThreadX support
202 When compiling with Mingw, libtool may give the following warning due to
203 path conversion errors:
205 libtool: link: Could not determine host file name corresponding to **
206 libtool: link: Continuing, but uninstalled executables may not work.
208 If so, examples and testsuite will have problems when run, showing an
209 error while loading shared libraries. To resolve, please run "make install".
211 The CyaSSL manual is available at:
212 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
213 and comments about the new features please check the manual.
216 ************** CyaSSL Release 2.6.0 (04/15/2013)
218 Release 2.6.0 CyaSSL has bug fixes and new features including:
219 - DTLS 1.2 support including AEAD ciphers
220 - SHA-3 finalist Blake2 support, it's fast and uses little resources
221 - SHA-384 cipher suites including ECC ones
222 - HMAC now supports SHA-512
223 - Track memory use for example client/server with -t option
224 - Better IPv6 examples with --enable-ipv6, before if ipv6 examples/tests were
225 turned on, localhost only was used. Now link-local (with scope ids) and ipv6
226 hosts can be used as well.
227 - Xcode v4.6 project for iOS v6.1 update
228 - settings.h is now checked in all *.c files for true one file setting detection
229 - Better alignment at SSL layer for hardware crypto alignment needs
230 * Note, SSL itself isn't friendly to alignment with 5 byte TLS headers and
231 13 bytes DTLS headers, but every effort is now made to align with the
232 CYASSL_GENERAL_ALIGNMENT flag which sets desired alignment requirement
233 - NO_64BIT flag to turn off 64bit data type accumulators in public key code
234 * Note, some systems are faster with 32bit accumulators
235 - --enable-stacksize for example client/server stack use
236 * Note, modern desktop Operating Systems may add bytes to each stack frame
237 - Updated compression/decompression with direct crypto access
238 - All ./configure options are now lowercase only for consistency
239 - ./configure builds default to fastmath option
240 * Note, if on ia32 and building in shared mode this may produce a problem
241 with a missing register being available because of PIC, there are at least
243 1) --disable-fastmath , don't use fastmath
244 2) --disable-shared, don't build a shared library
245 3) C_EXTRA_FLAGS=-DTFM_NO_ASM , turn off assembly use
246 4) use clang, it just seems to work
247 5) play around with no PIC options to force all registers being open
248 - Many new ./configure switches for option enable/disable for example
255 * null (allow NULL ciphers)
256 * oldtls (only use TLS 1.2)
257 * asn (no certs or public keys allowed)
258 - ./configure generates cyassl/options.h which allows a header the user can
259 include in their app to make sure the same options are set at the app and
261 - autoconf no longer needs serial-tests which lowers version requirements of
262 automake to 1.11 and autoconf to 2.63
264 The CyaSSL manual is available at:
265 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
266 and comments about the new features please check the manual.
270 ************** CyaSSL Release 2.5.0 (02/04/2013)
272 Release 2.5.0 CyaSSL has bug fixes and new features including:
273 - Fix for TLS CBC padding timing attack identified by Nadhem Alfardan and
274 Kenny Paterson: http://www.isg.rhul.ac.uk/tls/
275 - Microchip PIC32 (MIPS16, MIPS32) support
276 - Microchip MPLAB X example projects for PIC32 Ethernet Starter Kit
277 - Updated CTaoCrypt benchmark app for embedded systems
278 - 1024-bit test certs/keys and cert/key buffers
279 - AES-CCM-8 crypto and cipher suites
280 - Camellia crypto and cipher suites
281 - Bumped minimum autoconf version to 2.65, automake version to 1.12
282 - Addition of OCSP callbacks
283 - STM32F2 support with hardware crypto and RNG
284 - Cavium NITROX support
286 CTaoCrypt now has support for the Microchip PIC32 and has been tested with
287 the Microchip PIC32 Ethernet Starter Kit, the XC32 compiler and
288 MPLAB X IDE in both MIPS16 and MIPS32 instruction set modes. See the README
289 located under the <cyassl_root>/mplabx directory for more details.
291 To add Cavium NITROX support do:
293 ./configure --with-cavium=/home/user/cavium/software
295 pointing to your licensed cavium/software directory. Since Cavium doesn't
296 build a library we pull in the cavium_common.o file which gives a libtool
297 warning about the portability of this. Also, if you're using the github source
298 tree you'll need to remove the -Wredundant-decls warning from the generated
299 Makefile because the cavium headers don't conform to this warning. Currently
300 CyaSSL supports Cavium RNG, AES, 3DES, RC4, HMAC, and RSA directly at the crypto
301 layer. Support at the SSL level is partial and currently just does AES, 3DES,
302 and RC4. RSA and HMAC are slower until the Cavium calls can be utilized in non
303 blocking mode. The example client turns on cavium support as does the crypto
304 test and benchmark. Please see the HAVE_CAVIUM define.
306 CyaSSL is able to use the STM32F2 hardware-based cryptography and random number
307 generator through the STM32F2 Standard Peripheral Library. For necessary
308 defines, see the CYASSL_STM32F2 define in settings.h. Documentation for the
309 STM32F2 Standard Peripheral Library can be found in the following document:
310 http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/USER_MANUAL/DM00023896.pdf
312 The CyaSSL manual is available at:
313 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
314 and comments about the new features please check the manual.
318 *************** CyaSSL Release 2.4.6 (12/20/2012)
320 Release 2.4.6 CyaSSL has bug fixes and a few new features including:
321 - ECC into main version
322 - Lean PSK build (reduced code size, RAM usage, and stack usage)
323 - FreeBSD CRL monitor support
325 - CyaSSL_send() and CyaSSL_recv() for I/O flag setting
326 - CodeWarrior Support
328 - Freescale Kinetis support including Hardware RNG
329 - autoconf builds use jobserver
331 - Sniffer memory reductions
333 Thanks to Brian Aker for the improved autoconf system, make rpm, cyassl-config,
334 warning system, and general good ideas for improving CyaSSL!
336 The Freescale Kinetis K70 RNGA documentation can be found in Chapter 37 of the
337 K70 Sub-Family Reference Manual:
338 http://cache.freescale.com/files/microcontrollers/doc/ref_manual/K70P256M150SF3RM.pdf
340 The CyaSSL manual is available at:
341 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
342 and comments about the new features please check the manual.
345 *************** CyaSSL Release 2.4.0 (10/10/2012)
347 Release 2.4.0 CyaSSL has bug fixes and a few new features including:
349 - Reduced memory usage after handshake
350 - Updated build process
352 The CyaSSL manual is available at:
353 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
354 and comments about the new features please check the manual.
358 *************** CyaSSL Release 2.3.0 (8/10/2012)
360 Release 2.3.0 CyaSSL has bug fixes and a few new features including:
361 - AES-GCM crypto and cipher suites
362 - make test cipher suite checks
363 - Subject AltName processing
364 - Command line support for client/server examples
365 - Sniffer SessionTicket support
366 - SHA-384 cipher suites
367 - Verify cipher suite validity when user overrides
369 - DTLS Cookie support, reliability coming soon
371 The CyaSSL manual is available at:
372 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
373 and comments about the new features please check the manual.
377 ***************CyaSSL Release 2.2.0 (5/18/2012)
379 Release 2.2.0 CyaSSL has bug fixes and a few new features including:
380 - Initial CRL support (--enable-crl)
381 - Initial OCSP support (--enable-ocsp)
382 - Add static ECDH suites
384 - ECC client certificate support
385 - Add medium session cache size (1055 sessions)
387 - Protection against mutex reinitialization
390 The CyaSSL manual is available at:
391 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
392 and comments about the new features please check the manual.
396 ***************CyaSSL Release 2.0.8 (2/24/2012)
398 Release 2.0.8 CyaSSL has bug fixes and a few new features including:
399 - A fix for malicious certificates pointed out by Remi Gacogne (thanks)
400 resulting in NULL pointer use.
401 - Respond to renegotiation attempt with no_renegoatation alert
402 - Add basic path support for load_verify_locations()
403 - Add set Temp EC-DHE key size
404 - Extra checks on rsa test when porting into
407 The CyaSSL manual is available at:
408 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
409 and comments about the new features please check the manual.
413 ************* CyaSSL Release 2.0.6 (1/27/2012)
415 Release 2.0.6 CyaSSL has bug fixes and a few new features including:
416 - Fixes for CA basis constraint check
417 - CTX reference counting
418 - Initial unit test additions
419 - Lean and Mean Windows fix
421 - SSMTP build support
422 - Ability to group handshake messages with set_group_messages(ctx/ssl)
423 - CA cache addition callback
424 - Export Base64_Encode for general use
426 The CyaSSL manual is available at:
427 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
428 and comments about the new features please check the manual.
432 ************* CyaSSL Release 2.0.2 (12/05/2011)
434 Release 2.0.2 CyaSSL has bug fixes and a few new features including:
435 - CTaoCrypt Runtime library detection settings when directly using the crypto
437 - Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation
438 - All test certificates now use 2048bit and SHA-1 for better modern browser
440 - Direct AES block access and AES-CTR (counter) mode
441 - Microchip pic32 support
443 The CyaSSL manual is available at:
444 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
445 and comments about the new features please check the manual.
449 ************* CyaSSL Release 2.0.0rc3 (9/28/2011)
451 Release 2.0.0rc3 for CyaSSL has bug fixes and a few new features including:
452 - updated autoconf support
453 - better make install and uninstall (uses system directories)
454 - make test / make check
455 - CyaSSL headers now in <cyassl/*.h>
456 - CTaocrypt headers now in <cyassl/ctaocrypt/*.h>
457 - OpenSSL compatibility headers now in <cyassl/openssl/*.h>
458 - examples and tests all run from home directory so can use certs in ./certs
461 So previous applications that used the OpenSSL compatibility header
462 <openssl/ssl.h> now need to include <cyassl/openssl/ssl.h> instead, no other
463 changes are required.
465 Special Thanks to Brian Aker for his autoconf, install, and header patches.
467 The CyaSSL manual is available at:
468 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
469 and comments about the new features please check the manual.
471 ************CyaSSL Release 2.0.0rc2 (6/6/2011)
473 Release 2.0.0rc2 for CyaSSL has bug fixes and a few new features including:
474 - bug fixes (Alerts, DTLS with DHE)
477 - Wshadow warnings removed
479 - CTaoCrypt public headers now all have ctc_ prefix (the manual is still being
480 updated to reflect this change)
483 This is the 2nd and perhaps final release candidate for version 2.
484 Please send any comments or questions to support@yassl.com.
486 The CyaSSL manual is available at:
487 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
488 and comments about the new features please check the manual.
490 ***********CyaSSL Release 2.0.0rc1 (5/2/2011)
492 Release 2.0.0rc1 for CyaSSL has many new features including:
494 - SHA-256 cipher suites
495 - Root Certificate Verification (instead of needing all certs in the chain)
496 - PKCS #8 private key encryption (supports PKCS #5 v1-v2 and PKCS #12)
497 - Serial number retrieval for x509
498 - PBKDF2 and PKCS #12 PBKDF
499 - UID parsing for x509
500 - SHA-256 certificate signatures
501 - Client and server can send chains (SSL_CTX_use_certificate_chain_file)
502 - CA loading can now parse multiple certificates per file
503 - Dynamic memory runtime hooks
504 - Runtime hooks for logging
506 - More informative error codes
507 - More informative logging messages
508 - Version downgrade more robust (use SSL_v23*)
509 - Shared build only by default through ./configure
510 - Compiler visibility is now used, internal functions not polluting namespace
511 - Single Makefile, no recursion, for faster and simpler building
512 - Turn on all warnings possible build option, warning fixes
515 Because of all the new features and the multiple OS, compiler, feature-set
516 options that CyaSSL allows, there may be some configuration fixes needed.
517 Please send any comments or questions to support@yassl.com.
519 The CyaSSL manual is available at:
520 http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions
521 and comments about the new features please check the manual.
523 ****************** CyaSSL Release 1.9.0 (3/2/2011)
525 Release 1.9.0 for CyaSSL adds bug fixes, improved TLSv1.2 through testing and
526 better hash/sig algo ids, --enable-webServer for the yaSSL embedded web server,
527 improper AES key setup detection, user cert verify callback improvements, and
530 The CyaSSL manual offering is included in the doc/ directory. For build
531 instructions and comments about the new features please check the manual.
533 Please send any comments or questions to support@yassl.com.
535 ****************** CyaSSL Release 1.8.0 (12/23/2010)
537 Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate
538 generation, a C standard library abstraction layer, lower memory use, increased
539 portability through the os_settings.h file, and the ability to use NTRU cipher
540 suites when used in conjunction with an NTRU license and library.
542 The initial CyaSSL manual offering is included in the doc/ directory. For
543 build instructions and comments about the new features please check the manual.
545 Please send any comments or questions to support@yassl.com.
550 ********************* CyaSSL Release 1.6.5 (9/9/2010)
552 Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate
555 For general build instructions see doc/Building_CyaSSL.pdf.
557 To enable certificate generation support add this option to ./configure
558 ./configure --enable-certgen
560 An example is included in ctaocrypt/test/test.c and documentation is provided
561 in doc/CyaSSL_Extensions_Reference.pdf item 11.
563 ********************** CyaSSL Release 1.6.0 (8/27/2010)
565 Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key
568 For general build instructions see doc/Building_CyaSSL.pdf.
570 To add RIPEMD-160 support add this option to ./configure
571 ./configure --enable-ripemd
573 To add SHA-512 support add this option to ./configure
574 ./configure --enable-sha512
576 To add RSA key generation support add this option to ./configure
577 ./configure --enable-keygen
579 Please see ctaocrypt/test/test.c for examples and usage.
581 For Windows, RIPEMD-160 and SHA-512 are enabled by default but key generation is
582 off by default. To turn key generation on add the define CYASSL_KEY_GEN to
586 ************* CyaSSL Release 1.5.6 (7/28/2010)
588 Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider,
589 and a fix for GCC builds on some systems.
591 For general build instructions see doc/Building_CyaSSL.pdf.
593 To add AES-NI support add this option to ./configure
594 ./configure --enable-aesni
596 You'll need GCC 4.4.3 or later to make use of the assembly.
598 ************** CyaSSL Release 1.5.4 (7/7/2010)
600 Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed
601 improvements from loop unrolling, and support for the Mongoose Web Server.
603 For general build instructions see doc/Building_CyaSSL.pdf.
605 To add AES-NI support add this option to ./configure
606 ./configure --enable-aesni
608 You'll need GCC 4.4.3 or later to make use of the assembly.
610 *************** CyaSSL Release 1.5.0 (5/11/2010)
612 Release 1.5.0 for CyaSSL adds bug fixes, GoAhead WebServer support, sniffer
613 support, and initial swig interface support.
615 For general build instructions see doc/Building_CyaSSL.pdf.
617 To add support for GoAhead WebServer either --enable-opensslExtra or if you
618 don't want all the features of opensslExtra you can just define GOAHEAD_WS
619 instead. GOAHEAD_WS can be added to ./configure with CFLAGS=-DGOAHEAD_WS or
620 you can define it yourself.
622 To look at the sniffer support please see the sniffertest app in
623 sslSniffer/sslSnifferTest. Build with --enable-sniffer on *nix or use the
624 vcproj files on windows. You'll need to have pcap installed on *nix and
627 A swig interface file is now located in the swig directory for using Python,
628 Java, Perl, and others with CyaSSL. This is initial support and experimental,
629 please send questions or comments to support@yassl.com.
631 When doing load testing with CyaSSL, on the echoserver example say, the client
632 machine may run out of tcp ephemeral ports, they will end up in the TIME_WAIT
633 queue, and can't be reused by default. There are generally two ways to fix
634 this. 1) Reduce the length sockets remain on the TIME_WAIT queue or 2) Allow
635 items on the TIME_WAIT queue to be reused.
638 To reduce the TIME_WAIT length in OS X to 3 seconds (3000 milliseconds)
640 sudo sysctl -w net.inet.tcp.msl=3000
644 sudo sysctl -w net.ipv4.tcp_tw_reuse=1
646 allows reuse of sockets in TIME_WAIT
648 sudo sysctl -w net.ipv4.tcp_tw_recycle=1
650 works but seems to remove sockets from TIME_WAIT entirely?
