Lines Matching +full:- +full:- +full:no +full:- +full:install +full:- +full:suggests
4 This is a detailed breakdown of significant changes. For a high-level overview
13 ----------------
15 - [OpenSSL 3.5](#openssl-35)
16 - [OpenSSL 3.4](#openssl-34)
17 - [OpenSSL 3.3](#openssl-33)
18 - [OpenSSL 3.2](#openssl-32)
19 - [OpenSSL 3.1](#openssl-31)
20 - [OpenSSL 3.0](#openssl-30)
21 - [OpenSSL 1.1.1](#openssl-111)
22 - [OpenSSL 1.1.0](#openssl-110)
23 - [OpenSSL 1.0.2](#openssl-102)
24 - [OpenSSL 1.0.1](#openssl-101)
25 - [OpenSSL 1.0.0](#openssl-100)
26 - [OpenSSL 0.9.x](#openssl-09x)
29 -----------
35 Issue summary: Use of -addreject option with the openssl x509 application adds
41 ([CVE-2025-4575])
66 Examples of such schemes are ED25519 or ML-DSA.
70 * The TLS Signature algorithms defaults now include all three ML-DSA variants as
75 * Added a `no-tls-deprecated-ec` configuration option.
77 The `no-tls-deprecated-ec` option disables support for TLS elliptic curve
80 compiled in, but, as before, they are not included in the default run-time
83 With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
89 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
102 * Add SLH-DSA as specified in FIPS 205.
106 * ML-KEM as specified in FIPS 203.
111 TLS hybrid key post-quantum/classical key agreement schemes.
115 * Add ML-DSA as specified in FIPS 204.
135 replace the ad-hoc byte arrays that are pervasive throughout the library.
144 bits are no longer enabled by default.
152 server-side key exchange group selection.
154 Extend the server-side key exchange group selection algorithm and related
156 (hybrid-)KEMs.
168 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
169 form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)`
180 * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
182 available groups to the default selection. The '-' prefix allows the calling
185 *Frederik Wedel-Heinen*
188 from `des-ede3-cbc` to `aes-256-cbc`.
190 AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
207 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
208 longer required) when using `-digest` or when signing or verifying with an
210 The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
232 configuration option `enable-fips-jitter`.
248 currently no built-in ciphers that support pipelining. This new API replaces
255 Previously there was no way to create a CMS SignedData signature without a
257 …However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/et…
261 The new `-no_signing_time` option of the `cms` command enables this flag.
265 * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for
269 times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`)
274 * VAES/AVX-512 support for AES-XTS.
277 vectorized implementation of AES-XTS with a throughput improvement
289 every 4 input bytes. Such behaviour could cause writes to a non-allocated
294 in the initial non-encoded message.
304 * Added a new CLI option `-provparam` and API functions for setting of
318 * Added a build configuration option `enable-sslkeylog` for enabling support
329 -----------
347 ([CVE-2024-12797])
351 * Fixed timing side-channel in ECDSA signature computation.
356 the NIST P-521 curve is affected. To be able to measure this leak, the
360 ([CVE-2024-13176])
366 again if there are no certs or crls in the CMS object.
382 RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
404 FIPS 140-3 requires indicators to be used if the FIPS provider allows
405 non-approved algorithms. An algorithm is approved if it passes all
416 Note that new FIPS 140-3 restrictions have been enforced such as
417 RSA Encryption using PKCS1 padding is no longer approved.
423 *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
460 with registry keys. See NOTES-WINDOWS.md.
464 * Added options `-not_before` and `-not_after` for explicit setting
467 `-startdate` and `-enddate` options.
472 is unapproved and has `fips=no` property.
476 * SHAKE-128 and SHAKE-256 implementations have no default digest length
498 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
506 with the respective CLI options `-template`,
507 `-crlcert`, `-oldcrl`, `-crlout`, `-crlform`, and `-rsp_crl`.
522 public API. There is no command-line tool support at this time.
524 *Damian Hobson-Garcia*
527 option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
535 which are Y2038-safe.
540 precomputed values. This is used by the P-256 implementation.
545 -----------
549 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
552 Use of the low-level GF(2^m) elliptic curve APIs with untrusted
553 explicit values for the field polynomial can lead to out-of-bounds memory
561 ([CVE-2024-9143])
575 ([CVE-2024-6119])
585 ([CVE-2024-5535])
610 ([CVE-2024-4741])
627 ([CVE-2024-4603])
641 * The `-verify` option to the `openssl crl` and `openssl req` will make
648 error of -1 once it is exhausted. Users may need to reserve using this
662 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
681 OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
688 of [0|no|false|off] will disable the setting. All other values, or the
693 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
694 override the Issuer and Subject when creating a certificate. The `-subj`
695 option now is an alias for `-set_subject`.
699 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
710 - `certProfile` request message header and respective `-profile` CLI option
711 - support for delayed delivery of all types of response messages
717 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
730 server to prefer session resumption using PSK-only key exchange over PSK
735 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
749 The qlog output from OpenSSL currently uses a pre-standard draft version of
753 disabled with the build-time option `no-unstable-qlog`. See the
754 openssl-qlog(7) manpage for details.
771 non-blocking manner. Refer to the SSL_poll(3) manpage for details.
788 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
793 X509_STORE_get0_objects API in multi-threaded applications. Refer to the
802 * Optimized AES-CTR for ARM Neoverse V1 and V2
806 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
816 * Various optimizations for cryptographic routines using RISC-V vector crypto
832 -----------
836 * Fixed an issue where some non-default TLS server configurations can cause
841 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
843 anti-replay protection is in use). In this case, under certain conditions,
850 ([CVE-2024-2511])
877 ([CVE-2024-0727])
894 with the "-pubin" and "-check" options on untrusted data.
899 ([CVE-2023-6237])
904 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
917 be various - from no consequences, if the calling application does not
918 depend on the contents of non-volatile XMM registers at all, to the worst
925 ([CVE-2023-6129])
930 `no-apps`.
946 ([CVE-2023-5678])
959 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
960 and the corresponding provider-storemgmt API function
965 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
992 libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
1007 speed of the NIST P-384 elliptic curve. To enable the implementation
1008 the build option `enable-ec_nistp_64_gcc_128` must be used.
1035 * Provide a new configure option `no-http` that can be used to disable the
1036 HTTP support. Provide new configure options `no-apps` and `no-docs` to
1041 * Provide a new configure option `no-ecx` that can be used to disable the
1057 * TLS round-trip time calculation was added by a Brigham Young University
1064 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
1065 QUIC requires the use of ALPN, so this must be specified via the "-alpn"
1066 option. Use of the "advanced" s_client command via the "-adv" option
1071 * Added an "advanced" command mode to s_client. Use this with the "-adv"
1075 escaping mechanism. After starting s_client with "-adv" type "{help}"
1093 * Added further assembler code for the RISC-V architecture.
1102 * Improved support for non-default library contexts and property queries
1119 * Implemented SM4-XTS support.
1123 * Added platform-agnostic OSSL_sleep() function.
1131 * Implemented AES-GCM-SIV (RFC8452) support.
1135 * Added support for pluggable (provider-based) TLS signature algorithms.
1139 for example suitable providers to deliver post-quantum or quantum-safe
1144 * Added support for pluggable (provider-based) CMS signature algorithms.
1206 SSL_get0_iana_groups() function-like macro, retrieves the list of
1209 a caller-supplied array with the list of extension types present in the
1219 * The PKCS12_parse() function now supports MAC-less PKCS12 files.
1226 *Arran Cudbard-Bell*
1240 default but are now no longer allowed. By default TLS compression was
1262 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
1273 The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
1287 as well as the `-srvcertout` and `-serial` CLI options.
1302 * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
1305 and no longer throw an error for them.
1309 * Fixed and extended `util/check-format.pl` for checking adherence to the
1310 coding style <https://www.openssl.org/policies/technical/coding-style.html>.
1315 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
1329 URI string of `org.openssl.winstore://`. This URI scheme currently takes no
1331 compile-time option `no-winstore`. This store is not currently used by
1345 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
1358 * New parameter `-digest` for openssl cms command allowing signing
1359 pre-computed digests and new CMS API functions supporting that
1371 decryption as a protection against Bleichenbacher-like attacks.
1375 issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
1382 * Added support for Brainpool curves in TLS-1.3.
1396 -----------
1402 that alter the key or IV length ([CVE-2023-5363]).
1411 does not save the contents of non-volatile XMM registers on Windows 64
1415 x86_64 processors supporting the AVX512-IFMA instructions.
1418 be various - from no consequences, if the calling application does not
1419 depend on the contents of non-volatile XMM registers at all, to the worst
1426 ([CVE-2023-4807])
1435 fixing CVE-2023-3446 it was discovered that a large q parameter value can
1445 ([CVE-2023-3817])
1464 ([CVE-2023-3446])
1468 * Do not ignore empty associated data entries with AES-SIV.
1470 The AES-SIV algorithm allows for authentication of multiple associated
1474 The AES-SIV implementation in OpenSSL just returns success for such call
1476 The empty data thus will not be authenticated. ([CVE-2023-2975])
1481 applications that use empty associated data entries with AES-SIV.
1488 * When building with the `enable-fips` option and using the resulting
1490 master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
1491 not operate with truncated digests (FIPS 140-3 IG G.R).
1498 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
1501 numeric text form. For gigantic sub-identifiers, this would take a very
1503 sub-identifier. ([CVE-2023-2650])
1511 most 128 sub-identifiers, and that the maximum value that each sub-
1512 identifier may have is 2^32-1 (4294967295 decimal).
1514 For each byte of every sub-identifier, only the 7 lower bits are part of
1523 *Liu-ErMeng*
1525 * Added a -pedantic option to fipsinstall that adjusts the various
1531 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
1533 trigger a crash of an application using AES-XTS decryption if the memory
1536 ([CVE-2023-1255])
1540 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
1542 a severe 2-3x performance regression in the typical use case
1552 truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
1553 The option '-no_drbg_truncated_digests' can optionally be
1561 ([CVE-2023-0466])
1570 ([CVE-2023-0465])
1575 against CVE-2023-0464. The default limit is set to 1000 nodes, which
1580 ([CVE-2023-0464])
1588 The option '-ems_check' can optionally be supplied to
1593 * The FIPS provider includes a few non-approved algorithms for
1618 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
1626 * Parallel dual-prime 1536/2048-bit modular exponentiation for
1638 `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
1648 * When generating safe-prime DH parameters set the recommended private key
1653 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
1655 FIPS 186-4 section 5. This is implemented by a new option
1656 `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
1663 -----------
1683 ([CVE-2023-0401])
1706 ([CVE-2023-0286])
1721 security requirements imposed by standards such as FIPS 140-3.
1722 ([CVE-2023-0217])
1736 ([CVE-2023-0216])
1740 * Fixed Use-after-free following BIO_new_NDEF.
1755 then a use-after-free will occur. This will most likely result in a crash.
1756 ([CVE-2023-0215])
1781 ([CVE-2022-4450])
1792 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
1793 ([CVE-2022-4304])
1805 ([CVE-2022-4203])
1817 ([CVE-2022-3996])
1827 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
1854 ([CVE-2022-3786])
1857 attacker-controlled bytes on the stack. This buffer overflow could
1860 ([CVE-2022-3602])
1920 ([CVE-2022-3358])
1929 * Fixed the linux-mips64 Configure target which was missing the
1944 * Fixed detection of ktls support in cross-compile environment on Linux
1980 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
1981 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
1982 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
2005 ([CVE-2022-2274])
2009 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
2017 ([CVE-2022-2097])
2024 CVE-2022-1292, further bugs where the c_rehash script does not
2028 When the CVE-2022-1292 was fixed it was not discovered that there
2038 (CVE-2022-2068)
2042 * Case insensitive string comparison no longer uses locales. It has instead
2049 * Case insensitive string comparison is reimplemented via new locale-agnostic
2064 (CVE-2022-1292)
2070 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
2081 verifying an ocsp response with the "-no_cert_checks" option the command line
2086 ([CVE-2022-1343])
2090 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
2093 An attacker could exploit this issue by performing a man-in-the-middle attack
2097 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
2101 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
2108 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
2112 cannot decrypt data that has been encrypted using this ciphersuite - they can
2116 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
2122 1) OpenSSL must have been compiled with the (non-default) compile time option
2123 enable-weak-ssl-ciphers
2134 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
2136 (CVE-2022-1434)
2151 (CVE-2022-1473)
2157 statistics are no longer supported. For compatibility, these statistics are
2165 for non-prime moduli.
2182 - TLS clients consuming server certificates
2183 - TLS servers consuming client certificates
2184 - Hosting providers taking certificates or private keys from customers
2185 - Certificate authorities parsing certification requests from subscribers
2186 - Anything else which parses ASN.1 elliptic curve parameters
2190 ([CVE-2022-0778])
2200 * Made the AES constant time code for no-asm configurations
2202 The AES constant time code can be enabled, for no assembly
2203 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2241 ([CVE-2021-4044])
2305 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
2306 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
2307 SP 800-38D". The communication will fail at this point.
2317 beginning of a PEM-formatted file.
2337 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
2338 previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
2348 `--libdir=lib` to override the libdir if adding the postfix is
2354 no longer interoperable with OpenSSL 1.1.1.
2370 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
2375 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
2376 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
2377 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
2394 * Client-initiated renegotiation is disabled by default. To allow it, use
2395 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
2405 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
2406 validated. Please consult the README-FIPS and
2407 README-PROVIDERS files, as well as the migration guide.
2517 RIPEMD-160 have been moved to the legacy provider.
2534 * A number of functions handling low-level keys or engines were deprecated
2545 - NID_pbeWithMD2AndDES_CBC
2546 - NID_pbeWithMD5AndDES_CBC
2547 - NID_pbeWithSHA1AndRC2_CBC
2548 - NID_pbeWithMD2AndRC2_CBC
2549 - NID_pbeWithMD5AndRC2_CBC
2550 - NID_pbeWithSHA1AndDES_CBC
2573 algorithms. This is enabled by including the no-cached-fetch option
2578 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
2583 * The openssl speed command does not use low-level API calls anymore.
2587 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
2592 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
2613 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
2621 is not allowed to return a value > 1, this is no longer treated as failure.
2631 * The default key generation method for the regular 2-prime RSA keys was
2632 changed to the FIPS 186-4 B.3.6 method.
2663 when using the `-check` or `-pubcheck`
2674 * The `-cipher-commands` and `-digest-commands` options
2676 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
2681 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
2686 * All of the low-level EC_KEY functions have been deprecated.
2701 * The `-crypt` option to the `passwd` command line tool has been removed.
2705 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
2730 * Added new option for 'openssl list', '-providers', which will display the
2761 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2763 TLS-based contexts. The commands can be repeated to set bounds of both
2765 "max_protocol" command-line switches, in case some application uses both TLS
2771 error. Now only the "version-flexible" SSL_CTX instances are subject to
2772 limits set in configuration files or command-line options.
2791 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
2792 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
2810 a non-default `OSSL_LIB_CTX`.
2841 * Add CAdES-BES signature verification support, mostly derived
2846 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
2850 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
2909 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
2923 [ATX headings]: https://github.github.com/gfm/#atx-headings
2924 [setext headings]: https://github.github.com/gfm/#setext-headings
2925 [inline links]: https://github.github.com/gfm/#inline-link
2926 [reference links]: https://github.github.com/gfm/#reference-link
2927 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
2928 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
2933 A new directory test-runs/ with subdirectories named like the
2940 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
2947 user-defined BIOs (allowing implicit connections), persistent connections,
2949 The legacy OCSP-focused (and only partly documented) API
2954 * Added `util/check-format.pl`, a tool for checking adherence to the
2967 * All of the low-level RSA functions have been deprecated.
2971 * X509 certificates signed using SHA1 are no longer allowed at security
2978 and no new features will be added to them.
2988 maintenance mode and no new features will be added to them.
2992 * All of the low-level DH functions have been deprecated.
2996 * All of the low-level DSA functions have been deprecated.
3005 * Deprecated low-level ECDH and ECDSA functions.
3024 * All of the low-level HMAC functions have been deprecated.
3029 - Common options (such as -rand/-writerand, TLS version control, etc)
3030 were refactored and point to newly-enhanced descriptions in openssl.pod.
3031 - Added style conformance for all options (with help from Richard Levitte),
3033 that all options are documented and that no unimplemented options
3035 - Documented some internals, such as all use of environment variables.
3036 - Addressed all internal broken L<> references.
3040 * All of the low-level CMAC functions have been deprecated.
3044 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
3059 * All of the low-level cipher functions have been deprecated.
3085 used in exponentiation with 512-bit moduli. No EC algorithms are
3086 affected. Analysis suggests that attacks against 2-prime RSA1024,
3087 3-prime RSA1536, and DSA1024 as a result of this defect would be very
3091 Also applications directly using the low-level API BN_mod_exp may be
3093 ([CVE-2019-1551])
3097 * Most memory-debug features have been deprecated, and the functionality
3098 replaced with no-ops.
3139 * Change the interpretation of the '--api' configuration option to
3140 mean that this is a desired API compatibility level with no
3143 the given version, no requires that 'no-deprecated' is also used
3149 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
3157 -DOPENSSL_API_COMPAT=30000 For 3.0
3158 -DOPENSSL_API_COMPAT=30200 For 3.2
3161 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
3172 - X509_LOOKUP_store()
3173 - X509_STORE_load_file()
3174 - X509_STORE_load_path()
3175 - X509_STORE_load_store()
3176 - SSL_add_store_cert_subjects_to_stack()
3177 - SSL_CTX_set_default_verify_store()
3178 - SSL_CTX_load_verify_file()
3179 - SSL_CTX_load_verify_dir()
3180 - SSL_CTX_load_verify_store()
3185 The presence of this system service is determined at run-time.
3194 of application written for pre-3.0 OpenSSL easier.
3216 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
3254 * Added the `-copy_extensions` option to the `x509` command for use with
3255 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
3260 * Added the `-copy_extensions` option to the `req` command for use with
3261 `-x509`. When given with the `copy` or `copyall` argument,
3269 and for not self-signed certs there is an authorityKeyIdentifier extension
3278 (which may be done by using the CLI option `-x509_strict`):
3290 unless they are self-signed.
3300 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3316 ([CVE-2019-1547])
3330 The old behaviour can be re-enabled in the CMS code by setting the
3345 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
3348 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3350 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3356 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3400 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
3449 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
3458 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
3459 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
3460 for Windows Store apps easier. Also, the "no-uplink" option has been added.
3476 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
3491 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
3492 mandated by IEEE Std 1619-2018.
3523 'enable-buildtest-c++'.
3558 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
3571 * Fix a bug in the computation of the endpoint-pair shared secret used
3593 - Major releases (indicated by incrementing the MAJOR release number)
3595 - Minor releases (indicated by incrementing the MINOR release number)
3597 - Patch releases (indicated by incrementing the PATCH number)
3604 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
3614 * Recreate the OS390-Unix config target. It no longer relies on a
3615 special script like it did for OpenSSL pre-1.1.0.
3620 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
3650 * AES-XTS mode now enforces that its two keys are different to mitigate
3664 * Added new option for 'openssl list', '-objects', which will display the
3669 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
3675 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
3677 applications with zero-copy system calls such as sendfile and splice.
3709 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
3716 -------------
3746 again, but this time passing a non-NULL value for the "out" parameter.
3761 ([CVE-2021-3711])
3805 ([CVE-2021-3712])
3822 that non-CA certificates must not be able to issue other certificates.
3836 ([CVE-2021-3450])
3850 ([CVE-2021-3449])
3863 ([CVE-2021-23841])
3870 CVE-2021-23839.
3880 ([CVE-2021-23840])
3888 threat model and therefore no CVE is assigned.
3907 ([CVE-2020-1971])
3919 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
3921 TLS-based contexts. The commands can be repeated to set bounds of both
3923 "max_protocol" command-line switches, in case some application uses both TLS
3929 error. Now only the "version-flexible" SSL_CTX instances are subject to
3930 limits set in configuration files or command-line options.
3950 ([CVE-2020-1967])
3954 * Added AES consttime code for no-asm configurations
3956 when building openssl for no-asm.
3957 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
3958 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
3974 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
3977 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3979 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
4023 The presence of this system service is determined at run-time.
4046 ([CVE-2019-1549])
4050 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4066 ([CVE-2019-1547])
4080 The old behaviour can be re-enabled in the CMS code by setting the
4082 ([CVE-2019-1563])
4097 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
4108 ([CVE-2019-1552])
4144 'enable-buildtest-c++'.
4148 * Enable SHA3 pre-hashing for ECDSA and DSA.
4153 This changes the size when using the `genpkey` command when no size is given.
4161 util/fix-doc-nits accordingly.
4182 * Prevent over long nonces in ChaCha20-Poly1305.
4184 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4204 is safe because no such use sets such a long nonce value. However user
4205 applications that use this cipher directly and set a non-default nonce
4210 ([CVE-2019-1543])
4230 * Change the info callback signals for the start and end of a post-handshake
4234 can break KeyUpdate handling. Instead we no longer signal the start and end
4251 ([CVE-2018-0734])
4262 ([CVE-2018-0735])
4290 * s390x assembly pack: add (improved) hardware-support for the following
4291 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
4292 aes-cfb/cfb8, aes-ecb.
4297 parameter is no longer accepted, as it leads to a corrupt table. NULL
4304 differential addition-and-doubling in homogeneous projective coordinates
4305 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
4306 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
4307 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
4314 For larger primes this will result in more rounds of Miller-Rabin.
4316 to 2^-128.
4320 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
4332 length-invariant. Switch even to fixed-length Montgomery multiplication.
4338 differential addition-and-doubling in mixed Lopez-Dahab projective
4347 differential addition-and-doubling algorithms.
4359 * Numerous side-channel attack mitigations have been applied. This may have
4369 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
4371 multi-version installation is managed.
4379 EC cryptosystem implementations are then safer-by-default.
4403 Many applications do not properly handle non-application data records, and
4462 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
4516 in responder mode now supports the new "-multi" option, which
4518 requests. The "-timeout" option now also limits the OCSP
4523 as a long-running service, making the OpenSSL CA somewhat more
4524 feature-complete. In this mode, most diagnostic messages logged
4551 The default RAND method now utilizes an AES-CTR DRBG according to
4552 NIST standard SP 800-90Ar1. The new random generator is essentially
4555 using an AES-CTR bit stream and which seeds and reseeds itself
4559 - Support for multiple DRBG instances with seed chaining.
4560 - The default RAND method makes use of a DRBG.
4561 - There is a public and private DRBG instance.
4562 - The DRBG instances are fork-safe.
4563 - Keep all global DRBG instances on the secure heap if it is enabled.
4564 - The public and private DRBG instance are per thread for lock free
4600 * Add multi-prime RSA (RFC 8017) support.
4604 * Add SM3 implemented according to GB/T 32905-2016
4615 * Add SM4 implemented according to GB/T 32907-2016.
4620 * Reimplement -newreq-nodes and ERR_error_string_n; the
4654 To disable, configure with 'no-ui-console'. 'no-ui' is still
4671 * Add devcrypto engine. This has been implemented against cryptodev-linux,
4673 Enable by configuring with 'enable-devcryptoeng'. This is done by default
4707 * Ignore the '-named_curve auto' value for compatibility of applications
4712 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
4713 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
4715 it makes no sense to send an empty alert record, or to fragment one. TLSv1.3
4731 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
4740 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4758 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
4762 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
4770 are no longer allowed.
4779 default unless the new "-noservername" option is used. The server name is
4780 based on the host provided to the "-connect" option unless overridden by
4781 using "-servername".
4791 prevent issues where no progress is being made and the peer continually
4798 <https://www.akkadia.org/drepper/SHA-crypt.txt>
4816 -------------
4820 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4836 ([CVE-2019-1547])
4850 The old behaviour can be re-enabled in the CMS code by setting the
4852 ([CVE-2019-1563])
4860 ([CVE-2019-1552])
4867 This changes the size when using the `genpkey` command when no size is given.
4873 * Prevent over long nonces in ChaCha20-Poly1305.
4875 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4895 is safe because no such use sets such a long nonce value. However user
4896 applications that use this cipher directly and set a non-default nonce
4901 ([CVE-2019-1543])
4936 ([CVE-2018-0734])
4947 ([CVE-2018-0735])
4968 ([CVE-2018-0732])
4981 ([CVE-2018-0737])
4986 parameter is no longer accepted, as it leads to a corrupt table. NULL
4992 length-invariant. Switch even to fixed-length Montgomery multiplication.
4998 For larger primes this will result in more rounds of Miller-Rabin.
5000 to 2^-128.
5004 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5020 are no longer allowed.
5031 some characters, such as form-feed, were incorrectly treated as whitespace
5037 and use the "-binary" flag (for the "cms" command line application) or set
5049 are no such structures used within SSL/TLS that come from untrusted sources
5052 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5054 ([CVE-2018-0739])
5058 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
5060 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
5065 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
5069 ([CVE-2018-0733])
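What a correct `CRYPTO_memcmp` has to do, and what the broken one did not, as an added example rather than OpenSSL's own code. The sound version folds every differing bit of every byte into one accumulator with no early exit; the deliberately broken version keeps only bit 0 of each byte, which is the defect the OpenSSL advisory for CVE-2018-0733 describes for the PA-RISC assembly (that detail is from the advisory, not from the truncated lines above). A small experiment counts how many forged one-byte tags each comparator accepts: one of 256 for the sound compare, 128 of 256 for the broken one, so each MAC byte contributes one bit of security instead of eight. The buffers are constructed for this example.

```c
/* Added example (not OpenSSL's CRYPTO_memcmp): constant-time equality check
 * beside a deliberately broken variant that only tests bit 0 of each byte. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 0 if the n bytes match, 1 otherwise. Every byte is visited, every
 * differing bit is OR-ed into acc, and the result is derived without a
 * data-dependent branch; volatile discourages the compiler from
 * short-circuiting the loop. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    /* For any non-zero x, (x | -x) has its top bit set; for 0 it does not. */
    return (int)(((acc | (uint8_t)(0u - acc)) >> 7) & 1);
}

/* Broken on purpose: keeps only the least significant bit of each XOR, so two
 * buffers that differ only in higher bits compare as equal. */
int broken_memcmp_lsb_only(const void *a, const void *b, size_t n)
{
    const uint8_t *pa = (const uint8_t *)a, *pb = (const uint8_t *)b;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (pa[i] ^ pb[i]) & 1;
    return acc != 0;
}

typedef int (*cmp_fn)(const void *, const void *, size_t);

/* Try all 256 single-byte candidates against `tag` and count how many the
 * comparator accepts as equal. */
int count_accepted_tags(cmp_fn cmp, uint8_t tag)
{
    int accepted = 0;
    for (unsigned c = 0; c < 256; c++) {
        uint8_t cand = (uint8_t)c;
        if (cmp(&cand, &tag, 1) == 0)
            accepted++;
    }
    return accepted;
}

/* Constructed samples: x == y; z differs from x only in the top bit of byte 0. */
static const uint8_t sample_x[4] = {0x00, 0x10, 0x20, 0x30};
static const uint8_t sample_y[4] = {0x00, 0x10, 0x20, 0x30};
static const uint8_t sample_z[4] = {0x80, 0x10, 0x20, 0x30};

int main(void)
{
    printf("ct_memcmp(x, y) = %d, ct_memcmp(x, z) = %d\n",
           ct_memcmp(sample_x, sample_y, 4), ct_memcmp(sample_x, sample_z, 4));
    printf("broken(x, z)    = %d  (misses the high-bit difference)\n",
           broken_memcmp_lsb_only(sample_x, sample_z, 4));
    printf("accepted forged tags: sound=%d broken=%d\n",
           count_accepted_tags(ct_memcmp, 0x5a),
           count_accepted_tags(broken_memcmp_lsb_only, 0x5a));
    return 0;
}
```

The comparator returns only equal/not-equal rather than an ordering, which is all a MAC or padding check needs and is what keeps the loop free of data-dependent control flow.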
5084 changes this is no longer possible in 1.1.0. Therefore, the new
5085 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
5094 * Removed the OS390-Unix config target. It relied on a script that doesn't
5102 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5103 Analysis suggests that attacks against RSA and DSA as a result of this
5110 no longer an option since CVE-2016-0701.
5116 was originally found via the OSS-Fuzz project.
5117 ([CVE-2017-3738])
5126 procedure. No EC algorithms are affected. Analysis suggests that attacks
5140 This issue was reported to OpenSSL by the OSS-Fuzz project.
5141 ([CVE-2017-3736])
5148 OpenSSL could do a one-byte buffer overread. The most likely result
5151 This issue was reported to OpenSSL by the OSS-Fuzz project.
5152 ([CVE-2017-3735])
5158 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5163 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
5171 * Encrypt-Then-Mac renegotiation crash
5173 During a renegotiation handshake if the Encrypt-Then-Mac extension is
5174 negotiated where it was not in the original handshake (or vice-versa) then
5179 ([CVE-2017-3733])
5187 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5189 perform an out-of-bounds read, usually resulting in a crash.
5192 ([CVE-2017-3731])
5204 ([CVE-2017-3730])
5211 procedure. No EC algorithms are affected. Analysis suggests that attacks
5222 similar to CVE-2015-3193 but must be treated as a separate problem.
5224 This issue was reported to OpenSSL by the OSS-Fuzz project.
5225 ([CVE-2017-3732])
5231 * ChaCha20/Poly1305 heap-buffer-overflow
5233 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
5238 ([CVE-2016-7054])
5252 ([CVE-2016-7053])
5258 There is a carry propagating bug in the Broadwell-specific Montgomery
5260 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
5265 erroneous outcome of public-key operations with specially crafted input.
5266 Among EC algorithms only Brainpool P-512 curves are affected and one
5268 detail, because pre-requisites for attack are considered unlikely. Namely
5276 ([CVE-2016-7055])
5289 The patch applied to address CVE-2016-6307 resulted in an issue where if a
5299 ([CVE-2016-6309])
5313 the "no-ocsp" build time option are not affected.
5316 ([CVE-2016-6304])
5327 ([CVE-2016-6305])
5365 memory - which would then mean a more serious Denial of Service.
5368 (CVE-2016-6307 and CVE-2016-6308)
5372 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
5374 assemble our modules with -KPIC flag. As a result, assembly
5376 lack of side-channel resistant code, which is incompatible with
5384 * Windows command-line tool supports UTF-8 opt-in option for arguments
5387 with Windows CryptoAPI and protected with non-ASCII password, as well
5388 as files generated under UTF-8 locale on Linux also protected with
5389 non-ASCII password.
5393 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
5395 See the RC4 item below to re-enable both.
5415 no-ops and deprecated.
5420 calling CryptGenRandom(). Various other RAND-related tickets
5469 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
5475 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
5488 the "no-shared" Configure option.
5492 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
5498 * Make various cleanup routines no-ops and mark them as deprecated. Most
5499 global cleanup functions are no longer required because they are handled
5500 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
5501 Explicitly de-initing can cause problems (e.g. where a library that uses
5502 OpenSSL de-inits, but an application is still using it). The affected
5510 * --strict-warnings no longer enables runtime debugging options
5512 enabled with '--debug' builds.
5540 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
5553 * Removed the aged BC-32 config and all its supporting scripts
5571 encryptions/decryptions simultaneously. There are currently no built-in
5581 AES128-CBC. The kernel must be version 4.1.0 or greater.
5585 * OpenSSL now uses a new threading API. It is no longer necessary to
5586 set locking callbacks to use OpenSSL in a multi-threaded environment. There
5588 also possible to configure OpenSSL at compile time for "no-threads". The
5589 old threading API should no longer be used. The functions have been
5590 replaced with "no-op" compatibility macros.
5599 * Add SSL_CIPHER queries for authentication and key-exchange.
5604 - Prefer (EC)DHE handshakes over plain RSA.
5605 - Prefer AEAD ciphers over legacy ciphers.
5606 - Prefer ECDSA over RSA when both certificates are available.
5607 - Prefer TLSv1.2 ciphers/PRF.
5608 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
5619 disabled by default. They can be re-enabled using the
5620 enable-weak-ssl-ciphers option to Configure.
5624 * If the server has ALPN configured, but supports no protocols that the
5634 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
5637 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
5644 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
5652 credentials, this behaviour is not constant time and no strong
5664 the configuration option "disable-dynamic-engine".
5669 with "disable-dso" or "disable-pic".
5684 If this isn't desirable, the configuration options "disable-pic"
5685 or "no-pic" can be used to disable the use of PIC. This will
5690 * Removed JPAKE code. It was experimental and has no wide use.
5696 is for. Also, the configuration option --install_prefix is
5702 for DTLS; configure with enable-heartbeats. Code that uses the
5723 template in Configurations, like unix-Makefile.tmpl or
5730 libraries" in INSTALL.
5736 * Added support for auto-initialisation and de-initialisation of the library.
5737 OpenSSL no longer requires explicit init or deinit routines to be called,
5758 the leading 0-byte.
5770 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
5777 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
5800 Also, the center of configuration information is no longer
5810 --prefix and --openssldir change their semantics, and become more
5813 --prefix shall be used exclusively to give the location INSTALLTOP
5817 --openssldir shall be used exclusively to give the default
5822 values of both the --prefix value and the --openssldir value will
5824 The default for --openssldir is INSTALLTOP/ssl.
5826 Anyone who uses --openssldir to specify where OpenSSL is to be
5827 installed MUST change to use --prefix instead.
5839 * EGD is no longer supported by default; use enable-egd when
5863 example, be used to implement local end-entity certificate or
5864 trust-anchor "pinning", where the "pin" data takes the form
5873 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
5879 should be used with the --api=1.1.0 option to entirely remove
5882 Essentially the same effect can be achieved with the "no-deprecated"
5888 they should update their compile-time OPENSSL_API_COMPAT define
5917 now redirect key generation and no longer need to convert to or from
5920 Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
5926 ciphers who are no longer supported and drops support the ephemeral RSA key
5954 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
5967 "-no_ecdhe" option has been removed from s_server.
5993 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
6028 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
6046 * Fix no-stdio build.
6065 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
6119 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
6137 code and the associated standard is no longer considered fit-for-purpose.
6164 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
6177 Access to deprecated functions can be re-enabled by running config with
6178 "enable-deprecated". In addition applications wishing to use deprecated
6181 in the header files (e.g. ec.h will no longer, by default, include bn.h)
6187 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
6188 for OCB can be removed by calling config with no-ocb.
6198 done while fixing the error code for the key-too-small case.
6200 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
6221 16-bit platforms such as WIN16
6226 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
6227 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
6228 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
6229 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
6230 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
6231 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
6235 - Remove MS_STATIC; it's a relic from platforms <32 bits.
6246 NULL. Remove the non-null checks from callers. Save much code.
6266 * Harmonize version and its documentation. -f flag is used to display
6286 preparing the fix ([CVE-2014-0160])
6291 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
6296 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
6305 * Experimental encrypt-then-mac support.
6308 draft-gutmann-tls-encrypt-then-mac-02.txt
6311 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
6313 For non-compliant peers (i.e. just about everything) this should have no
6327 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
6367 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
6391 FIPS 186-3 A.2.3.
6393 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
6410 there is no multiple of the block length between min_len and
6419 information in FIPS186-3, SP800-57 and SP800-131A.
6424 must supply all data in one chunk (i.e. no update, final) and the
6438 there should be no binary compatibility issues as existing applications
6455 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
6459 * Extensive self tests and health checking required by SP800-90 DRBG.
6474 leading zeroes if needed: this complies with SP800-56A et al.
6478 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
6496 * Add selftest checks and algorithm block of non-fips algorithms in
6507 * New build option no-ec2m to disable characteristic 2 code.
6522 * Initial, experimental EVP support for AES-GCM. AAD can be input by
6538 no longer an error code) or a negative error code. Also if the
6548 * Improve forward-security support: add functions
6569 * New -verify_name option in command line utilities to set verification
6579 * Experimental renegotiation in s_server -www mode. If the client
6587 multi-process servers.
6606 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
6612 * SSLv3 is by default disabled at build-time. Builds that are not
6613 configured with "enable-ssl3" will not support SSLv3.
6618 -------------
6622 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
6638 ([CVE-2019-1547])
6652 The old behaviour can be re-enabled in the CMS code by setting the
6654 ([CVE-2019-1563])
6660 '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
6661 binaries and run-time config file.
6662 ([CVE-2019-1552])
6669 This changes the size when using the `genpkey` command when no size is given.
6675 * Add FIPS support for Android Arm 64-bit
6677 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
6679 'android64-aarch64' was missing from OpenSSL 1.0.2, so it could not be
6680 built with FIPS support on Android Arm 64-bit. This omission has been
6687 * 0-byte record padding oracle
6697 In order for this to be exploitable "non-stitched" ciphersuites must be in
6706 ([CVE-2019-1559])
6726 ([CVE-2018-5407])
6737 ([CVE-2018-0734])
6758 ([CVE-2018-0732])
6771 ([CVE-2018-0737])
6776 parameter is no longer accepted, as it leads to a corrupt table. NULL
6782 length-invariant. Switch even to fixed-length Montgomery multiplication.
6788 For larger primes this will result in more rounds of Miller-Rabin.
6790 to 2^-128.
6794 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
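The Miller-Rabin entries above (in both the 1.1.0 and the 1.0.2 sections) tie a round count to an error bound: 64 rounds for DSA key generation, and an error probability of 2^-128 for larger primes. This added example, which is not OpenSSL's `BN_is_prime` code, shows where those two numbers meet: against an arbitrary composite, one round with a random base errs with probability at most 1/4, so 64 rounds bound the error by 4^-64 = 2^-128. The bits/2 rule below is that generic worst-case bound, not OpenSSL's size-dependent round table, and the fixed-seed xorshift generator stands in for the CSPRNG a real implementation would draw bases from; both are assumptions of this example. It works on 64-bit candidates using the GCC/Clang `unsigned __int128` extension.

```c
/* Added example (not OpenSSL code): Miller-Rabin with the round count derived
 * from a target error bound of 2^-bits, using the 1/4-per-round worst case. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* 64x64 -> 128-bit products for mulmod */

/* Rounds so that the worst-case error (1/4 per round) is at most 2^-bits. */
unsigned mr_rounds_for_error_bits(unsigned bits)
{
    return (bits + 1) / 2;
}

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (e) {
        if (e & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        e >>= 1;
    }
    return r;
}

/* xorshift64* with a fixed seed so runs are reproducible; a real primality
 * test draws its bases from a CSPRNG (assumption of this example). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    rng_state = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* One round with base a, where n-1 = 2^s * d and d is odd.
 * Returns false if a is a witness that n is composite. */
static bool mr_round(uint64_t n, uint64_t d, unsigned s, uint64_t a)
{
    uint64_t x = powmod(a, d, n);
    if (x == 1 || x == n - 1) return true;
    for (unsigned i = 1; i < s; i++) {
        x = mulmod(x, x, n);
        if (x == n - 1) return true;
        if (x == 1) return false;    /* non-trivial square root of 1 */
    }
    return false;
}

/* true if no round produced a witness of compositeness. */
bool is_probable_prime(uint64_t n, unsigned rounds)
{
    if (n < 2) return false;
    if (n < 4) return true;
    if ((n & 1) == 0) return false;
    uint64_t d = n - 1;
    unsigned s = 0;
    while ((d & 1) == 0) { d >>= 1; s++; }
    for (unsigned i = 0; i < rounds; i++) {
        uint64_t a = 2 + rng_next() % (n - 3);   /* base in [2, n-2] */
        if (!mr_round(n, d, s, a)) return false;
    }
    return true;
}

int main(void)
{
    unsigned rounds = mr_rounds_for_error_bits(128);
    /* 561 is a Carmichael number; 2^61-1 is prime; 2^61+1 is divisible by 3;
     * 2^64-59 is the largest 64-bit prime. */
    uint64_t cands[] = {561ULL, 2305843009213693951ULL,
                        2305843009213693953ULL, 18446744073709551557ULL};
    printf("rounds for 2^-128 error: %u\n", rounds);
    for (size_t i = 0; i < sizeof cands / sizeof cands[0]; i++)
        printf("%llu -> %s\n", (unsigned long long)cands[i],
               is_probable_prime(cands[i], rounds) ? "probable prime" : "composite");
    return 0;
}
```

For candidates produced by a key generator (rather than adversarial inputs) the average-case analysis permits far fewer rounds at large sizes; the worst-case 1/4 bound is what the 64-round figure for DSA corresponds to.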
6810 are no longer allowed.
6821 are no such structures used within SSL/TLS that come from untrusted sources
6824 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
6826 ([CVE-2018-0739])
6851 ([CVE-2017-3737])
6858 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
6859 Analysis suggests that attacks against RSA and DSA as a result of this
6866 no longer an option since CVE-2016-0701.
6872 was originally found via the OSS-Fuzz project.
6873 ([CVE-2017-3738])
6882 procedure. No EC algorithms are affected. Analysis suggests that attacks
6896 This issue was reported to OpenSSL by the OSS-Fuzz project.
6897 ([CVE-2017-3736])
6904 OpenSSL could do a one-byte buffer overread. The most likely result
6907 This issue was reported to OpenSSL by the OSS-Fuzz project.
6913 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
6922 If one side of an SSL/TLS path is running on a 32-bit host and a specific
6924 perform an out-of-bounds read, usually resulting in a crash.
6927 ([CVE-2017-3731])
6934 procedure. No EC algorithms are affected. Analysis suggests that attacks
6945 similar to CVE-2015-3193 but must be treated as a separate problem.
6947 This issue was reported to OpenSSL by the OSS-Fuzz project.
6948 ([CVE-2017-3732])
6954 There is a carry propagating bug in the Broadwell-specific Montgomery
6956 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
6961 erroneous outcome of public-key operations with specially crafted input.
6962 Among EC algorithms only Brainpool P-512 curves are affected and one
6964 detail, because pre-requisites for attack are considered unlikely. Namely
6972 ([CVE-2016-7055])
6978 prevent issues where no progress is being made and the peer continually
6992 ([CVE-2016-7052])
7006 the "no-ocsp" build time option are not affected.
7009 ([CVE-2016-6304])
7018 ([CVE-2016-2183])
7034 ([CVE-2016-6303])
7048 ([CVE-2016-6302])
7061 ([CVE-2016-2182])
7073 ([CVE-2016-2180])
7099 ([CVE-2016-2177])
7107 implementation means that a non-constant time codepath is followed for
7108 certain operations. This has been demonstrated through a cache-timing
7114 ([CVE-2016-2178])
7120 In a DTLS connection where handshake messages are delivered out-of-order
7125 remain in the buffer when they are no longer required. These messages will
7132 ([CVE-2016-2179])
7147 ([CVE-2016-2181])
7163 ([CVE-2016-6306])
7169 * Prevent padding oracle in AES-NI CBC MAC check
7173 AES-NI.
7176 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7178 compared against either the MAC or padding bytes. But it no longer
7182 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7201 ([CVE-2016-2105])
7216 therefore there is no possibility of an overflow. Since all instances are
7217 one of these two forms, it is believed that there can be no overflows in
7221 of these calls have also been analysed and it is believed there are no
7225 ([CVE-2016-2106])
7241 ([CVE-2016-2109])
7252 ([CVE-2016-2176])
7266 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7274 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7280 is by default disabled at build-time. Builds that are not configured with
7281 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7282 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7290 explicitly uses the version-specific SSLv2_method() or its client and
7292 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7293 ciphers, and SSLv2 56-bit DES are no longer available.
7294 ([CVE-2016-0800])
7298 * Fix a double-free in DSA code
7307 ([CVE-2016-0705])
7324 credentials, this behaviour is not constant time and no strong
7327 ([CVE-2016-0798])
7352 ([CVE-2016-0797])
7373 functions when printing out human-readable dumps of ASN.1 data. Therefore
7384 ([CVE-2016-0799])
7390 A side-channel attack was found which makes use of cache-bank conflicts on
7391 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7394 hyper-threaded core as the victim thread which is performing decryptions.
7400 ([CVE-2016-0702])
7404 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
7405 if no keysize is specified with default_bits. This fixes an
7441 ([CVE-2016-0701])
7454 ([CVE-2015-3197])
7463 procedure. No EC algorithms are affected. Analysis suggests that attacks
7476 ([CVE-2015-3193])
7492 ([CVE-2015-3194])
7505 ([CVE-2015-3195])
7558 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7559 ([CVE-2015-1788])
7563 * Exploitable out-of-bounds read in X509_cmp_time
7579 ([CVE-2015-1789])
7586 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7594 ([CVE-2015-1790])
7605 ([CVE-2015-1792])
7611 If a NewSessionTicket is received by a multi-threaded client when attempting to
7614 ([CVE-2015-1791])
7618 * Only support 256-bit or stronger elliptic curves with the
7620 curves, prefer P-256 (both).
7634 ([CVE-2015-0291])
7644 using non-blocking IO. Typically, when the user application is using a
7650 ([CVE-2015-0290])
7667 ([CVE-2015-0207])
7679 ([CVE-2015-0286])
7694 ([CVE-2015-0208])
7708 ([CVE-2015-0287])
7715 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7723 ([CVE-2015-0289])
7731 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7735 ([CVE-2015-0293])
7744 ([CVE-2015-1787])
7752 - The client is on a platform where the PRNG has not been seeded
7754 - A protocol specific client method version has been used (i.e. not
7756 - A ciphersuite is used that does not require additional random data from
7757 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
7766 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
7767 ([CVE-2015-0285])
7782 ([CVE-2015-0209])
7792 ([CVE-2015-0288])
7807 near-optimal performance even on newer platforms.
7811 * Accelerated NIST P-256 elliptic curve implementation for x86_64
7823 bogus results, with non-infinity inputs mapped to infinity too.)
7834 * Add support for little-endian ppc64 Linux target.
7841 Both 32- and 64-bit modes are supported.
7862 implementations, AESNI-SHA256 and GCM, and multi-buffer support
7902 * Add -rev test option to s_server to just reverse order of characters
7908 * New option -brief for s_client and s_server to print out a brief summary
7917 * New option -crl_download in several openssl utilities to download CRLs
7922 * New options -CRL and -CRLform for s_client and s_server for CRLs.
7958 "enable-ssl-trace". New options to s_client and s_server to enable
7998 preference list abort the handshake. If client has no suitable
8063 and print them out in s_client and s_server. Abort handshake if no
8100 * Initial experimental support for explicitly trusted non-root CAs.
8103 setting is used: whether to trust (e.g., -addtrust option to the x509
8108 * Add -trusted_first option which attempts to find certificates in the
8118 * Support for linux-x32, ILP32 environment in x86_64 framework.
8122 * Experimental multi-implementation support for FIPS capable OpenSSL.
8168 between NIDs and the more common NIST names such as "P-256". Enhance
8188 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
8190 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
8195 -------------
8207 the "no-ocsp" build time option are not affected.
8210 ([CVE-2016-6304])
8219 ([CVE-2016-2183])
8235 ([CVE-2016-6303])
8249 ([CVE-2016-6302])
8262 ([CVE-2016-2182])
8274 ([CVE-2016-2180])
8300 ([CVE-2016-2177])
8308 implementation means that a non-constant time codepath is followed for
8309 certain operations. This has been demonstrated through a cache-timing
8315 ([CVE-2016-2178])
8321 In a DTLS connection where handshake messages are delivered out-of-order
8326 remain in the buffer when they are no longer required. These messages will
8333 ([CVE-2016-2179])
8348 ([CVE-2016-2181])
8364 ([CVE-2016-6306])
8370 * Prevent padding oracle in AES-NI CBC MAC check
8374 AES-NI.
8377 attack ([CVE-2013-0169]). The padding check was rewritten to be in
8379 compared against either the MAC or padding bytes. But it no longer
8383 This issue was reported by Juraj Somorovsky using TLS-Attacker.
8384 ([CVE-2016-2107])
8403 ([CVE-2016-2105])
8418 therefore there is no possibility of an overflow. Since all instances are
8419 one of these two forms, it is believed that there can be no overflows in
8423 of these calls have also been analysed and it is believed there are no
8427 ([CVE-2016-2106])
8443 ([CVE-2016-2109])
8454 ([CVE-2016-2176])
8468 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
8476 Builds that are not configured with "enable-weak-ssl-ciphers" will not
8482 is by default disabled at build-time. Builds that are not configured with
8483 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
8484 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
8492 explicitly uses the version-specific SSLv2_method() or its client and
8494 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
8495 ciphers, and SSLv2 56-bit DES are no longer available.
8496 ([CVE-2016-0800])
8500 * Fix a double-free in DSA code
8509 ([CVE-2016-0705])
8526 credentials, this behaviour is not constant time and no strong
8529 ([CVE-2016-0798])
8554 ([CVE-2016-0797])
8575 functions when printing out human-readable dumps of ASN.1 data. Therefore
8586 ([CVE-2016-0799])
8592 A side-channel attack was found which makes use of cache-bank conflicts on
8593 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
8596 hyper-threaded core as the victim thread which is performing decryptions.
8602 ([CVE-2016-0702])
8606 * Change the req command to generate a 2048-bit RSA/DSA key by default,
8607 if no keysize is specified with default_bits. This fixes an
8632 ([CVE-2015-3197])
8654 ([CVE-2015-3194])
8667 ([CVE-2015-3195])
8696 ([CVE-2015-1793])
8702 If PSK identity hints are received by a multi-threaded client then
8706 ([CVE-2015-3196])
8729 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8730 ([CVE-2015-1788])
8734 * Exploitable out-of-bounds read in X509_cmp_time
8750 ([CVE-2015-1789])
8757 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8765 ([CVE-2015-1790])
8776 ([CVE-2015-1792])
8782 If a NewSessionTicket is received by a multi-threaded client when attempting to
8785 ([CVE-2015-1791])
8793 * dhparam: generate 2048-bit parameters by default.
8807 ([CVE-2015-0286])
8821 ([CVE-2015-0287])
8828 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8836 ([CVE-2015-0289])
8844 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8848 ([CVE-2015-0293])
8863 ([CVE-2015-0209])
8873 ([CVE-2015-0288])
8893 ([CVE-2014-3571])
8903 ([CVE-2015-0206])
8907 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8908 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
8911 ([CVE-2014-3569])
8920 ([CVE-2014-3572])
8924 * Remove non-export ephemeral RSA code on client and server. This code
8926 non-export ciphersuites and could be used by a server to effectively
8930 ([CVE-2015-0204])
8942 ([CVE-2015-0205])
8956 By using non-DER or invalid encodings outside the signed portion of a
8958 Although no details of the signed portion of the certificate can be changed
8977 Re-encode DSA/ECDSA signatures and compare with the original received
8988 ([CVE-2014-8275])
9000 ([CVE-2014-3570])
9017 * Tighten client-side session ticket handling during renegotiation:
9042 ([CVE-2014-3513])
9054 ([CVE-2014-3567])
9058 * Build option no-ssl3 is incomplete.
9060 When OpenSSL is configured with "no-ssl3" as a build option, servers
9063 ([CVE-2014-3568])
9070 ([CVE-2014-3566])
9076 Re-encode DigestInfo in DER and check against the original when
9080 Note: this is a precautionary measure and no attacks are currently known.
9092 ([CVE-2014-3512])
9098 is badly fragmented. This allows a man-in-the-middle attacker to force a
9104 ([CVE-2014-3511])
9115 ([CVE-2014-3510])
9122 ([CVE-2014-3507])
9130 ([CVE-2014-3506])
9137 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
9139 ([CVE-2014-3505])
9149 ([CVE-2014-3509])
9160 ([CVE-2014-5139])
9170 ([CVE-2014-3508])
9176 bogus results, with non-infinity inputs mapped to infinity too.)
9187 researching this issue. ([CVE-2014-0224])
9195 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
9196 ([CVE-2014-0221])
9205 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
9213 this issue. ([CVE-2014-3470])
9217 * Harmonize version and its documentation. -f flag is used to display
9239 preparing the fix ([CVE-2014-0160])
9244 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
9249 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
9253 * TLS pad extension: draft-agl-tls-padding-03
9267 ([CVE-2013-4353])
9271 to be resent. ([CVE-2013-6450])
9276 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
9278 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
9286 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
9303 ([CVE-2013-0169])
9312 ([CVE-2012-2686])
9317 This fixes a DoS attack. ([CVE-2013-0166])
9346 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9348 ([CVE-2012-2333])
9395 ([CVE-2012-2110])
9399 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
9411 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
9447 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9451 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9459 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
9460 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
9461 - x86_64: bit-sliced AES implementation;
9462 - ARM: NEON support, contemporary platforms optimizations;
9463 - s390x: z196 support;
9464 - `*`: GHASH and GF(2^m) multiplication implementations;
9468 * Make TLS-SRP code conformant with RFC 5054 API cleanup
9477 * Add DTLS-SRTP negotiation from RFC 5764.
9482 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
9483 disabled with a no-npn flag to config or Configure. Code donated
9488 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
9489 NIST-P256, NIST-P521, with constant-time single point multiplication on
9491 required to use this (present in gcc 4.4 and later, for 64-bit builds).
9494 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
9514 * New -sigopt option to the ca, req and x509 utilities. Additional
9522 corresponding EVP_MD_CTX structure. No application support yet.
9527 New function ASN1_item_sign_ctx() signs a pre-initialised
9535 handling will be the same no matter what EVP_PKEY_METHOD is used.
9566 * Session-handling fixes:
9567 - Fix handling of connections that are resuming with a session ID,
9569 - Fix a bug that suppressed issuing of a new ticket if the client
9571 - Try to set the ticket lifetime hint to something reasonable.
9572 - Make tickets shorter by excluding irrelevant information.
9573 - On the client side, don't ignore renewed tickets.
9581 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
9609 switch between FIPS and non-FIPS modes.
9615 keep original code iff non-FIPS operations are allowed.
9619 * Add -attime option to openssl utilities.
9632 * New build option no-ec2m to disable characteristic 2 code.
9636 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
9646 * Add similar low-level API blocking to ciphers.
9650 * low-level digest APIs are not approved in FIPS mode: any attempt
9679 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
9704 All server ciphersuites should now work correctly in TLS v1.2. No client
9705 support yet and no support for client certificates.
9738 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9748 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
9762 -------------
9775 ([CVE-2015-3195])
9781 If PSK identity hints are received by a multi-threaded client then
9785 ([CVE-2015-3196])
9802 This issue was reported to OpenSSL by Joseph Barr-Pixton.
9803 ([CVE-2015-1788])
9807 * Exploitable out-of-bounds read in X509_cmp_time
9823 ([CVE-2015-1789])
9830 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
9838 ([CVE-2015-1790])
9849 ([CVE-2015-1792])
9855 If a NewSessionTicket is received by a multi-threaded client when attempting to
9858 ([CVE-2015-1791])
9872 ([CVE-2015-0286])
9886 ([CVE-2015-0287])
9893 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
9901 ([CVE-2015-0289])
9909 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
9913 ([CVE-2015-0293])
9928 ([CVE-2015-0209])
9938 ([CVE-2015-0288])
9958 ([CVE-2014-3571])
9968 ([CVE-2015-0206])
9972 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
9973 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
9976 ([CVE-2014-3569])
9985 ([CVE-2014-3572])
9989 * Remove non-export ephemeral RSA code on client and server. This code
9991 non-export ciphersuites and could be used by a server to effectively
9995 ([CVE-2015-0204])
10007 ([CVE-2015-0205])
10019 ([CVE-2014-3570])
10025 By using non-DER or invalid encodings outside the signed portion of a
10027 Although no details of the signed portion of the certificate can be changed
10046 Re-encode DSA/ECDSA signatures and compare with the original received
10057 ([CVE-2014-8275])
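The CVE-2014-8275 entries (in both the 1.0.2 and the 1.0.1 sections) describe the defence as re-encoding the received DSA/ECDSA signature and comparing it with the original bytes, so that a non-DER or otherwise invalid encoding can no longer produce a certificate with a different fingerprint but a still-valid signature. This added example, not OpenSSL's ASN.1 code, shows that defence on a signature value of the form SEQUENCE { INTEGER r, INTEGER s }: the parser is deliberately lenient (long-form lengths where a short form would do, redundant leading 0x00 or 0xFF bytes in an INTEGER, trailing bytes), the encoder is strictly canonical DER, and the signature is accepted only when the re-encoding reproduces the input byte for byte. The same re-encode-and-compare idea is what the DigestInfo entry further down describes; that structure is not parsed here. Sample encodings are constructed for this example.

```c
/* Added example (not OpenSSL code): accept an ECDSA/DSA signature only if its
 * canonical DER re-encoding is identical to the bytes that were received. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_INT_LEN 512

/* Lenient TLV header read: accepts any long-form length of up to two bytes,
 * even where DER requires the short form. Sets *hdr (header size) and *vlen
 * (value size); returns -1 if the element does not fit in len bytes. */
static int read_tlv(const uint8_t *p, size_t len, uint8_t want_tag,
                    size_t *hdr, size_t *vlen)
{
    if (len < 2 || p[0] != want_tag)
        return -1;
    size_t h = 2, v = p[1];
    if (p[1] & 0x80) {
        size_t nb = p[1] & 0x7f;
        if (nb == 0 || nb > 2 || len < 2 + nb)
            return -1;
        v = 0;
        for (size_t k = 0; k < nb; k++)
            v = (v << 8) | p[2 + k];
        h = 2 + nb;
    }
    if (len - h < v)
        return -1;
    *hdr = h;
    *vlen = v;
    return 0;
}

/* Canonical DER length: the shortest form that fits. */
static size_t put_len(uint8_t *out, size_t n)
{
    if (n < 0x80)  { out[0] = (uint8_t)n; return 1; }
    if (n < 0x100) { out[0] = 0x81; out[1] = (uint8_t)n; return 2; }
    out[0] = 0x82; out[1] = (uint8_t)(n >> 8); out[2] = (uint8_t)n; return 3;
}

/* Returns 1 if sig is canonical DER (re-encoding reproduces it exactly),
 * 0 if it parses but is not canonical (padding, long-form lengths, trailing
 * data, extra elements), -1 if it cannot be parsed at all. */
int ecdsa_sig_is_canonical_der(const uint8_t *sig, size_t len)
{
    size_t hdr, vlen;
    if (read_tlv(sig, len, 0x30, &hdr, &vlen) < 0)
        return -1;

    const uint8_t *body = sig + hdr;
    size_t rem = vlen;
    uint8_t seq[2 * (4 + MAX_INT_LEN)];
    size_t seqlen = 0;

    for (int k = 0; k < 2; k++) {
        size_t h, v;
        if (read_tlv(body, rem, 0x02, &h, &v) < 0 || v == 0 || v > MAX_INT_LEN)
            return -1;
        const uint8_t *val = body + h;
        size_t n = v;
        /* Minimal two's-complement: drop leading 0x00 (or 0xFF) bytes that
         * carry no information. A 0x00 before a byte >= 0x80 is kept. */
        while (n > 1 && ((val[0] == 0x00 && !(val[1] & 0x80)) ||
                         (val[0] == 0xFF && (val[1] & 0x80)))) {
            val++; n--;
        }
        seq[seqlen++] = 0x02;
        seqlen += put_len(seq + seqlen, n);
        memcpy(seq + seqlen, val, n);
        seqlen += n;
        body += h + v;
        rem -= h + v;
    }
    if (rem != 0)
        return 0;                /* more than two elements in the SEQUENCE */

    uint8_t out[sizeof seq + 8];
    size_t olen = 0;
    out[olen++] = 0x30;
    olen += put_len(out + olen, seqlen);
    memcpy(out + olen, seq, seqlen);
    olen += seqlen;
    return (olen == len && memcmp(out, sig, len) == 0) ? 1 : 0;
}

/* Constructed samples; r = 5, s = 7 unless noted. */
static const uint8_t sig_canonical[] = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};
static const uint8_t sig_padded_r[]  = {0x30, 0x07, 0x02, 0x02, 0x00, 0x05, 0x02, 0x01, 0x07}; /* r as 00 05 */
static const uint8_t sig_long_len[]  = {0x30, 0x81, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07}; /* long-form length */
static const uint8_t sig_trailing[]  = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07, 0x00}; /* byte after SEQUENCE */
static const uint8_t sig_needs_pad[] = {0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x07}; /* r = 128: 00 required */
static const uint8_t sig_truncated[] = {0x30, 0x06, 0x02, 0x01, 0x05};

int main(void)
{
    printf("canonical %d, needs_pad %d, padded_r %d, long_len %d, trailing %d, truncated %d\n",
           ecdsa_sig_is_canonical_der(sig_canonical, sizeof sig_canonical),
           ecdsa_sig_is_canonical_der(sig_needs_pad, sizeof sig_needs_pad),
           ecdsa_sig_is_canonical_der(sig_padded_r, sizeof sig_padded_r),
           ecdsa_sig_is_canonical_der(sig_long_len, sizeof sig_long_len),
           ecdsa_sig_is_canonical_der(sig_trailing, sizeof sig_trailing),
           ecdsa_sig_is_canonical_der(sig_truncated, sizeof sig_truncated));
    return 0;
}
```

A verifier that already parses leniently needs no second strict parser: re-encoding what it understood and comparing with what it received rejects every alternative encoding of the same r and s, which is exactly the class of fingerprint-changing variation the entries describe.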
10071 ([CVE-2014-3567])
10075 * Build option no-ssl3 is incomplete.
10077 When OpenSSL is configured with "no-ssl3" as a build option, servers
10080 ([CVE-2014-3568])
10087 ([CVE-2014-3566])
10093 Re-encode DigestInfo in DER and check against the original when
10097 Note: this is a precautionary measure and no attacks are currently known.
10110 ([CVE-2014-3510])
10117 ([CVE-2014-3507])
10125 ([CVE-2014-3506])
10132 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
10134 ([CVE-2014-3505])
10144 ([CVE-2014-3509])
10154 ([CVE-2014-3508])
10160 bogus results, with non-infinity inputs mapped to infinity too.)
10171 researching this issue. ([CVE-2014-0224])
10179 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
10180 ([CVE-2014-0221])
10189 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
10197 this issue. ([CVE-2014-3470])
10201 * Harmonize version and its documentation. -f flag is used to display
10216 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
10221 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
10229 to be resent. ([CVE-2013-6450])
10234 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
10236 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
10254 ([CVE-2013-0169])
10259 This fixes a DoS attack. ([CVE-2013-0166])
10283 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
10285 ([CVE-2012-2333])
10302 ([CVE-2012-2110])
10312 old behaviour can be re-enabled in the CMS code by setting the
10316 this issue. ([CVE-2012-0884])
10320 * Fix CVE-2011-4619: make sure we really are receiving a
10328 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
10331 preparing a fix. ([CVE-2012-0050])
10347 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
10348 for preparing the fix. ([CVE-2011-4108])
10353 ([CVE-2011-4576])
10359 Adam Langley for preparing the fix. ([CVE-2011-4619])
10363 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
10369 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
10377 * Fix ssl_ciph.c set-up race.
10401 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
10408 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
10413 for multi-threaded use of ECDH. ([CVE-2011-3210])
10435 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
10449 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
10453 * Fixed J-PAKE implementation error, originally discovered by
10455 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
10463 be shared by multiple threads. CVE-2010-3864
10475 ([CVE-2010-1633])
10477 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
10491 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
10546 *Michael Tuexen <tuexen@fh-muenster.de>*
10562 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
10585 openssl dgst -sha256 foo
10618 * Add session ticket override functionality for use by EAP-FAST.
10627 * Type-checked OBJ_bsearch_ex.
10631 * Type-checked OBJ_bsearch. Also some constification necessitated
10632 by type-checking. Still to come: TXT_DB, bsearch(?),
10643 X509_time_adj() is still usable and will no longer have any date issues.
10711 * To cater for systems that provide a pointer-based thread ID rather
10718 as a pointer-based thread ID to distinguish between threads.
10731 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
10735 intermediate development versions of OpenSSL; this is no longer the
10753 * Revamp of STACK to provide stronger type-checking. Still to come:
10764 * Revamp of LHASH to provide stronger type-checking. Still to come:
10783 files from Configure script, currently only included in VC-WIN32.
10804 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
10805 official specification yet and no extension type assignment by
10810 -DTLSEXT_TYPE_opaque_prf_input=0x9527
10821 an internal copy of the length-'len' string at 'src', and will
10822 return non-zero for success.
10840 has to return non-zero to report success: usually 1 to use opaque
10877 with no application modification.
10900 * Add option -stream to use PKCS#7 streaming in smime utility. New
10909 ENGINE support for HMAC keys which are unextractable. New -mac and
10910 -macopt options to dgst utility.
10914 * New option -sigopt to dgst utility. Update dgst to use
10923 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
10931 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
10959 away into the non-exported interface ssl/ssl_locl.h, so this
10962 categories, so there is no longer a need to coagulate AES128 and
10977 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
10988 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
11011 -verify_return_error to s_client and s_server. This causes real errors
11012 to be returned by the verify callback instead of carrying on no matter
11023 partitioned by DP are handled but no indirect CRL or reason partitioning
11054 * Non-blocking OCSP request processing. Add -timeout option to ocsp
11080 list-message-digest-algorithms and list-cipher-algorithms.
11085 of degrees of non-zero coefficients is now terminated with -1.
11106 The temporary ciphersuite alias "ECCdraft" is no longer
11107 available, and ECC ciphersuites are no longer excluded from "ALL"
11111 kECDHr - ECDH cert, signed with RSA
11112 kECDHe - ECDH cert, signed with ECDSA
11113 kECDH - ECDH cert (signed with either RSA or ECDSA)
11114 kEECDH - ephemeral ECDH
11115 ECDH - ECDH cert or ephemeral ECDH
11117 aECDH - ECDH cert
11118 aECDSA - ECDSA cert
11119 ECDSA - ECDSA cert
11121 AECDH - anonymous ECDH
11122 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
11148 * New -resign option to smime utility. This adds one or more signers
11149 to an existing PKCS#7 signedData structure. Also -md option to use an
11160 * New -macalg option to pkcs12 utility to allow setting of an alternative
11182 a no op.
11263 "list-public-key-algorithms" to print out info.
11268 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11291 De-spaghettify the public key ASN1 handling. Move public and private
11300 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11309 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
11310 PSK-AES256-CBC-SHA
11342 - SSL_CTX_set_tlsext_servername_callback()
11344 - SSL_CTX_set_tlsext_servername_arg()
11345 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
11347 openssl s_client has a new '-servername ...' option.
11349 openssl s_server has new options '-servername_host ...', '-cert2 ...',
11350 '-key2 ...', '-servername_fatal' (subject to change). This allows
11351 testing the HostName extension for a specific single hostname ('-cert'
11352 and '-key' remain fallbacks for handshakes without HostName
11354 default is a warning; it becomes fatal with the '-servername_fatal'
11363 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
11367 implementations, between 32- and 64-bit builds without hassle.
11372 to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
11380 "64-bit" performance on certain 32-bit targets.
11391 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
11439 -------------
11444 update s->server with a new major version number. As of
11445 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
11446 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
11449 protection is active. ([CVE-2010-0740])
11453 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
11460 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
11480 This should be fine since flushing with no data to flush is a no op.
11494 This results in significant per-connection memory leaks and
11495 has caused some security issues including CVE-2008-1678 and
11496 CVE-2009-4355.
11522 and would have no code in place to handle the server denying it so the
11538 * Implement RFC5746. Re-enable renegotiation but require the extension
11549 servername handling. Use a non-zero length session ID when attempting
11564 * Add --strict-warnings option to Configure script to include devteam
11569 * Add support for --libdir option and LIBDIR variable in makefiles. This
11570 makes it possible to install openssl libraries in locations which
11600 it used to have an ad-hoc builder which was unable to cope with anything
11608 with non-FIPS digests are now usable in FIPS mode.
11615 with sending out of seq handshake messages until there is no memory
11617 sequence number made no sense and would be part of another handshake.
11619 buffered. ([CVE-2009-1378])
11625 currently no limitation to this buffer allowing an attacker to perform
11626 a DoS attack with sending records with future epochs until there is no
11629 ([CVE-2009-1377])
11633 * Keep a copy of frag->msg_header.frag_len so it can be used after the
11634 parent structure is freed. ([CVE-2009-1379])
11638 * Handle non-blocking I/O properly in SSL_shutdown() call.
11640 *Darryl Miles <darryl-mailinglists@netbauds.net>*
11648 * Disable renegotiation completely - this fixes a severe security
11649 problem ([CVE-2009-3555]) at the cost of breaking all
11650 renegotiation. Renegotiation can be re-enabled by setting
11651 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
11652 run-time. This is really not recommended unless you know what
11661 zeroing past the valid field. ([CVE-2009-0789])
11667 appear to verify correctly. ([CVE-2009-0591])
11673 a legal length. ([CVE-2009-0590])
11693 * New -hex option for openssl rand.
11714 ([CVE-2008-5077]).
11732 * Tweak Configure so that you need to say "experimental-jpake" to enable
11733 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
11750 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
11761 ChangeCipherSpec as first record ([CVE-2009-1386]).
11771 double-checked locking was incomplete for RSA blinding,
11773 doubly unsafe triple-checked locking.
11782 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
11784 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
11788 - Change bn_nist.c so that it will properly handle input BIGNUMs
11791 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
11796 * Allow engines to be "soft loaded" - i.e. optionally don't die if
11805 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
11817 Not compiled unless enable-capieng specified to Configure.
11834 Codenomicon TLS test suite ([CVE-2008-1672])
11839 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
11863 the 'db' section contains nothing but zeroes (there is a one-byte
11868 * Partial backport from 0.9.9-dev:
11872 While 0.9.9-dev uses assembler for various architectures, only
11874 32-bit x86 is available through a compile-time setting.
11876 To try the 32-bit x86 assembler implementation, use Configure
11877 option "enable-montasm" (which exists only for this backport).
11879 As "enable-montasm" for 32-bit x86 disclaims code stability
11881 backported from 0.9.9-dev for further performance improvements,
11883 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
11894 * Reverse ENGINE-internal logic for caching default ENGINE handles.
11901 'uptodate' flag is reset so that auto-discovery will be used next
11918 with the enable-cms configuration option.
11955 - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
11956 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
11957 - added some more tests to do_tests.pl
11958 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
11959 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
11960 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
11961 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
11962 - various changes to netware.pl to enable gcc-cross builds on Win32
11964 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
11965 - various changes to fix missing prototype warnings
11966 - fixed x86nasm.pl to create correct asm files for NASM COFF output
11967 - added AES, WHIRLPOOL and CPUID assembler code to build files
11968 - added missing AES assembler make rules to mk1mf.pl
11969 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
11985 + DTLS interoperation with non-compliant servers
11997 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
12000 This update even addresses CVE-2007-4995.
12020 with no application modification.
12049 - SSL_CTX_set_tlsext_servername_callback()
12051 - SSL_CTX_set_tlsext_servername_arg()
12052 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
12054 openssl s_client has a new '-servername ...' option.
12056 openssl s_server has new options '-servername_host ...', '-cert2 ...',
12057 '-key2 ...', '-servername_fatal' (subject to change). This allows
12058 testing the HostName extension for a specific single hostname ('-cert'
12059 and '-key' remain fallbacks for handshakes without HostName
12061 default is a warning; it becomes fatal with the '-servername_fatal'
12087 * Add the Korean symmetric 128-bit cipher SEED (see
12091 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
12092 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
12093 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
12094 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
12098 is configured with 'enable-seed'.
12106 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
12110 respectively, which are slower, but avoid the security-relevant
12125 constant-time implementations for more than just exponentiation.
12142 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
12153 authentication-only ciphersuites.
12157 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
12159 ([CVE-2007-5135]) [Ben Laurie]
12201 *Goetz Babin-Ebell*
12206 cause a denial of service. ([CVE-2006-2940])
12211 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12214 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12217 malicious SSLv2 server. ([CVE-2006-4343])
12222 match only those. Before that, "AES256-SHA" would be interpreted
12223 as a pattern and match "AES128-SHA" too (since AES128-SHA got
12227 "RC4-MD5" that intentionally matched multiple ciphersuites --
12234 Thus, "RC4-MD5" again will properly select both the SSL 2.0
12251 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12266 However, please upgrade to OpenSSL 0.9.9[-dev] for
12267 non-experimental use of the ECC ciphersuites to get TLS extension
12275 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12276 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12277 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12280 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12284 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12290 dual-core machines) and other potential thread-safety issues.
12294 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
12295 versions), which is now available for royalty-free use
12301 is configured with 'enable-camellia'.
12325 * Update support for ECC-based TLS ciphersuites according to
12326 draft-ietf-tls-ecc-12.txt with proposed changes (but without
12341 Static zlib linking now works on Windows and the new --with-zlib-include
12342 --with-zlib-lib options to Configure can be used to supply the location
12369 countermeasure against man-in-the-middle protocol-version
12371 idea. ([CVE-2005-2969])
12386 * Avoid some small subgroup attacks in Diffie-Hellman.
12390 * Add functions for well-known primes.
12403 * Make PKCS7_decrypt() work even if no certificate is supplied by
12427 * Add -utf8 command line and config file option to 'ca'.
12437 involves renaming the source and generated shared-libs for
12446 use it. Make -CSP option work again in pkcs12 utility.
12451 - automatic re-creation of the BN_BLINDING parameters after
12453 - add new function for parameter creation
12454 - introduce flags to control the update behaviour of the
12456 - hide BN_BLINDING structure
12477 * Use SHA-1 instead of MD5 as the default digest algorithm for
12482 * Compile clean with "-Wall -Wmissing-prototypes
12483 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
12489 The new counterpart to "no-xxx" is "enable-xxx".
12492 "enable-rc5" and "enable-mdc2", respectively, are specified.
12495 is frequently required for interoperability, and there is no license
12496 fee for non-commercial use. As before, "no-idea" can be used to
12503 EGEE (Enabling Grids for E-science in Europe).
12508 as Intel P4, IA-64 and AMD64.
12512 * New utility extract-section.pl. This can be used to specify an alternative
12523 * New arguments -certform, -keyform and -pass for s_client and s_server
12548 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
12564 moved from CA.pl to the 'ca' utility with a new option -create_serial.
12569 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
12577 give fewer recursive includes, which could break lazy source code - so
12581 backwards-compatible behaviour prevails when this isn't defined.
12614 * Reimplemented the BN_CTX implementation. There is now no more static
12618 static array of bignums, BN_CTX now uses a linked-list of such arrays
12654 * BN_CTX_get() should return zero-valued bignums, providing the same
12687 * Because of the callback-based approach for implementing LHASH as a
12688 template type, lh_insert() adds opaque objects to hash-tables and
12691 (and losing the object pointers). So some over-zealous constifications in
12705 aren't necessarily the greatest nomenclatures - but this is what was used
12712 the self-tests were still using deprecated key-generation functions so
12733 modulus operations are not performed. The (pre-generated) prime
12735 re-generated on some platforms because of the "division by zero"
12740 * Update support for ECC-based TLS ciphersuites according to
12741 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
12742 SHA-1 now is only used for "small" curves (where the
12756 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
12768 to certificate and key stores, be they simple file-based stores, or
12769 HSM-type store, or LDAP stores, or...
12782 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
12790 searched-for key would be inserted to preserve sorting order.
12811 * Make it possible to create self-signed certificates with 'openssl ca'
12812 in such a way that the self-signed certificate becomes part of the
12814 as all other certificate signing. The new flag '-selfsign' enables
12821 request can be signed by that key (self-signing).
12827 'unique_subject' is set to 'no' in the main CA section (default
12834 * Generate multi-valued AVAs using '+' notation in config files for
12852 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
12881 * Add full support for -rpath/-R, both in shared libraries and
12911 ./config -DOPENSSL_USE_GMP -lgmp
12916 testing availability of engines with "-t" - the old behaviour is
12917 produced by increasing the feature's verbosity with "-tt".
12928 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
12935 * Change the "progress" mechanism used in key-generation and
12941 migrate to the new functions. Also, the new key-generation API
12942 functions operate on a caller-supplied key-structure and return
12943 success/failure rather than returning a key or NULL - this is to
12957 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
12966 draft-ietf-tls-compression-04.txt.
12976 -- at least one of the pair shall be present -- }
12997 to avoid the need to access 'a->neg' directly in applications.
13001 * Implement fast modular reduction for pseudo-Mersenne primes
13022 the usual use of --prefix and/or --openssldir, and at run
13038 files while avoiding the low-level API.
13042 algorithm NIDs can be set to -1 for no encryption, the mac
13045 Enhance pkcs12 utility by making the -nokeys and -nocerts
13046 options work when creating a PKCS#12 file. New option -nomac
13049 instead of the low-level API.
13065 * Let 'openssl req' fail if an argument to '-newkey' is not
13070 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
13206 functionality is disabled at compile-time.
13213 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
13214 mode the content of non-printable OCTET STRINGs is output in a
13227 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
13229 - Points are encoded in uncompressed form by default; options for
13278 EC_METHOD) that verifies that the curve discriminant is non-zero.
13293 - 'openssl req' now has a '-newkey ecdsa:file' option;
13294 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
13295 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
13299 - ECDSA engine support has been added.
13335 authentication-only ciphersuites.
13379 cause a denial of service. ([CVE-2006-2940])
13384 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
13387 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
13390 malicious SSLv2 server. ([CVE-2006-4343])
13395 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
13396 will no longer include "AES128-SHA"), and any other similar
13398 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
13407 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
13417 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
13418 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
13419 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
13422 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
13426 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
13432 dual-core machines) and other potential thread-safety issues.
13447 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
13459 safely run with a non-FIPSed libcrypto, as it may crash because of
13468 countermeasure against man-in-the-middle protocol-version
13470 idea. ([CVE-2005-2969])
13482 the exponentiation using a fixed-length exponent. (Otherwise,
13489 * Make a new fixed-window mod_exp implementation the default for
13490 RSA, DSA, and DH private-key operations so that the sequence of
13493 cache-timing and potential related attacks.
13512 * Add support for smime-type MIME parameter in S/MIME messages which some
13536 with no (?) obvious way to tell the difference, without these VC++
13537 complains. Also the "definition" of FAR (blank) is no longer included
13549 they must be explicitly allowed at run-time. See
13556 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
13558 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
13591 * Back-port of selected performance improvements from development
13601 * Add new -passin argument to dgst.
13606 this is needed for some certificates that re-encode DNs into UTF8Strings
13617 - if there is an unhandled critical extension (unless the user
13619 - if the path length has been exceeded (if one is set at all)
13620 - that certain extensions fit the associated purpose (if one has
13647 certificate is created using 'openssl req -x509'. The initial serial
13648 number file is created using 'openssl x509 -next_serial' in CA.pl
13655 * Fix null-pointer assignment in do_change_cipher_spec() revealed
13656 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
13661 ([CVE-2004-0112])
13667 'unique_subject' is set to 'no' in the main CA section (default
13711 invalid tags (CVE-2003-0543 and CVE-2003-0544).
13713 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
13720 * New -ignore_err option in ocsp application to stop the server
13766 * Countermeasure against the Klima-Pokorny-Rosa extension of
13776 They would be ill-advised to do so in most cases.
13782 an unpredictable seed -- if it is not unpredictable, there
13783 is no point in blinding anyway). Make RSA blinding thread-safe
13784 by remembering the creator's thread ID in rsa->blinding and
13785 having all other threads use local one-time blinding factors
13786 (this requires more computation than sharing rsa->blinding, but
13810 between bad padding and a MAC verification error. ([CVE-2003-0078])
13816 * Make the no-err option work as intended. The intention with no-err
13824 used by default when no-err is given.
13841 ssl3_output_cert_chain(): an application had no way to send the
13852 present and it might also want a means of sending no additional
13884 * IA-32 assembler support enhancements: unified ELF targets, support
13890 FreeBSD on non-x86 processors is separate from x86 processors on
13939 warnings and a request that patches get sent to openssl-dev.
13943 * Add the VC-CE target, introduce the WINCE sysname, and add
13944 INSTALL.WCE and appropriate conditionals to make it build.
13948 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
13949 cygssl-x.y.z.dll, where x, y and z are the major, minor and
13959 * Avoid using fixed-size buffers for one-line DNs.
14018 * Add assertions to prevent user-supplied crypto functions from
14036 * Fix off-by-one error in EGD path.
14066 Remote buffer overflow in SSL3 protocol - an attacker could
14067 supply an oversized master key in Kerberos-enabled versions.
14068 ([CVE-2002-0657])
14076 * Make -nameopt work fully for req and add -reqopt switch.
14078 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
14092 which may be activated as a side-effect of selecting a single cipher.
14100 * Add appropriate support for separate platform-dependent build
14101 directories. The recommended way to make a platform-dependent
14108 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
14109 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
14110 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
14111 mkdir -p `dirname $F`
14112 ln -s $OPENSSL_SOURCE/$F $F
14126 *Götz Babin-Ebell <babinebell@trustcenter.de>*
14128 * Improve diagnostics in file reading and command-line digests.
14133 error in AES-CFB decryption.
14152 * Fix escaping of non-ASCII characters when using the -subj option
14158 form for "surname", serialNumber has no short form.
14163 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
14176 * Fix the 'app_verify_callback' interface so that the user-defined
14184 i=s->ctx->app_verify_callback(&ctx)
14186 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
14219 the same as the utility itself: that is the -config
14250 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
14259 * Add the configuration target debug-linux-ppro.
14271 * Add -keyform to rsautl, and document -engine.
14324 (up to about 10% better than before for P-192 and P-224).
14348 SSL object, and 'arg' is the application-defined value set by
14351 'openssl s_client' and 'openssl s_server' have new '-msg' options
14382 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
14383 runs for the former and machine-readable output for the latter.
14387 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
14388 of the e-mail address in the DN (i.e., it will go into a certificate
14389 extension only). The new configuration file option 'email_in_dn = no'
14467 support for symmetric ciphers and digest implementations - so ENGINEs
14472 API changes worth noting - some RSA, DSA, DH, and RAND functions that
14474 reverted back - the hooking from this code to ENGINE is now a good
14475 deal more passive and at run-time, operations deal directly with
14478 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
14479 they were not being used by the framework as there is no concept of a
14529 * Add support for shared libraries for Unixware-7
14543 makes them more flexible to be built both as statically-linked ENGINEs
14544 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
14545 Also, add stub code to each that makes building them as self-contained
14546 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
14552 self-contained shared-libraries. The "dynamic" ENGINE exposes control
14553 commands that can be used to configure what shared-library to load and
14555 the [README-Engine.md](README-Engine.md) file
14556 that brings its information up-to-date and
14558 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
14587 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
14588 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14593 thread-safety problems that existed, and (b) makes it possible to clean
14719 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
14726 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
14737 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
14738 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
14739 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
14741 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
14742 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
14743 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
14746 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
14748 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
14752 * Added the OS2-EMX target.
14767 and with possibilities to have yes/no kind of prompts.
14771 * Change all calls to low-level digest routines in the library and
14788 dialog box interfaces, application-defined prompts, the possibility
14795 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
14881 per-structure level rather than having to store it globally.
14891 this case have no functional references and the return value is the single
14893 by ENGINE_by_id() normally, when it is incremented on the pre-existing
14905 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
14907 - executing control commands from command line arguments using the
14908 '-pre' and '-post' switches. '-post' is only used if '-t' is
14910 the individual commands are colon-separated, for example;
14911 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
14917 and input types for run-time discovery by calling applications. A
14920 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
14929 OpenSSL-based application. Commands have been added to all the
14930 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
14931 control over shared-library paths without source code alterations.
14945 should already have non-const pointers to it (ie. they should only
14951 - "atalla" and "ubsec" string definitions were moved from header files
14953 rather than hard-coded - allowing parameterisation of these values
14955 - Removed unused "#if 0"'d code.
14956 - Fixed engine list iteration code so it uses ENGINE_free() to release
14958 - Constified the RAND_METHOD element of ENGINE structures.
14959 - Constified various get/set functions as appropriate and added
14960 missing functions (including a catch-all ENGINE_cpy that duplicates
14962 - Removed NULL parameter checks in get/set functions. Setting a method
14966 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
14968 - Changed prototypes for ENGINE handler functions (init(), finish(),
14969 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
14975 used only if the modulus is odd. On 32-bit systems, it is faster
14976 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
14977 roughly 5-15% for 256-bit moduli), so we use it only for moduli
14978 up to 450 bits. In 64-bit environments, the binary algorithm
15027 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
15038 finite fields, but as there are no obvious types for fields other
15043 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
15049 change the def and num file printf format specifier from "%-40sXXX"
15050 to "%-39s XXX". The latter will always guarantee a space after the
15097 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
15104 Add options '-batch' and '-verbose' to 'openssl req'.
15164 checked. Two new options -validity_period and -status_age added to
15198 can be useful for session caching in multiple-server environments. A
15199 command-line switch for testing this (and any client code that wishes
15214 sure e_os2.h will cover all platform-specific cases together with
15216 Additionally, it is now possible to define configuration/platform-
15220 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
15225 * New option -set_serial to 'req' and 'x509' this allows the serial
15252 port and path components: primarily to parse OCSP URLs. New -url
15263 the request is nonce-less.
15267 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
15269 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
15298 * Add the option -VAfile to 'openssl ocsp', so the user can give the
15370 is initialised to -1 but X509_time_adj() now has to check the value
15388 OCSP_crl_reason_str() and are no longer static. New options
15416 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
15419 the '-extensions ...' option may be used for specifying the
15432 `openssl ca -status <serial>` prints the status of the cert with
15434 `openssl ca -updatedb` updates the expiry status of certificates
15439 * New '-newreq-nodes' command option to CA.pl. This is like
15440 '-newreq', but calls 'openssl req' with the '-nodes' option
15455 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
15456 value of OPENSSLDIR. This is available via the new '-d' option
15457 to 'openssl version', and is also included in 'openssl version -a'.
15484 There should no longer be any prototype-casting required when using
15495 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
15504 (select timeout) and read in non-blocking mode. DEVRANDOM now
15509 For VMS, there's a currently-empty rand_vms.c.
15580 ASN1_ITEM and no wrapper functions.
15628 problems: As the program is single-threaded, all we have
15637 during TLS/SSL handshakes so that thread-safety is essential.
15639 for multi-threaded use, so it probably should be abolished.
15693 * Fix BN_uadd and BN_usub: Always return non-negative results instead
15698 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
15705 that provide type-safety and avoid function pointer casting for the
15706 type-specific callbacks.
15726 (using the probabilistic Tonelli-Shanks algorithm unless
15730 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15773 * Change BN_mod_mul so that the result is always non-negative.
15795 These functions always generate non-negative results.
15804 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15806 <!--
15820 -->
15823 unless the '-salt' option is used (which usually means that
15826 or the new '-noverify' option is used.
15829 non-interactive use of 'openssl passwd' (passwords on the command
15830 line, '-stdin' option, '-in ...' option) and thus should not
15835 * Remove all references to RSAref, since there's no more need for it.
15847 casts back to non-const were required (to be solved at a later
15869 are built-in in OpenSSL shall ever be used or not. The benefit is
15923 * Rework the filename-translation in the DSO code. It is now possible to
15930 * Support threads on FreeBSD-elf in Configure.
15942 NCONF_get_number() has no error checking at all. As a replacement,
15955 with non blocking I/O was not possible because no retry code was
15979 * Fix null-pointer assignment in do_change_cipher_spec() revealed
15980 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
15989 certain ASN.1 tags ([CVE-2003-0851])
15998 invalid tags (CVE-2003-0543 and CVE-2003-0544).
16024 * Countermeasure against the Klima-Pokorny-Rosa extension of
16034 They would be ill-advised to do so in most cases.
16040 an unpredictable seed -- if it is not unpredictable, there
16041 is no point in blinding anyway). Make RSA blinding thread-safe
16042 by remembering the creator's thread ID in rsa->blinding and
16043 having all other threads use local one-time blinding factors
16044 (this requires more computation than sharing rsa->blinding, but
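The RSA blinding entry above describes the bookkeeping, not the arithmetic. The following block is an added example written for this page, not OpenSSL's RSA code: a cached blinding pair is reused (and advanced) only by the thread that created it, and any other thread derives a fresh one-time pair. The toy key built from two Mersenne primes, the class and function names, and the squaring-based refresh are assumptions made here.

```python
"""Added example for this page, not OpenSSL's RSA code: private-key
blinding where a cached blinding pair is reused only by the thread that
created it, while any other thread derives a fresh one-time pair."""
import random
import threading

_RNG = random.SystemRandom()

# Toy RSA key built from two Mersenne primes (constructed for this
# example; far too small for real use).
P = 2 ** 89 - 1
Q = 2 ** 107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class Blinding:
    """Cached pair (A, Ai) = (r^e mod n, r^-1 mod n), tagged with the
    thread id of its creator."""

    def __init__(self, n, e):
        self.n, self.e = n, e
        self.owner = threading.get_ident()
        self.A, self.Ai = self.fresh()

    def fresh(self):
        """Derive a new one-time pair from a random r invertible mod n."""
        while True:
            r = _RNG.randrange(2, self.n - 1)
            try:
                ri = pow(r, -1, self.n)
            except ValueError:   # gcd(r, n) != 1, astronomically unlikely
                continue
            return pow(r, self.e, self.n), ri

    def advance(self):
        """Cheap refresh of the cached pair by squaring: (r^2)^e and r^-2
        are again a matching pair. A production implementation would also
        regenerate r from scratch periodically (assumption, not shown)."""
        self.A = self.A * self.A % self.n
        self.Ai = self.Ai * self.Ai % self.n


def rsa_private_blinded(m, d, shared):
    """m^d mod n computed on a blinded input, so the private exponentiation
    never operates on the attacker-chosen m directly.
    Returns (result, which kind of blinding pair was used)."""
    n = shared.n
    if threading.get_ident() == shared.owner:
        A, Ai = shared.A, shared.Ai     # owner may use and advance the cache
        shared.advance()
        source = "shared"
    else:
        A, Ai = shared.fresh()          # other threads: local one-time pair
        source = "one-time"
    blinded = m * A % n                  # m * r^e
    s = pow(blinded, d, n)               # (m * r^e)^d = m^d * r
    return s * Ai % n, source            # strip r


def demo(m=0x1234567890ABCDEF):
    """Run one blinded private operation on the creating thread and one on
    a second thread; both must equal the unblinded m^d mod n."""
    shared = Blinding(N, E)
    results = {"main": rsa_private_blinded(m, D, shared)}
    t = threading.Thread(
        target=lambda: results.__setitem__("other", rsa_private_blinded(m, D, shared)))
    t.start()
    t.join()
    return results, pow(m, D, N)
```

Blinding hides the private exponentiation's dependence on the input, which is the timing-attack countermeasure; it does not make the surrounding multiplications constant-time, and Python integers are not constant-time in any case, so the example demonstrates the thread-ownership rule rather than a side-channel-free implementation. The check a practitioner wants is in `demo()`: the result from the non-owner thread must match the reference while reporting a one-time pair, which confirms the shared cache was never touched off its owner thread.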
16056 between bad padding and a MAC verification error. ([CVE-2003-0078])
16074 because the session->cipher setting was not restored when reloading
16082 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
16084 *Zeev Lieber <zeev-l@yahoo.com>*
16107 the bitwise-OR of the two for use by the majority of applications
16110 changing anyway, so this is more a bug-fix than a behavioural
16115 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
16132 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
16144 * [In 0.9.6g-engine release:]
16153 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
16171 * Fix cipher selection routines: ciphers without encryption had no flags
16189 implementations is desired (e.g. '-bugs' option to 's_client' and
16200 F30602-01-2-0537.
16205 supplied buffer. ([CVE-2002-0659])
16215 too small for 64 bit platforms. ([CVE-2002-0655])
16216 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
16218 * Remote buffer overflow in SSL3 protocol - an attacker could
16219 supply an oversized session ID to a client. ([CVE-2002-0656])
16223 * Remote buffer overflow in SSL2 protocol - an attacker could
16224 supply an oversized client master key. ([CVE-2002-0656])
16231 encoded as NULL) with id-dsa-with-sha1.
16240 an end-of-file condition would erroneously be flagged, when the CRLF
16243 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
16259 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
16262 processing was enabled when in fact s->s3->in_read_app_data was
16275 * Fix DH_generate_parameters() so that it works for 'non-standard'
16282 a generator of the order-q subgroup is just as good, if not
16293 returning non-zero before the data has been completely received
16294 when using non-blocking I/O.
16330 * [In 0.9.6d-engine release:]
16335 * Add the configuration target linux-s390x.
16337 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
16343 invocations of ssl3_accept when using non-blocking I/O, the
16348 To avoid this problem, we now set s->new_session to 2 instead of
16353 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
16367 type, we must throw them away by setting rr->length to 0.
16385 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
16387 Also some ip-pda OIDs in crypto/objects/objects.txt were
16397 * [In 0.9.6c-engine release:]
16402 * [In 0.9.6c-engine release:]
16410 rearranged (all '-L' options must appear before the first object
16415 * [In 0.9.6c-engine release:]
16421 * [In 0.9.6c-engine release:]
16427 * [In 0.9.6c-engine release:]
16438 messages are stored in a single piece (fixed-length part and
16439 variable-length part combined) and fix various bugs found on the way.
16460 never resets s->method to s->ctx->method when called from within
16509 * Add OpenUNIX-8 support including shared libraries
16526 * Rabin-Miller test analyses assume uniformly distributed witnesses,
16558 configuration target "alpha-cc-rpath", which will never be selected
16565 Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
16570 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
16591 dh->length and always used
16593 BN_rand_range(priv_key, dh->p).
16595 BN_rand_range() is not necessary for Diffie-Hellman, and this
16596 specific range makes Diffie-Hellman unnecessarily inefficient if
16597 dh->length (recommended exponent length) is much smaller than the
16598 length of dh->p. We could use BN_rand_range() if the order of
16600 dh->length.
16606 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
16624 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
16639 *Albert Chin-A-Young <china@thewrittenword.com>*
16641 * Add configuration option to build on Linux on both big-endian and
16642 little-endian MIPS.
16644 *Ralf Baechle <ralf@uni-koblenz.de>*
16646 * Add the possibility to create shared libraries on HP-UX.
16654 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
16657 'md' followed by enough consecutive 1-byte PRNG requests
16668 Markku-Juhani's attack. (Actually it had never occurred
16670 half from which PRNG output bytes were taken -- I had always
16713 when fixing the server behaviour for backwards-compatible 'client
16717 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
16773 * Change bctest again: '-x' expressions are not available in all
16793 If the SEQUENCE length is indefinite, just set c->slen to the total
16800 * Change bctest to avoid here-documents inside command substitution
16813 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
16815 Computations, J. Cryptology 14 (2001) 2, 101-119,
16882 due to incorrect handling of multi-threading:
16890 inband-signalling in the previous code (which relied on the
16895 * Add "-rand" option also to s_client and s_server.
16900 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
16919 to be set and top=0 forces the highest bit to be set; top=-1 is new
16924 * In the `NCONF_...`-based implementations for `CONF_...` queries
16944 is more generally accepted (no spaces before the semicolon), since
16980 * Fix 'openssl passwd -1'.
16991 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
17001 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
17008 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
17044 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
17052 releases, have been re-implemented by renaming the previous
17063 the method-specific "init()" handler. Also clean up ex_data after
17064 calling the method-specific "finish()" handler. Previously, this was
17083 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
17087 - Make note of the expected extension for the shared libraries and
17092 - Make as few rebuilds of the shared libraries as possible.
17094 - Still avoid linking the OpenSSL programs with the shared libraries.
17096 - When installing, install the shared libraries separately from the
17111 Previously, it would create entries for disabled algorithms no
17154 case we have no idea what the actual type is so we just lump them all
17160 in a record-oriented fashion. That means that every write() will
17171 Currently, it's a VMS-only method, because that's where it has
17179 but it was in 0.9.6-beta[12].)
17205 documentation and run-time libraries. The devel package contains
17214 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17337 In BIO_puts, increment b->num_write as in BIO_write.
17354 used for low-level RSA operations. DER public key
17361 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
17363 * A demo state-machine implementation was sponsored by
17439 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
17461 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
17466 In s23_clnt.c, don't use special rollback-attack detection padding
17532 * New options to smime application. -inform and -outform
17534 PEM and DER. The -content option allows the content to be
17559 - New object identifiers are inserted in objects.txt, following
17561 - objects.pl is used to process obj_mac.num and create a new
17563 - obj_dat.pl is used to create a new obj_dat.h, using the data in
17575 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
17579 * Addition of the command line parameter '-rand file' to 'openssl req'.
17596 added extra typesafe functions: these no longer exist.
17609 the default if no major problems. Similar behaviour for ASN1_SET_OF
17621 an -sgckey command line option to the rsa utility. Thanks to
17623 algorithm to openssl-dev.
17640 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
17671 * The type-safe stack code has been rejigged. It is now only compiled
17673 by default all type-specific stack functions are "#define"d back to
17675 but retains the type-safety checking possibilities of the original
17683 map type-safe stack functions onto their plain stack counterparts.
17723 for CFB and OFB modes they zero ctx->num.
17749 i.e. non-zero for export ciphersuites, zero otherwise.
17767 Added -fingerprint option to crl utility, to support new c_rehash
17772 * Eliminate non-ANSI declarations in crypto.h and stack.h.
17778 but no ssl client purpose.
17782 * Make PKCS#12 code work with no password. The PKCS#12 spec
17786 double NULL. However no password at all is different and is
17788 treats a blank password as zero length. MSIE treats it as no
17790 the same: PKCS12_parse() tries zero length and no password if
17805 thread_hash is no longer constant once set).
17809 * Bugfix for linux-elf makefile.one.
17823 that are sufficiently small and have no path information
17869 * Add '-tls1' option to 'openssl ciphers', which was already
17877 OpenSSL-based applications) load shared libraries and bind to
17889 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
17890 to '-clrext' (= clear extensions), as intended and documented.
17908 *Ulf Möller, using the problem description in krb4-0.9.7, where
17917 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
17918 returns with exit code 0 iff no command of the given name is available.
17919 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
17924 the 'no-cipher' compilation switches can be tested this way.
17926 ('openssl no-XXX' is not able to detect pseudo-commands such
17927 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
17931 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
17939 to parameters -- in previous versions (since OpenSSL 0.9.3) the
17945 * New s_client option -ign_eof: EOF at stdin is ignored, and
17947 This is part of what -quiet does; unlike -quiet, -ign_eof
17960 a purpose has no associated trust setting and it should instead
17984 * Add '-dsaparam' option to 'openssl dhparam' application. This
17991 by 'openssl dhparam -C'.
18017 * New 'rand' application for creating pseudo-random output.
18031 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
18091 or -rand.
18101 list to exclude them. This means that no special compilation option
18123 sections with information on -D... compiler switches used for
18125 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
18173 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
18177 * Add -rand argument to smime and pkcs12 applications and read/write
18204 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
18233 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
18237 * Use a less unusual form of the Miller-Rabin primality test (it used
18238 a binary algorithm for exponentiation integrated into the Miller-Rabin
18260 using 50 iterations of the Rabin-Miller test.
18263 iterations of the Rabin-Miller test as required by the appendix
18264 to FIPS PUB 186[-1]) instead of DSA_is_prime.
18270 for each positive witness in the Rabin-Miller test, not just
18275 function with an 'iteration count' of -1, meaning that a
18277 from an application-provided seed, trial division is skipped).
18282 division before starting the Rabin-Miller test and has
18285 'callback(1, -1, cb_arg)' is called when a number has passed the
18295 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
18316 * The return value of RAND_load_file() no longer counts bytes obtained
18317 by stat(). RAND_load_file(..., -1) is new and uses the complete file
18334 Rabin-Miller iterations.
18338 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
18360 cipher-strength (using the strength_bits hard coded in the tables).
18363 Fix a bug in the cipher-command parser: when supplying a cipher command
18365 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
18368 Due to the strength-sorting extension, the code of the
18370 the readability was also increased :-)
18372 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
18374 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
18417 * Do more iterations of Rabin-Miller probable prime test (specifically,
18418 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
18421 false-positive rate of at most 2^-80 for random input.
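The primality-test entries above (trial division before the Rabin-Miller rounds, round counts of 3, 6 and 12 for 1024-, 512- and 256-bit candidates) and the Diffie-Hellman entry earlier in this list (a private exponent of dh->length bits instead of BN_rand_range(priv_key, dh->p)) share the same building block, so one added example covers both. It is standalone example code written for this page, not OpenSSL's BN_is_prime or DH_generate_key implementation; the 40-round fallback for candidates below 256 bits, the toy 64-bit group, the choice g = 4 and the function names are assumptions made here.

```python
"""Added example for this page, not OpenSSL's BN_is_prime/DH code: a
Miller-Rabin probable-prime test with trial division and a round count
chosen by candidate size, a safe-prime generator built on it, and a
Diffie-Hellman exchange whose private exponents are limited to a
recommended length (the analogue of dh->length) rather than drawn
uniformly from [1, p)."""
import random

_RNG = random.SystemRandom()

# Primes below 2000, used for trial division before the costly test.
_SMALL_PRIMES = [p for p in range(2, 2000)
                 if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def mr_rounds(bits):
    """Round counts quoted in the changelog for random candidates: 3 at
    1024 bits, 6 at 512, 12 at 256. Smaller sizes use 40 rounds; that
    fallback is an assumption for the toy parameters used below."""
    if bits >= 1024:
        return 3
    if bits >= 512:
        return 6
    if bits >= 256:
        return 12
    return 40


def is_probable_prime(n, rounds=0, trial_division=True):
    """True if n survives trial division and `rounds` Miller-Rabin rounds
    (rounds=0 picks mr_rounds). trial_division=False skips the small-prime
    sweep, for candidates already known to have no small factors."""
    if n < 4:
        return n in (2, 3)
    if trial_division:
        for p in _SMALL_PRIMES:
            if n == p:
                return True
            if n % p == 0:
                return False
    elif n % 2 == 0:
        return False
    # Write n - 1 = d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    if rounds <= 0:
        rounds = mr_rounds(n.bit_length())
    for _ in range(rounds):
        a = _RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with p and q both probable primes and p exactly
    `bits` bits long (bits >= 16 assumed)."""
    while True:
        q = _RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        # Cheap filters first: p must survive trial division before we
        # pay for Miller-Rabin rounds on q.
        if any(p % r == 0 for r in _SMALL_PRIMES):
            continue
        if is_probable_prime(q) and is_probable_prime(p, trial_division=False):
            return p


def dh_keypair(p, g, exp_bits):
    """Private exponent of exactly exp_bits bits (cf. dh->length) instead
    of a uniform value in [1, p); the public value is g^priv mod p."""
    priv = _RNG.getrandbits(exp_bits) | (1 << (exp_bits - 1))
    return priv, pow(g, priv, p)


def dh_shared(p, priv, peer_pub):
    # Reject 0, 1 and p-1: they force a trivial or order-2 shared secret.
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def dh_demo(bits=64, exp_bits=32):
    """Toy exchange over a freshly generated safe prime. g = 4 is a square
    mod p, so it generates the order-q subgroup of the safe-prime group."""
    p = generate_safe_prime(bits)
    g = 4
    a_priv, a_pub = dh_keypair(p, g, exp_bits)
    b_priv, b_pub = dh_keypair(p, g, exp_bits)
    return p, dh_shared(p, a_priv, b_pub), dh_shared(p, b_priv, a_pub), a_priv.bit_length()
```

Two caveats a practitioner should keep in mind. The 3/6/12 round counts bound the error at 2^-80 only for candidates the generator itself drew at random; for a prime supplied by the other side (DH parameters received over the wire, a parameter file of unknown origin) run many more rounds or insist on a fixed well-known group, because composites crafted to pass a handful of rounds exist. The short private exponent must still be at least twice the target security level (for example 256 bits for 128-bit security), since the square-root attacks on the exponent cost about 2^(l/2) operations; the 32-bit exponent in `dh_demo` is a toy.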
18443 -nomaciter option is used. This improves file security and
18448 * Honor the no-xxx Configure options when creating .DEF files.
18454 draft PKCS#9 v2.0 but are compatible with v1.2 provided no
18485 (as in countryName) and using the mask might result in no valid
18505 $PATH. Just exploiting of the BWX extension results in 20-30%
18603 * Initial support for MacOS is now provided. Examine INSTALL.MacOS
18714 can be looked up immediately and no longer need to be "added" using
18718 Also no dynamic allocation is done unless new extensions are added:
18719 so if we don't add custom extensions there is no need to call
18735 -fingerprint and -x509toreq options. Also -x509toreq choked if a
18746 every previous version of OpenSSL and SSLeay made no checks at all.
18763 Two new options to the verify program: -untrusted allows a set of
18764 untrusted certificates to be passed in and -purpose which sets the
18781 utilities to handle the new format: note no releases ever handled public
18796 Added a -pubkey option to the 'x509' utility to output the public key.
18807 CRLs would fail if the file contained no certificates or no CRLs:
18835 openssl verify -CAfile ss.pem ss.pem
18843 but an application-provided verification callback (set by
18845 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
18847 ssl->verify_result to the appropriate error code to avoid
18856 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
18860 -S option to allow a salt to be input on the command line.
18890 the string plus current file name and line number to a per-thread
18893 Also updated memory leak detection code to be multi-thread-safe.
18897 * Add options -text and -noout to pkcs7 utility and delete the
18913 * Fix the -revoke option in ca. It was freeing up memory twice,
18938 with non-optimised assembler. Even so, this now gives around 95%
18958 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
18961 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
18977 - Assure unique random numbers after fork().
18978 - Make sure that concurrent threads access the global counter and
18992 dsaparam -genkey (which also ignored its '-rand' option),
19001 of each file listed in the '-rand' option. The function as previously
19003 that support '-rand'.
19036 verification. Also added a -purpose flag to x509 utility to
19053 * RC4 tune-up featuring 30-40% performance improvement on most RISC
19058 * New -noout option to asn1parse. This causes no output to be produced
19059 its main use is when combined with -strparse and -out to extract data
19069 * New option -dhparam in s_server. This allows a DH parameter file to be
19076 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
19078 openssl rsa -in key.pem -pubout -out pubkey.pem
19083 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
19119 working at all :-) A dedicated Windows application might handle this
19136 * Add new -verify -CAfile and -CApath options to the crl program, these
19139 no longer accesses structures directly. Make the ASN1 CRL parsing a bit
19145 * Initialize all non-automatic variables each time one of the openssl
19146 sub-programs is started (this is necessary as they may be started
19159 * Non-copying interface to BIO pairs.
19194 <madwolf@comune.modena.it>. The new option is called -extensions
19195 and can be applied to ca, req and x509. Also -reqexts to override
19196 the request extensions in req and -crlexts to override the crl extensions
19211 config file. They can be printed out with the -text option to req but
19234 library. Also added low-level modexp hooks and CRYPTO_EX structure and
19254 an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
19280 * -crlf option to s_client and s_server for sending newlines as
19287 * Install libRSAglue.a when OpenSSL is built with RSAref.
19295 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
19304 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
19307 much more efficient (160-bit exponentiation instead of 1024-bit
19323 * Allow the -k option to be used more than once in the enc program:
19338 no private key components need be present and it might store extra data
19367 just ignores this garbage); but there is no guarantee whatsoever that
19370 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
19374 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
19391 the tests. Check out INSTALL.W32 for info.
19395 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
19402 * New function RSA_check_key and new openssl rsa option -check
19432 Omitting parameters is no longer recommended. The test was also
19441 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
19450 to disable memory-checking temporarily.
19455 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
19459 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
19461 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
19483 * Fix problems with no-hmac etc.
19504 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
19524 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
19535 Whoever hopes to achieve shared-library compatibility across versions
19536 must use this, not the compile-time macro.
19539 Note: All this applies only to multi-threaded programs, others don't
19544 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
19597 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
19607 Changing the behaviour of the former might break existing programs --
19613 fails, it needs to cause bc to give a non-zero result or make test carries
19626 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
19631 * Instead of "mkdir -p", which is not fully portable, use new
19632 Perl script "util/mkdir-p.pl".
19662 * "linux-sparc64" configuration (ultrapenguin).
19665 "linux-sparc" configuration.
19667 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
19669 * config now generates no-xxx options for missing ciphers.
19678 * Support BS2000/OSD-POSIX.
19694 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
19700 * New configuration variant "sco5-gcc".
19723 * SHA library changes for irix64-mips4-cc.
19746 that does this will no longer work (and should use sk_set instead) but
19791 * New option -out to asn1parse to allow the parsed structure to be
19792 output to a file. This is most useful when combined with the -strparse
19797 * Make SSL library a little more fool-proof by not requiring any longer
19801 intended anyway -- now it really works as intended).
19809 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
19810 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
19811 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
19822 various ways (and thus what used to be known as ctx->default_cert
19823 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
19824 any longer when s->cert does not give us what we need).
19827 we have solved a couple of bugs of the earlier code where s->cert
19837 that holds per-session data (if available); currently, this is
19865 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
19866 without disallowing inline assembler and the like for non-pedantic builds.
19878 * SHA-1 cleanups and performance enhancements.
19886 * Accept any -xxx and +xxx compiler options in Configure.
19901 DER-encoded.)
19906 x509_vfy.c had what can be considered an off-by-one-error:
19934 * New Configure options "threads" and "no-threads". For systems
19944 * Install various scripts to $(OPENSSLDIR)/misc, not to
19945 $(INSTALLTOP)/bin -- they shouldn't clutter directories
19950 * "make linux-shared" to build shared libraries.
19954 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
19972 * New Configure options --prefix=DIR and --openssldir=DIR.
19983 in a comment' is no longer necessary and it doesn't use .err files which
19993 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
20011 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
20089 * Don't auto-generate pem.h.
20093 * Introduce type-safe ASN.1 SETs.
20097 * Convert various additional casted stacks to type-safe STACK_OF() variants.
20101 * Introduce type-safe STACKs. This will almost certainly break lots of code
20109 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
20111 This way one no longer has to edit the index.txt file manually for
20112 revoking a certificate. The -revoke option does the gory details now.
20116 * Fix `openssl crl -noout -text` combination where `-noout` killed the
20117 `-text` option at all and this way the `-noout -text` combination was
20129 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
20133 `openssl list-cipher-commands` is used.
20151 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
20171 * New "-showcerts" option for s_client.
20212 * Make sure the RSA OAEP test is skipped under -DRSAref because
20218 so they no longer are missing under -DNOPROTO.
20238 permission on "config" script to be executable) and a fix for the INSTALL
20248 * Make rsa_oaep_test return non-zero on error.
20253 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
20263 except NULL ciphers". This means the default cipher list will no longer
20283 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
20295 * DES quad checksum was broken on big-endian architectures. Fixed.
20325 added to make sure no one expects that this stuff really works in the
20356 pre-configured entry in Configure's %table under key `<id>` with value
20358 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
20359 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
20360 now, which overrides the FreeBSD-elf entry on-the-fly.
20368 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
20375 * Remarkably, export ciphers were totally broken and no-one had noticed!
20381 questions now is the OpenSSL core team under openssl-core@openssl.org.
20382 And add a paragraph about the dual-license situation to make sure people
20392 to speed processing and no longer clutter the display with confusing
20432 * Don't install bss_file.c under PREFIX/include/
20438 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
20449 This means that Apache-SSL and similar packages don't have to mess around
20461 * Get rid of remaining C++-style comments which strict C compilers hate.
20472 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
20474 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
20476 For the RSA certificate situation it makes no difference, but
20477 for the DSA certificate situation this fixes the "no shared cipher"
20480 no way to reconfigure them.
20484 non-public-API function ssl_cert_instantiate() is used as a helper
20489 * Move s_server -dcert and -dkey options out of the undocumented feature
20512 * Don't hard-code path to Perl interpreter on shebang line of Configure
20513 script. Instead use the usual Shell->Perl transition trick.
20517 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
20519 -noout -modulus` as it's already the case for `openssl rsa -noout
20520 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
20522 `openssl dsa -modulus` in the past) which serves a similar purpose.
20523 Additionally the NO_RSA no longer completely removes the whole -modulus
20529 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
20546 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
20547 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
20555 * Make RSA_NO_PADDING really use no padding.
20577 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
20608 *Lars Weber <3weber@informatik.uni-hamburg.de>*
20612 update to the INSTALL.W32 file with (hopefully) more accurate Win32
20661 - ported BN stuff to OpenSSL's different BN library
20662 - made the perl/ source tree CVS-aware
20663 - renamed the package from SSLeay to OpenSSL (the files still contain
20665 - removed obsolete files (the test scripts will be replaced
20673 2. remove the first part of files where I'm already sure that we no
20677 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
20685 what that's for :-) Fix to ASN1 macro which messed up
20712 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
20714 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
20720 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
20749 and add a sample to openssl.cnf so req -x509 now adds appropriate
20774 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
20779 * Spelling mistake in C version of CAST-128.
20783 * Changes to the error generation code. The perl script err-code.pl
20790 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
20795 * CAST-128 was incorrectly implemented for short keys. The C version has
20797 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
20799 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
20876 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
20878 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
20880 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
20912 * Make sure the already existing X509_STORE->depth variable is initialized
20930 are no longer created. This way we have a single and consistent command
20944 * Make the top-level INSTALL documentation easier to understand.
20948 * Makefiles updated to exit if an error occurs in a sub-directory
20963 * Enhanced the err-ins.pl script so it makes the error library number
20981 preserved but no longer messes up this directory. Now it's new room for
21000 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
21008 ncr-scde
21009 unixware-2.0
21010 unixware-2.0-pentium
21011 sco5-cc.
21024 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
21031 * Some fixups to the top-level documents.
21035 * Fixed the nasty bug where rsaref.h was not found under compile-time
21040 * Incorporated the popular no-RSA/DSA-only patches
21041 which allow to compile an RSA-free SSLeay.
21045 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
21063 * Recompiled the error-definition header files and added
21068 * Cleaned up the top-level documents;
21073 o renamed MICROSOFT to INSTALL.W32
21118 * Add -strparse option to asn1pars program which parses nested
21131 * Added "-genkey" option to "dsaparam" program.
21139 * Added -a (all) option to "ssleay version" command.
21228 <!-- Links -->
21230 [CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
21231 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
21232 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
21233 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
21234 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
21235 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
21236 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
21237 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
21238 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
21239 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
21240 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
21241 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
21242 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
21243 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
21244 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
21245 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
21246 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
21247 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
21248 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
21249 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
21250 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
21251 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
21252 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
21253 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
21254 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
21255 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
21256 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
21257 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
21258 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
21259 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
21260 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
21261 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
21262 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
21263 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
21264 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
21265 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
21266 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
21267 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
21268 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
21269 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
21270 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
21271 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
21272 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
21273 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
21274 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
21275 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
21276 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
21277 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
21278 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
21279 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
21280 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
21281 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
21282 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
21283 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
21284 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
21285 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
21286 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
21287 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
21288 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
21289 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
21290 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
21291 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
21292 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
21293 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
21294 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
21295 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
21296 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
21297 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
21298 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
21299 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
21300 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
21301 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
21302 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
21303 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
21304 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
21305 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
21306 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
21307 [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
21308 [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
21309 [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
21310 [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
21311 [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
21312 [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
21313 [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
21314 [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
21315 [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
21316 [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
21317 [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
21318 [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
21319 [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
21320 [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
21321 [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
21322 [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
21323 [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
21324 [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
21325 [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
21326 [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
21327 [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
21328 [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
21329 [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
21330 [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
21331 [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
21332 [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
21333 [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
21334 [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
21335 [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
21336 [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
21337 [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
21338 [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
21339 [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
21340 [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
21341 [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
21342 [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
21343 [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
21344 [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
21345 [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
21346 [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
21347 [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
21348 [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
21349 [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
21350 [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
21351 [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
21352 [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
21353 [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
21354 [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
21355 [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
21356 [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
21357 [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
21358 [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
21359 [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
21360 [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
21361 [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
21362 [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
21363 [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
21364 [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
21365 [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
21366 [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
21367 [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
21368 [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
21369 [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
21370 [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
21371 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
21372 [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
21373 [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
21374 [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
21375 [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
21376 [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
21377 [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
21378 [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
21379 [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
21380 [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
21381 [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
21382 [CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
21383 [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
21384 [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
21385 [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
21386 [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
21387 [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
21388 [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
21389 [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
21390 [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
21391 [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
21392 [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
21393 [CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
21394 [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
21395 [CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
21396 [CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
21397 [CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
21398 [CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
21399 [CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
21400 [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
21401 [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
21402 [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
21403 [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
21404 [CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
21405 [CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
21406 [CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
21407 [CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
21408 [CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
21409 [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
21410 [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
21411 [CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
21412 [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
21413 [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
21414 [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
21415 [CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
21416 [CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
21417 [CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
21418 [CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
21419 [CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
21420 [CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
21421 [CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
21422 [CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
21423 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
21424 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
21425 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
21426 [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
21427 [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations