and the compliance(1M) and compliance-tailor(1M) man pages.■Protecting executables from stack corruption is now a security extension in Oracle Solarisrather than the no_exec_userstacksystem variable that previously was set in the /etc/systemfile. The nxstacksecurity extension is set by default. In addition, the nxheapsecurity extension protects from heap corruption. For more information, see the “Protectingthe Process Heap and Executable Stacks From Compromise” in Securing Systems andAttached Devices in Oracle Solaris 11.3.■The Cryptographic Framework now includes the Camellia algorithm. To view themechanisms that Camellia supports, run the cryptoadm list -m | grep camelliacommand. The SPARC T4 Series and SPARC T8 Series servers provide hardwareacceleration for this algorithm.■The Kernel SSL proxy supports SSLv3, but disables it by default. See “SSL Kernel ProxyEncrypts Web Server Communications” in Securing the Network in Oracle Solaris 11.3.■The pktool gencsrcommand can now create certificates for certificate authorities that donot follow the standard PKCS #10: Certification Request Syntax Specification (http://). See the pktool(1) man page.■When a certificate from a Certificate Authority (CA) is missing or corrupted, you can fixthe resulting problem by adding or removing certificates from the Oracle Solaris keystore.For more information, see “Adding CA Certificates to the Oracle Solaris CA Keystore” inManaging Encryption and Certificates in Oracle Solaris 11.3.■Oracle Solaris provides client support for KMIP version 1.1, enabling clients tocommunicate with Key Management Interoperability Protocol (KMIP)-compliant serverssuch as the Oracle Key Vault (OKV). PKCS #11 applications, as clients, can communicatewith KMIP-compliant servers to create and use asymmetric keys. See Chapter 5, “KMIPand PKCS #11 Client Applications” in Managing Encryption and Certificates in OracleSolaris 11.3.■Oracle Solaris offers an opensshimplementation of Secure Shell. This OpenSSHimplementation is built on OpenSSH 7.2p2 plus additional features. The sunsshimplementation is still the default. You use the pkg mediatorcommand to switch betweenthe two implementations. For more information, see “OpenSSH Implementation of SecureShell” in Managing Secure Shell Access in Oracle Solaris 11.3.■To aid in making the transition to IPsec and IKEv2, Oracle Solaris provides the passactionand the ike_versionoption. The passaction enables a server to support IPsec and non-IPsec clients, and the ike_versionoption enables you to specify the version of the IKEprotocol that an IPsec policy rule must use. This option helps a network run two versions ofthe IKE protocol and require the newer IKE protocol on only those systems that can supportit. For information and links to examples, see “What’s New in Network Security in OracleSolaris 11.3” in Securing the Network in Oracle Solaris 11.3.