652 sudo sysctl -w net.ipv4.tcp_fin_timeout=1
654 doen't control TIME_WAIT, it controls FIN_WAIT(2) contrary to some posts
657 ******************** CyaSSL Release 1.4.0 (2/18/2010)
659 Release 1.3.0 for CyaSSL adds bug fixes, better multi TLS/SSL version support
660 through SSLv23_server_method(), and improved documentation in the doc/ folder.
662 For general build instructions doc/Building_CyaSSL.pdf.
664 ******************** CyaSSL Release 1.3.0 (1/21/2010)
666 Release 1.3.0 for CyaSSL adds bug fixes, a potential security problem fix,
667 better porting support, removal of assert()s, and a complete THREADX port.
669 For general build instructions see rc1 below.
671 ******************** CyaSSL Release 1.2.0 (11/2/2009)
673 Release 1.2.0 for CyaSSL adds bug fixes and session negotiation if first use is
676 For general build instructions see rc1 below.
678 ******************** CyaSSL Release 1.1.0 (9/2/2009)
680 Release 1.1.0 for CyaSSL adds bug fixes, a check against malicious session
681 cache use, support for lighttpd, and TLS 1.2.
683 To get TLS 1.2 support please use the client and server functions:
685 SSL_METHOD *TLSv1_2_server_method(void);
686 SSL_METHOD *TLSv1_2_client_method(void);
688 CyaSSL was tested against lighttpd 1.4.23. To build CyaSSL for use with
689 lighttpd use the following commands from the CyaSSL install dir <CyaSSLDir>:
691 ./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib
696 Then to build lighttpd with CyaSSL use the following commands from the
697 lighttpd install dir:
699 ./configure --with-openssl --with-openssl-includes=<CyaSSLDir>/include --with-openssl-libs=<CyaSSLDir>/lib LDFLAGS=-lm
703 On some systems you may get a linker error about a duplicate symbol for
704 MD5_Init or other MD5 calls. This seems to be caused by the lighttpd src file
705 md5.c, which defines MD5_Init(), and is included in liblightcomp_la-md5.o.
706 When liblightcomp is linked with the SSL_LIBs the linker may complain about
707 the duplicate symbol. This can be fixed by editing the lighttpd src file md5.c
708 and adding this line to the beginning of the file:
712 and this line to the end of the file
716 Then from the lighttpd src dir do a:
722 If you get link errors about undefined symbols more than likely the actual
723 OpenSSL libraries are found by the linker before the CyaSSL openssl-links that
724 point to the CyaSSL library, causing the linker confusion. This can be fixed
725 by editing the Makefile in the lighttpd src directory and changing the line:
727 SSL_LIB = -lssl -lcrypto
733 Then from the lighttpd src dir do a:
738 This should remove any confusion the linker may be having with missing symbols.
740 For any questions or concerns please contact support@yassl.com .
742 For general build instructions see rc1 below.
744 ******************CyaSSL Release 1.0.6 (8/03/2009)
746 Release 1.0.6 for CyaSSL adds bug fixes, an improved session cache, and faster
747 math with a huge code option.
749 The session cache now defaults to a client mode, also good for embedded servers.
750 For servers not under heavy load (less than 200 new sessions per minute), define
751 BIG_SESSION_CACHE. If the server will be under heavy load, define
754 There is now a fasthugemath option for configure. This enables fastmath plus
755 even faster math by greatly increasing the code size of the math library. Use
756 the benchmark utility to compare public key operations.
759 For general build instructions see rc1 below.
761 ******************CyaSSL Release 1.0.3 (5/10/2009)
763 Release 1.0.3 for CyaSSL adds bug fixes and add increased support for OpenSSL
764 compatibility when building other applications.
766 Release 1.0.3 includes an alpha release of DTLS for both client and servers.
767 This is only for testing purposes at this time. Rebroadcast and reordering
768 aren't fully implemented at this time but will be for the next release.
770 For general build instructions see rc1 below.
772 ******************CyaSSL Release 1.0.2 (4/3/2009)
774 Release 1.0.2 for CyaSSL adds bug fixes for a couple I/O issues. Some systems
775 will send a SIGPIPE on socket recv() at any time and this should be handled by
776 the application by turning off SIGPIPE through setsockopt() or returning from
779 Release 1.0.2 includes an alpha release of DTLS for both client and servers.
780 This is only for testing purposes at this time. Rebroadcast and reordering
781 aren't fully implemented at this time but will be for the next release.
783 For general build instructions see rc1 below.
785 *****************CyaSSL Release Candidiate 3 rc3-1.0.0 (2/25/2009)
788 Release Candidate 3 for CyaSSL 1.0.0 adds bug fixes and adds a project file for
789 iPhone development with Xcode. cyassl-iphone.xcodeproj is located in the root
790 directory. This release also includes a fix for supporting other
791 implementations that bundle multiple messages at the record layer, this was
792 lost when cyassl i/o was re-implemented but is now fixed.
794 For general build instructions see rc1 below.
796 *****************CyaSSL Release Candidiate 2 rc2-1.0.0 (1/21/2009)
799 Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and adds two new stream
800 ciphers along with their respective cipher suites. CyaSSL adds support for
801 HC-128 and RABBIT stream ciphers. The new suites are:
803 TLS_RSA_WITH_HC_128_SHA
804 TLS_RSA_WITH_RABBIT_SHA
806 And the corresponding cipher names are
811 CyaSSL also adds support for building with devkitPro for PPC by changing the
812 library proper to use libogc. The examples haven't been changed yet but if
813 there's interest they can be. Here's an example ./configure to build CyaSSL
816 ./configure --disable-shared CC=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-gcc --host=ppc --without-zlib --enable-singleThreaded RANLIB=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-ranlib CFLAGS="-DDEVKITPRO -DGEKKO"
818 For linking purposes you'll need
820 LDFLAGS="-g -mrvl -mcpu=750 -meabi -mhard-float -Wl,-Map,$(notdir $@).map"
822 For general build instructions see rc1 below.
825 ********************CyaSSL Release Candidiate 1 rc1-1.0.0 (12/17/2008)
828 Release Candidate 1 for CyaSSL 1.0.0 contains major internal changes. Several
829 areas have optimization improvements, less dynamic memory use, and the I/O
830 strategy has been refactored to allow alternate I/O handling or Library use.
831 Many thanks to Thierry Fournier for providing these ideas and most of the work.
833 Because of these changes, this release is only a candidate since some problems
834 are probably inevitable on some platform with some I/O use. Please report any
835 problems and we'll try to resolve them as soon as possible. You can contact us
836 at support@yassl.com or todd@yassl.com.
838 Using TomsFastMath by passing --enable-fastmath to ./configure now uses assembly
839 on some platforms. This is new so please report any problems as every compiler,
840 mode, OS combination hasn't been tested. On ia32 all of the registers need to
841 be available so be sure to pass these options to CFLAGS:
843 CFLAGS="-O3 -fomit-frame-pointer"
845 OS X will also need -mdynamic-no-pic added to CFLAGS
847 Also if you're building in shared mode for ia32 you'll need to pass options to
848 LDFLAGS as well on OS X:
850 LDFLAGS=-Wl,-read_only_relocs,warning
852 This gives warnings for some symbols but seems to work.
855 --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
860 from the ./testsuite/ directory run ./testsuite
862 to make a debug build:
864 ./configure --enable-debug --disable-shared
871 Choose (Re)Build All from the project workspace
873 Run the testsuite program
879 *************************CyaSSL version 0.9.9 (7/25/2008)
881 This release of CyaSSL adds bug fixes, Pre-Shared Keys, over-rideable memory
882 handling, and optionally TomsFastMath. Thanks to Moisés Guimarães for the
883 work on TomsFastMath.
885 To optionally use TomsFastMath pass --enable-fastmath to ./configure
886 Or define USE_FAST_MATH in each project from CyaSSL for MSVC.
888 Please use the benchmark routine before and after to see the performance
889 difference, on some platforms the gains will be little but RSA encryption
890 always seems to be faster. On x86-64 machines with GCC the normal math library
891 may outperform the fast one when using CFLAGS=-m64 because TomsFastMath can't
892 yet use -m64 because of GCCs inability to do 128bit division.
894 **** UPDATE GCC 4.2.1 can now do 128bit division ***
896 See notes below (0.2.0) for complete build instructions.
899 ****************CyaSSL version 0.9.8 (5/7/2008)
901 This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better
904 See notes below (0.2.0) for complete build instructions.
907 ****************CyaSSL version 0.9.6 (1/31/2008)
909 This release of CyaSSL adds bug fixes, increased session management, and a fix
912 See notes below (0.2.0) for complete build instructions.
915 ****************CyaSSL version 0.9.0 (10/15/2007)
917 This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support,
918 IPV6 support and test, and new test certificates.
920 See notes below (0.2.0) for complete build instructions.
923 ****************CyaSSL version 0.8.0 (1/10/2007)
925 This release of CyaSSL adds increased socket support, for non-blocking writes,
926 connects, and interrupted system calls.
928 See notes below (0.2.0) for complete build instructions.
931 ****************CyaSSL version 0.6.3 (10/30/2006)
933 This release of CyaSSL adds debug logging to stderr to aid in the debugging of
934 CyaSSL on systems that may not provide the best support.
936 If CyaSSL is built with debugging support then you need to call
937 CyaSSL_Debugging_ON() to turn logging on.
939 On Unix use ./configure --enable-debug
941 On Windows define DEBUG_CYASSL when building CyaSSL
944 To turn logging back off call CyaSSL_Debugging_OFF()
946 See notes below (0.2.0) for complete build instructions.
949 *****************CyaSSL version 0.6.2 (10/29/2006)
951 This release of CyaSSL adds TLS 1.1.
953 Note that CyaSSL has certificate verification on by default, unlike OpenSSL.
954 To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with
955 SSL_VERIFY_NONE. In order to have full security you should never do this,
956 provide CyaSSL with the proper certificates to eliminate impostors and call
957 CyaSSL_check_domain_name() to prevent man in the middle attacks.
959 See notes below (0.2.0) for build instructions.
961 *****************CyaSSL version 0.6.0 (10/25/2006)
963 This release of CyaSSL adds more SSL functions, better autoconf, nonblocking
964 I/O for accept, connect, and read. There is now an --enable-small configure
965 option that turns off TLS, AES, DES3, HMAC, and ERROR_STRINGS, see configure.in
966 for the defines. Note that TLS requires HMAC and AES requires TLS.
968 See notes below (0.2.0) for build instructions.
971 *****************CyaSSL version 0.5.5 (09/27/2006)
973 This mini release of CyaSSL adds better input processing through buffered input
974 and big message support. Added SSL_pending() and some sanity checks on user
977 See notes below (0.2.0) for build instructions.
980 *****************CyaSSL version 0.5.0 (03/27/2006)
982 This release of CyaSSL adds AES support and minor bug fixes.
984 See notes below (0.2.0) for build instructions.
987 *****************CyaSSL version 0.4.0 (03/15/2006)
989 This release of CyaSSL adds TLSv1 client/server support and libtool.
991 See notes below for build instructions.
994 *****************CyaSSL version 0.3.0 (02/26/2006)
996 This release of CyaSSL adds SSLv3 server support and session resumption.
998 See notes below for build instructions.
1001 *****************CyaSSL version 0.2.0 (02/19/2006)
1004 This is the first release of CyaSSL and its crypt brother, CTaoCrypt. CyaSSL
1005 is written in ANSI C with the idea of a small code size, footprint, and memory
1006 usage in mind. CTaoCrypt can be as small as 32K, and the current client
1007 version of CyaSSL can be as small as 12K.
1010 The first release of CTaoCrypt supports MD5, SHA-1, 3DES, ARC4, Big Integer
1011 Support, RSA, ASN parsing, and basic x509 (en/de)coding.
1013 The first release of CyaSSL supports normal client RSA mode SSLv3 connections
1014 with support for SHA-1 and MD5 digests. Ciphers include 3DES and RC4.
1017 --To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:
1022 from the ./testsuite/ directory run ./testsuite
1024 to make a debug build:
1026 ./configure --enable-debug --disable-shared
1033 Choose (Re)Build All from the project workspace
1035 Run the testsuite program
1039 *** The next release of CyaSSL will support a server and more OpenSSL
1040 compatibility functions.
1043 Please send questions or comments to todd@yassl.com