Lines Matching +full:ats +full:- +full:supported
4 This is a high-level summary of the most important changes.
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
41 ([CVE-2024-6119])
48 supported client protocols buffer may cause a crash or memory contents
51 ([CVE-2024-5535])
76 ([CVE-2024-4741])
93 ([CVE-2024-4603])
105 * Fixed an issue where some non-default TLS server configurations can cause
110 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
112 anti-replay protection is in use). In this case, under certain conditions,
119 ([CVE-2024-2511])
147 ([CVE-2024-0727])
164 with the "-pubin" and "-check" options on untrusted data.
169 ([CVE-2023-6237])
174 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
187 be various - from no consequences, if the calling application does not
188 depend on the contents of non-volatile XMM registers at all, to the worst
195 ([CVE-2023-6129])
209 ([CVE-2023-5678])
217 that alter the key or IV length ([CVE-2023-5363]).
226 does not save the contents of non-volatile XMM registers on Windows 64
230 x86_64 processors supporting the AVX512-IFMA instructions.
233 be various - from no consequences, if the calling application does not
234 depend on the contents of non-volatile XMM registers at all, to the worst
241 ([CVE-2023-4807])
250 fixing CVE-2023-3446 it was discovered that a large q parameter value can
260 ([CVE-2023-3817])
279 ([CVE-2023-3446])
283 * Do not ignore empty associated data entries with AES-SIV.
285 The AES-SIV algorithm allows for authentication of multiple associated
289 The AES-SIV implementation in OpenSSL just returns success for such call
291 The empty data thus will not be authenticated. ([CVE-2023-2975])
296 applications that use empty associated data entries with AES-SIV.
306 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
309 numeric text form. For gigantic sub-identifiers, this would take a very
311 sub-identifier. ([CVE-2023-2650])
319 most 128 sub-identifiers, and that the maximum value that each sub-
320 identifier may have is 2^32-1 (4294967295 decimal).
322 For each byte of every sub-identifier, only the 7 lower bits are part of
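The two limits quoted above (at most 128 sub-identifiers, each at most 2^32-1) are enough to decode any OBJECT IDENTIFIER a certificate parser should accept without big-number arithmetic. The decoder below is an added example and is not OpenSSL's OBJ_obj2txt: it takes the DER content octets of an OID, bounds each value while it is being accumulated, and rejects oversized, non-minimal or truncated encodings after a handful of octets instead of converting a gigantic sub-identifier to text. The sample encodings are constructed for the example (the first two are the familiar sha256WithRSAEncryption and commonName OIDs).

```python
MAX_SUBIDS = 128              # sub-identifier count limit from the changelog entry
MAX_SUBID_VALUE = 2**32 - 1   # per-sub-identifier bound (4294967295)


def decode_oid(content: bytes, max_subids: int = MAX_SUBIDS,
               max_value: int = MAX_SUBID_VALUE) -> str:
    """Convert the DER content octets of an OBJECT IDENTIFIER to dotted text.

    Each sub-identifier is base-128, big-endian, with bit 7 set on every
    octet except the last.  The value is checked against max_value after
    every octet, so an absurdly long encoding is rejected early rather than
    being turned into a bignum and printed.
    """
    if not content:
        raise ValueError("empty OBJECT IDENTIFIER")
    arcs = []
    value = 0
    in_progress = False          # True while inside a multi-octet sub-identifier
    for octet in content:
        if not in_progress and octet == 0x80:
            # X.690 8.19.2: the leading octet of a sub-identifier must not be 0x80
            raise ValueError("non-minimal sub-identifier encoding (leading 0x80)")
        value = (value << 7) | (octet & 0x7F)
        if value > max_value:
            raise ValueError("sub-identifier exceeds %d" % max_value)
        in_progress = bool(octet & 0x80)
        if in_progress:
            continue
        if not arcs:
            # The first encoded sub-identifier packs the first two arcs: 40*X + Y.
            if value < 40:
                arcs += [0, value]
            elif value < 80:
                arcs += [1, value - 40]
            else:
                arcs += [2, value - 80]
        else:
            arcs.append(value)
        if len(arcs) > max_subids:
            raise ValueError("more than %d sub-identifiers" % max_subids)
        value = 0
    if in_progress:
        raise ValueError("truncated sub-identifier (continuation bit set on last octet)")
    return ".".join(str(a) for a in arcs)


def safe_decode(content: bytes):
    """Return (True, dotted_text) or (False, reason) instead of raising."""
    try:
        return True, decode_oid(content)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: two real-world OIDs, then hostile encodings.
    samples = {
        "sha256WithRSAEncryption": bytes.fromhex("2a864886f70d01010b"),
        "commonName": bytes.fromhex("550403"),
        "max sub-identifier": bytes.fromhex("2a8fffffff7f"),
        "2^32 sub-identifier": bytes.fromhex("2a9080808000"),
        "gigantic sub-identifier": b"\x2a" + b"\xff" * 200,
        "truncated": b"\x2a\x81",
    }
    for name, raw in samples.items():
        print("%-26s %s" % (name, safe_decode(raw)))
```

Feed the function the content octets only (after the 0x06 tag and length); the check on every octet is what keeps the cost proportional to the input you actually accept rather than to the value an attacker encodes.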
329 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
331 trigger a crash of an application using AES-XTS decryption if the memory
334 ([CVE-2023-1255])
338 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
340 a severe 2-3x performance regression in the typical use case
352 ([CVE-2023-0466])
361 ([CVE-2023-0465])
366 against CVE-2023-0464. The default limit is set to 1000 nodes, which
371 ([CVE-2023-0464])
386 ([CVE-2023-0401])
409 ([CVE-2023-0286])
424 security requirements imposed by standards such as FIPS 140-3.
425 ([CVE-2023-0217])
439 ([CVE-2023-0216])
443 * Fixed Use-after-free following BIO_new_NDEF.
458 then a use-after-free will occur. This will most likely result in a crash.
459 ([CVE-2023-0215])
484 ([CVE-2022-4450])
495 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
496 ([CVE-2022-4304])
508 ([CVE-2022-4203])
520 ([CVE-2022-3996])
530 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
557 ([CVE-2022-3786])
560 attacker-controlled bytes on the stack. This buffer overflow could
563 ([CVE-2022-3602])
623 ([CVE-2022-3358])
632 * Fixed the linux-mips64 Configure target which was missing the
647 * Fixed detection of ktls support in cross-compile environment on Linux
683 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
684 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
685 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
708 ([CVE-2022-2274])
712 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
720 ([CVE-2022-2097])
727 CVE-2022-1292, further bugs where the c_rehash script does not
731 When the CVE-2022-1292 was fixed it was not discovered that there
741 (CVE-2022-2068)
752 * Case insensitive string comparison is reimplemented via new locale-agnostic
767 (CVE-2022-1292)
773 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
784 verifying an ocsp response with the "-no_cert_checks" option the command line
789 ([CVE-2022-1343])
793 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
796 An attacker could exploit this issue by performing a man-in-the-middle attack
800 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
804 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
811 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
815 cannot decrypt data that has been encrypted using this ciphersuite - they can
819 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
825 1) OpenSSL must have been compiled with the (non-default) compile time option
826 enable-weak-ssl-ciphers
837 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
839 (CVE-2022-1434)
854 (CVE-2022-1473)
860 statistics are no longer supported. For compatibility, these statistics are
868 for non-prime moduli.
885 - TLS clients consuming server certificates
886 - TLS servers consuming client certificates
887 - Hosting providers taking certificates or private keys from customers
888 - Certificate authorities parsing certification requests from subscribers
889 - Anything else which parses ASN.1 elliptic curve parameters
893 ([CVE-2022-0778])
903 * Made the AES constant time code for no-asm configurations
906 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
944 ([CVE-2021-4044])
1008 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
1009 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1010 SP 800-38D". The communication will fail at this point.
1020 beginning of a PEM-formatted file.
1040 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
1051 `--libdir=lib` to override the libdir if adding the postfix is
1073 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
1078 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
1079 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1080 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
1097 * Client-initiated renegotiation is disabled by default. To allow it, use
1098 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1108 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1109 validated. Please consult the README-FIPS and
1110 README-PROVIDERS files, as well as the migration guide.
1184 supported by the OS, otherwise CriticalSection continues to be used.
1220 RIPEMD-160 have been moved to the legacy provider.
1237 * A number of functions handling low-level keys or engines were deprecated
1248 - NID_pbeWithMD2AndDES_CBC
1249 - NID_pbeWithMD5AndDES_CBC
1250 - NID_pbeWithSHA1AndRC2_CBC
1251 - NID_pbeWithMD2AndRC2_CBC
1252 - NID_pbeWithMD5AndRC2_CBC
1253 - NID_pbeWithSHA1AndDES_CBC
1276 algorithms. This is enabled by including the no-cached-fetch option
1281 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1286 * The openssl speed command does not use low-level API calls anymore.
1290 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1295 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1316 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1334 * The default key generation method for the regular 2-prime RSA keys was
1335 changed to the FIPS 186-4 B.3.6 method.
1365 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1376 * The `-cipher-commands` and `-digest-commands` options
1378 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1383 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1403 * The `-crypt` option to the `passwd` command line tool has been removed.
1407 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1432 * Added new option for 'openssl list', '-providers', which will display the
1463 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1465 TLS-based contexts. The commands can be repeated to set bounds of both
1467 "max_protocol" command-line switches, in case some application uses both TLS
1473 error. Now only the "version-flexible" SSL_CTX instances are subject to
1474 limits in configuration files and command-line options.
1493 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1494 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1512 a non-default `OSSL_LIB_CTX`.
1543 * Add CAdES-BES signature verification support, mostly derived
1548 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1552 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1625 [ATX headings]: https://github.github.com/gfm/#atx-headings
1626 [setext headings]: https://github.github.com/gfm/#setext-headings
1627 [inline links]: https://github.github.com/gfm/#inline-link
1628 [reference links]: https://github.github.com/gfm/#reference-link
1629 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1630 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1635 A new directory test-runs/ with subdirectories named like the
1642 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1649 user-defined BIOs (allowing implicit connections), persistent connections,
1651 The legacy OCSP-focused (and only partly documented) API
1656 * Added `util/check-format.pl`, a tool for checking adherence to the
1731 - Common options (such as -rand/-writerand, TLS version control, etc)
1732 were refactored and point to newly-enhanced descriptions in openssl.pod.
1733 - Added style conformance for all options (with help from Richard Levitte),
1737 - Documented some internals, such as all use of environment variables.
1738 - Addressed all internal broken L<> references.
1746 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1787 used in exponentiation with 512-bit moduli. No EC algorithms are
1788 affected. Analysis suggests that attacks against 2-prime RSA1024,
1789 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1792 have to re-use the DH512 private key, which is not recommended anyway.
1793 Also applications directly using the low-level API BN_mod_exp may be
1795 ([CVE-2019-1551])
1799 * Most memory-debug features have been deprecated, and the functionality
1800 replaced with no-ops.
1825 allow varying behavior in a supported and predictable manner.
1841 * Change the interpretation of the '--api' configuration option to
1845 the given version, now requires that 'no-deprecated' is also used
1851 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1859 -DOPENSSL_API_COMPAT=30000 For 3.0
1860 -DOPENSSL_API_COMPAT=30200 For 3.2
1863 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1874 - X509_LOOKUP_store()
1875 - X509_STORE_load_file()
1876 - X509_STORE_load_path()
1877 - X509_STORE_load_store()
1878 - SSL_add_store_cert_subjects_to_stack()
1879 - SSL_CTX_set_default_verify_store()
1880 - SSL_CTX_load_verify_file()
1881 - SSL_CTX_load_verify_dir()
1882 - SSL_CTX_load_verify_store()
1887 The presence of this system service is determined at run-time.
1896 of applications written for pre-3.0 OpenSSL easier.
1918 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1956 * Added the `-copy_extensions` option to the `x509` command for use with
1957 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1962 * Added the `-copy_extensions` option to the `req` command for use with
1963 `-x509`. When given with the `copy` or `copyall` argument,
1971 and for certs that are not self-signed there is an authorityKeyIdentifier extension
1980 (which may be done by using the CLI option `-x509_strict`):
1992 unless they are self-signed.
2002 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2018 ([CVE-2019-1547])
2032 The old behaviour can be re-enabled in the CMS code by setting the
2047 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2050 the 2-prime and 3-prime RSA moduli were easy to distinguish, since
2052 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2058 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2102 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2151 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2160 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2161 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2162 for Windows Store apps easier. Also, the "no-uplink" option has been added.
2178 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2193 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2194 mandated by IEEE Std 1619-2018.
2225 'enable-buildtest-c++'.
2259 those algorithms that were already supported through the EVP_PKEY API
2260 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
2273 * Fix a bug in the computation of the endpoint-pair shared secret used
2281 re-used X509_PUBKEY object if the second PUBKEY is malformed.
2295 - Major releases (indicated by incrementing the MAJOR release number)
2297 - Minor releases (indicated by incrementing the MINOR release number)
2299 - Patch releases (indicated by incrementing the PATCH number)
2306 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2316 * Recreate the OS390-Unix config target. It no longer relies on a
2317 special script like it did for OpenSSL pre-1.1.0.
2322 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2352 * AES-XTS mode now enforces that its two keys are different to mitigate
2366 * Added new option for 'openssl list', '-objects', which will display the
2371 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2377 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2379 applications with zero-copy system calls such as sendfile and splice.
2411 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2412 refer to other manuals describing the API specific for supported
2418 -------------
2446 again, but this time passing a non-NULL value for the "out" parameter.
2461 ([CVE-2021-3711])
2505 ([CVE-2021-3712])
2522 that non-CA certificates must not be able to issue other certificates.
2536 ([CVE-2021-3450])
2550 ([CVE-2021-3449])
2563 ([CVE-2021-23841])
2570 CVE-2021-23839.
2580 ([CVE-2021-23840])
2607 ([CVE-2020-1971])
2619 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2621 TLS-based contexts. The commands can be repeated to set bounds of both
2623 "max_protocol" command-line switches, in case some application uses both TLS
2629 error. Now only the "version-flexible" SSL_CTX instances are subject to
2630 limits in configuration files and command-line options.
2650 ([CVE-2020-1967])
2654 * Added AES consttime code for no-asm configurations
2656 when building openssl for no-asm.
2657 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2658 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2674 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2677 the 2-prime and 3-prime RSA moduli were easy to distinguish, since
2679 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
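Why keeping small factors out of p-1 leaks the prime count, as an added example that is not OpenSSL code and serves both the 3.0 and the 1.1.1 entries above: if 3 never divides p-1, every prime p is 2 (mod 3), so a 2-prime modulus is 4 = 1 (mod 3) and a 3-prime modulus is 8 = 2 (mod 3), and N mod 3 identifies the key type from the public modulus alone. The script models the old rejection rule with toy 24-bit primes and trial division; the factor range 3..17863 comes from the entries above, everything else (key sizes, sample counts, seed) is assumed for illustration.

```python
import random

SMALL_FACTOR_LIMIT = 17863   # upper end of the factor range the old code kept out of p-1


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy 24-bit primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def has_small_odd_factor(m: int, limit: int = SMALL_FACTOR_LIMIT) -> bool:
    """True if m is divisible by any odd number in 3..limit."""
    return any(m % f == 0 for f in range(3, limit + 1, 2))


def gen_prime(bits: int, rng: random.Random, avoid_small_factors: bool) -> int:
    """Random prime of exactly `bits` bits.

    With avoid_small_factors=True a candidate p is also rejected when p-1 has
    a factor in 3..17863.  This models the pre-fix BN_generate_prime_ex rule
    described in the changelog; it is not OpenSSL's code.
    """
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if not is_prime(p):
            continue
        if avoid_small_factors and has_small_odd_factor(p - 1):
            continue
        return p


def rsa_modulus(n_primes: int, bits: int, rng: random.Random,
                avoid_small_factors: bool) -> int:
    n = 1
    for _ in range(n_primes):
        n *= gen_prime(bits, rng, avoid_small_factors)
    return n


def guess_prime_count(n: int):
    """The distinguisher.  If 3 never divides p-1 then every p is 2 (mod 3),
    so a product of k such primes is 2^k (mod 3): 1 for k=2, 2 for k=3.
    Returns None for a residue the biased generator can never produce."""
    return {1: 2, 2: 3}.get(n % 3)


def distinguisher_accuracy(n_primes: int, avoid_small_factors: bool,
                           samples: int = 10, bits: int = 24, seed: int = 1) -> float:
    """Fraction of generated moduli whose prime count N mod 3 reveals."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        n = rsa_modulus(n_primes, bits, rng, avoid_small_factors)
        hits += guess_prime_count(n) == n_primes
    return hits / samples


if __name__ == "__main__":
    for avoid in (True, False):
        print("avoid factors 3..17863 in p-1:", avoid)
        for k in (2, 3):
            print("  %d-prime moduli identified by N mod 3: %.0f%%"
                  % (k, 100 * distinguisher_accuracy(k, avoid)))
```

With the biased generator the guess is right every time; with an unbiased generator N mod 3 is 1 or 2 with roughly equal frequency for either key type, so the residue carries no information. The same check (does N mod 3 ever equal 2 for keys you know are 2-prime?) is a cheap way to confirm a key generator is not applying this kind of avoidance rule.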
2723 The presence of this system service is determined at run-time.
2746 ([CVE-2019-1549])
2750 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2766 ([CVE-2019-1547])
2780 The old behaviour can be re-enabled in the CMS code by setting the
2782 ([CVE-2019-1563])
2797 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2808 ([CVE-2019-1552])
2844 'enable-buildtest-c++'.
2848 * Enable SHA3 pre-hashing for ECDSA and DSA.
2861 util/fix-doc-nits accordingly.
2882 * Prevent over long nonces in ChaCha20-Poly1305.
2884 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2905 applications that use this cipher directly and set a non-default nonce
2910 ([CVE-2019-1543])
2930 * Change the info callback signals for the start and end of a post-handshake
2951 ([CVE-2018-0734])
2962 ([CVE-2018-0735])
2981 callback can adjust the supported TLS versions in response to the contents
2990 * s390x assembly pack: add (improved) hardware-support for the following
2991 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
2992 aes-cfb/cfb8, aes-ecb.
3004 differential addition-and-doubling in homogeneous projective coordinates
3005 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3006 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
3007 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
3014 For larger primes this will result in more rounds of Miller-Rabin.
3016 to 2^-128.
3020 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3032 length-invariant. Switch even to fixed-length Montgomery multiplication.
3038 differential addition-and-doubling in mixed Lopez-Dahab projective
3047 differential addition-and-doubling algorithms.
3059 * Numerous side-channel attack mitigations have been applied. This may have
3069 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
3071 multi-version installation is managed.
3079 EC cryptosystem implementations are then safer-by-default.
3095 length does not exceed the maximum supported digest length when performing
3103 Many applications do not properly handle non-application data records, and
3162 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3216 in responder mode now supports the new "-multi" option, which
3218 requests. The "-timeout" option now also limits the OCSP
3223 as a long-running service, making the OpenSSL CA somewhat more
3224 feature-complete. In this mode, most diagnostic messages logged
3251 The default RAND method now utilizes an AES-CTR DRBG according to
3252 NIST standard SP 800-90Ar1. The new random generator is essentially
3255 using an AES-CTR bit stream and which seeds and reseeds itself
3259 - Support for multiple DRBG instances with seed chaining.
3260 - The default RAND method makes use of a DRBG.
3261 - There is a public and private DRBG instance.
3262 - The DRBG instances are fork-safe.
3263 - Keep all global DRBG instances on the secure heap if it is enabled.
3264 - The public and private DRBG instance are per thread for lock free
3300 * Add multi-prime RSA (RFC 8017) support.
3304 * Add SM3 implemented according to GB/T 32905-2016
3315 * Add SM4 implemented according to GB/T 32907-2016.
3320 * Reimplement -newreq-nodes and ERR_error_string_n; the
3354 To disable, configure with 'no-ui-console'. 'no-ui' is still
3371 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3373 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3407 * Ignore the '-named_curve auto' value for compatibility of applications
3413 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3431 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3440 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3458 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3462 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3479 default unless the new "-noservername" option is used. The server name is
3480 based on the host provided to the "-connect" option unless overridden by
3481 using "-servername".
3498 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3510 * The RSA "null" method, which was partially supported to avoid patent
3516 -------------
3520 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3536 ([CVE-2019-1547])
3550 The old behaviour can be re-enabled in the CMS code by setting the
3552 ([CVE-2019-1563])
3560 ([CVE-2019-1552])
3573 * Prevent over long nonces in ChaCha20-Poly1305.
3575 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3596 applications that use this cipher directly and set a non-default nonce
3601 ([CVE-2019-1543])
3613 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3636 ([CVE-2018-0734])
3647 ([CVE-2018-0735])
3668 ([CVE-2018-0732])
3681 ([CVE-2018-0737])
3692 length-invariant. Switch even to fixed-length Montgomery multiplication.
3698 For larger primes this will result in more rounds of Miller-Rabin.
3700 to 2^-128.
3704 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3731 some characters, such as form-feed, were incorrectly treated as whitespace
3737 and use the "-binary" flag (for the "cms" command line application) or set
3752 This issue was reported to OpenSSL on 4th January 2018 by the OSS-Fuzz
3754 ([CVE-2018-0739])
3758 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3760 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3765 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3769 ([CVE-2018-0733])
3785 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3794 * Removed the OS390-Unix config target. It relied on a script that doesn't
3802 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3810 no longer an option since CVE-2016-0701.
3816 was originally found via the OSS-Fuzz project.
3817 ([CVE-2017-3738])
3840 This issue was reported to OpenSSL by the OSS-Fuzz project.
3841 ([CVE-2017-3736])
3848 OpenSSL could do a one-byte buffer overread. The most likely result
3851 This issue was reported to OpenSSL by the OSS-Fuzz project.
3852 ([CVE-2017-3735])
3858 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3863 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3871 * Encrypt-Then-Mac renegotiation crash
3873 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3874 negotiated where it was not in the original handshake (or vice-versa) then
3879 ([CVE-2017-3733])
3887 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3889 perform an out-of-bounds read, usually resulting in a crash.
3892 ([CVE-2017-3731])
3904 ([CVE-2017-3730])
3922 similar to CVE-2015-3193 but must be treated as a separate problem.
3924 This issue was reported to OpenSSL by the OSS-Fuzz project.
3925 ([CVE-2017-3732])
3931 * ChaCha20/Poly1305 heap-buffer-overflow
3933 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3938 ([CVE-2016-7054])
3952 ([CVE-2016-7053])
3958 There is a carry propagating bug in the Broadwell-specific Montgomery
3965 erroneous outcome of public-key operations with specially crafted input.
3966 Among EC algorithms only Brainpool P-512 curves are affected and one
3968 detail, because pre-requisites for attack are considered unlikely. Namely
3976 ([CVE-2016-7055])
3989 The patch applied to address CVE-2016-6307 resulted in an issue where if a
3999 ([CVE-2016-6309])
4013 the "no-ocsp" build time option are not affected.
4016 ([CVE-2016-6304])
4027 ([CVE-2016-6305])
4065 memory - which would then mean a more serious Denial of Service.
4068 (CVE-2016-6307 and CVE-2016-6308)
4072 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
4074 assemble our modules with the -KPIC flag. As a result, the assembly
4076 lack of side-channel resistant code, which is incompatible with
4084 * Windows command-line tool supports UTF-8 opt-in option for arguments
4087 with Windows CryptoAPI and protected with non-ASCII password, as well
4088 as files generated under UTF-8 locale on Linux also protected with
4089 non-ASCII password.
4093 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
4095 See the RC4 item below to re-enable both.
4115 no-ops and deprecated.
4120 calling CryptGenRandom(). Various other RAND-related tickets
4169 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4175 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4188 the "no-shared" Configure option.
4192 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4198 * Make various cleanup routines no-ops and mark them as deprecated. Most
4200 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4201 Explicitly de-initing can cause problems (e.g. where a library that uses
4202 OpenSSL de-inits, but an application is still using it). The affected
4210 * --strict-warnings no longer enables runtime debugging options
4212 enabled with '--debug' builds.
4240 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4253 * Removed the aged BC-32 config and all its supporting scripts
4271 encryptions/decryptions simultaneously. There are currently no built-in
4281 AES128-CBC. The kernel must be version 4.1.0 or greater.
4286 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4287 are two supported threading models: pthreads and windows threads. It is
4288 also possible to configure OpenSSL at compile time for "no-threads". The
4290 replaced with "no-op" compatibility macros.
4299 * Add SSL_CIPHER queries for authentication and key-exchange.
4304 - Prefer (EC)DHE handshakes over plain RSA.
4305 - Prefer AEAD ciphers over legacy ciphers.
4306 - Prefer ECDSA over RSA when both certificates are available.
4307 - Prefer TLSv1.2 ciphers/PRF.
4308 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4319 disabled by default. They can be re-enabled using the
4320 enable-weak-ssl-ciphers option to Configure.
4334 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4337 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4344 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4364 the configuration option "disable-dynamic-engine".
4369 with "disable-dso" or "disable-pic".
4384 If this isn't desirable, the configuration options "disable-pic"
4385 or "no-pic" can be used to disable the use of PIC. This will
4396 is for. Also, the configuration option --install_prefix is
4402 for DTLS; configure with enable-heartbeats. Code that uses the
4423 template in Configurations, like unix-Makefile.tmpl or
4436 * Added support for auto-initialisation and de-initialisation of the library.
4458 the leading 0-byte.
4470 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4477 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4510 --prefix and --openssldir change their semantics, and become more
4513 --prefix shall be used exclusively to give the location INSTALLTOP
4517 --openssldir shall be used exclusively to give the default
4522 values of both the --prefix value and the --openssldir value will
4524 The default for --openssldir is INSTALLTOP/ssl.
4526 Anyone who uses --openssldir to specify where OpenSSL is to be
4527 installed MUST change to use --prefix instead.
4539 * EGD is no longer supported by default; use enable-egd when
4563 example, be used to implement local end-entity certificate or
4564 trust-anchor "pinning", where the "pin" data takes the form
4573 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4579 should be used with the --api=1.1.0 option to entirely remove
4582 Essentially the same effect can be achieved with the "no-deprecated"
4588 they should update their compile-time OPENSSL_API_COMPAT define
4600 * Add support for setting the minimum and maximum supported protocol.
4626 ciphers that are no longer supported and drops support for the ephemeral RSA key
4654 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4666 exclude it using the list of supported ciphers. This also means that the
4667 "-no_ecdhe" option has been removed from s_server.
4693 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4728 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4746 * Fix no-stdio build.
4765 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4819 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4837 code and the associated standard is no longer considered fit-for-purpose.
4864 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4877 Access to deprecated functions can be re-enabled by running config with
4878 "enable-deprecated". In addition applications wishing to use deprecated
4887 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4888 for OCB can be removed by calling config with no-ocb.
4898 done while fixing the error code for the key-too-small case.
4900 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4921 16-bit platforms such as WIN16
4926 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4927 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4928 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4929 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4930 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4931 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4935 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4946 NULL. Remove the non-null checks from callers. Save much code.
4966 * Harmonize version and its documentation. -f flag is used to display
4986 preparing the fix ([CVE-2014-0160])
4991 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
4996 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
5005 * Experimental encrypt-then-mac support.
5008 draft-gutmann-tls-encrypt-then-mac-02.txt
5011 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
5013 For non-compliant peers (i.e. just about everything) this should have no
5027 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5067 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
5079 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
5091 FIPS 186-3 A.2.3.
5093 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
5119 information in FIPS186-3, SP800-57 and SP800-131A.
5155 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5159 * Extensive self tests and health checking required by SP800-90 DRBG.
5161 instantiate at maximum supported strength.
5174 leading zeroes if needed: this complies with SP800-56A et al.
5178 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5196 * Add selftest checks and algorithm block of non-fips algorithms in
5207 * New build option no-ec2m to disable characteristic 2 code.
5222 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5248 * Improve forward-security support: add functions
5269 * New -verify_name option in command line utilities to set verification
5279 * Experimental renegotiation in s_server -www mode. If the client
5287 multi-process servers.
5306 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5313 -------------
5317 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5333 ([CVE-2019-1547])
5347 The old behaviour can be re-enabled in the CMS code by setting the
5349 ([CVE-2019-1563])
5356 binaries and run-time config file.
5357 ([CVE-2019-1552])
5370 * Add FIPS support for Android Arm 64-bit
5372 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5374 'android64-aarch64' was missing in OpenSSL 1.0.2, whence it could not be
5375 built with FIPS support on Android Arm 64-bit. This omission has been
5382 * 0-byte record padding oracle
5392 In order for this to be exploitable "non-stitched" ciphersuites must be in
5401 ([CVE-2019-1559])
5421 ([CVE-2018-5407])
5432 ([CVE-2018-0734])
5453 ([CVE-2018-0732])
5466 ([CVE-2018-0737])
5477 length-invariant. Switch even to fixed-length Montgomery multiplication.
5483 For larger primes this will result in more rounds of Miller-Rabin.
5485 to 2^-128.
5489 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
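The two entries above tie a Miller-Rabin round count to an error bound (64 rounds for DSA, a target of 2^-128). The following is an added illustration, not OpenSSL's BN_is_prime_ex(): it implements the test with a configurable round count and derives the round count from the generic worst-case bound, under which a single random-base round lets a composite survive with probability at most 1/4, so t rounds give at most 4^-t. OpenSSL's real round table is based on FIPS 186-4 and is tighter for randomly chosen candidates; the test vectors below (2047 = 23*89, 3215031751 = 151*751*28351) are well-known strong pseudoprimes chosen to show why fixed bases are not enough.

```python
"""Miller-Rabin with an explicit round count and the round/error relationship.

Added example, not OpenSSL code. Only the generic bound (<= 1/4 per random-base
round for any odd composite) is used here; OpenSSL's own table derived from
FIPS 186-4 needs fewer rounds for random candidates of a given size.
"""
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def mr_round(n, a):
    """One Miller-Rabin round on odd n > 2 with witness base a.

    Returns True when base a does NOT prove n composite ("probably prime").
    A composite n for which this returns True is a strong pseudoprime to base a.
    """
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2**s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):     # square up to s-1 times looking for -1
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False               # a is a witness: n is definitely composite


def miller_rabin(n, rounds, rng=random.SystemRandom()):
    """Trial division by small primes, then `rounds` random-base MR rounds.

    For any odd composite n the probability of surviving every round with
    uniformly random bases is at most 4**-rounds; 64 rounds give <= 2**-128.
    """
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p      # n is either that small prime or composite
    for _ in range(rounds):
        if not mr_round(n, rng.randrange(2, n - 1)):
            return False
    return True


def rounds_for_security(bits):
    """Smallest t with 4**-t <= 2**-bits under the generic 1/4 bound: ceil(bits/2).

    rounds_for_security(128) == 64, matching the DSA round count above.
    """
    return -(-bits // 2)
```

The fixed-base checks in the test are the point of the exercise: 2047 passes base 2 and 3215031751 passes bases 2, 3, 5 and 7, yet both are composite, which is why the round count (and random bases) matters rather than any particular base.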
5519 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5521 ([CVE-2018-0739])
5546 ([CVE-2017-3737])
5553 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5561 no longer an option since CVE-2016-0701.
5567 was originally found via the OSS-Fuzz project.
5568 ([CVE-2017-3738])
5591 This issue was reported to OpenSSL by the OSS-Fuzz project.
5592 ([CVE-2017-3736])
5599 OpenSSL could do a one-byte buffer overread. The most likely result
5602 This issue was reported to OpenSSL by the OSS-Fuzz project.
5608 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5617 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5619 perform an out-of-bounds read, usually resulting in a crash.
5622 ([CVE-2017-3731])
5640 similar to CVE-2015-3193 but must be treated as a separate problem.
5642 This issue was reported to OpenSSL by the OSS-Fuzz project.
5643 ([CVE-2017-3732])
5649 There is a carry propagating bug in the Broadwell-specific Montgomery
5656 erroneous outcome of public-key operations with specially crafted input.
5657 Among EC algorithms only Brainpool P-512 curves are affected and one
5659 detail, because pre-requisites for attack are considered unlikely. Namely
5667 ([CVE-2016-7055])
5687 ([CVE-2016-7052])
5701 the "no-ocsp" build time option are not affected.
5704 ([CVE-2016-6304])
5713 ([CVE-2016-2183])
5729 ([CVE-2016-6303])
5743 ([CVE-2016-6302])
5756 ([CVE-2016-2182])
5768 ([CVE-2016-2180])
5794 ([CVE-2016-2177])
5802 implementation means that a non-constant time codepath is followed for
5803 certain operations. This has been demonstrated through a cache-timing
5809 ([CVE-2016-2178])
5815 In a DTLS connection where handshake messages are delivered out-of-order
5827 ([CVE-2016-2179])
5842 ([CVE-2016-2181])
5858 ([CVE-2016-6306])
5864 * Prevent padding oracle in AES-NI CBC MAC check
5868 AES-NI.
5871 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5877 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5896 ([CVE-2016-2105])
5920 ([CVE-2016-2106])
5936 ([CVE-2016-2109])
5947 ([CVE-2016-2176])
5961 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
5969 Builds that are not configured with "enable-weak-ssl-ciphers" will not
5975 is by default disabled at build-time. Builds that are not configured with
5976 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
5977 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
5985 explicitly uses the version-specific SSLv2_method() or its client and
5987 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
5988 ciphers, and SSLv2 56-bit DES are no longer available.
5989 ([CVE-2016-0800])
5993 * Fix a double-free in DSA code
6002 ([CVE-2016-0705])
6022 ([CVE-2016-0798])
6047 ([CVE-2016-0797])
6068 functions when printing out human-readable dumps of ASN.1 data. Therefore
6079 ([CVE-2016-0799])
6085 A side-channel attack was found which makes use of cache-bank conflicts on
6086 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6089 hyper-threaded core as the victim thread which is performing decryptions.
6095 ([CVE-2016-0702])
6099 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6136 ([CVE-2016-0701])
6149 ([CVE-2015-3197])
6171 ([CVE-2015-3193])
6187 ([CVE-2015-3194])
6200 ([CVE-2015-3195])
6253 This issue was reported to OpenSSL by Joseph Barr-Pixton.
6254 ([CVE-2015-1788])
6258 * Exploitable out-of-bounds read in X509_cmp_time
6274 ([CVE-2015-1789])
6281 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6289 ([CVE-2015-1790])
6300 ([CVE-2015-1792])
6306 If a NewSessionTicket is received by a multi-threaded client when attempting to
6309 ([CVE-2015-1791])
6313 * Only support 256-bit or stronger elliptic curves with the
6314 'ecdh_auto' setting (server) or by default (client). Of supported
6315 curves, prefer P-256 (both).
6329 ([CVE-2015-0291])
6339 using non-blocking IO. Typically, when the user application is using a
6345 ([CVE-2015-0290])
6362 ([CVE-2015-0207])
6374 ([CVE-2015-0286])
6389 ([CVE-2015-0208])
6403 ([CVE-2015-0287])
6410 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6418 ([CVE-2015-0289])
6426 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6430 ([CVE-2015-0293])
6439 ([CVE-2015-1787])
6447 - The client is on a platform where the PRNG has not been seeded
6449 - A protocol specific client method version has been used (i.e. not
6451 - A ciphersuite is used that does not require additional random data from
6452 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6461 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6462 ([CVE-2015-0285])
6477 ([CVE-2015-0209])
6487 ([CVE-2015-0288])
6502 near-optimal performance even on newer platforms.
6506 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6518 bogus results, with non-infinity inputs mapped to infinity too.)
6529 * Add support for little-endian ppc64 Linux target.
6536 Both 32- and 64-bit modes are supported.
6557 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6597 * Add -rev test option to s_server to just reverse order of characters
6603 * New option -brief for s_client and s_server to print out a brief summary
6612 * New option -crl_download in several openssl utilities to download CRLs
6617 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6653 "enable-ssl-trace". New options to s_client and s_server to enable
6658 * New ctrl and macro to retrieve supported points extensions.
6725 supported signature algorithms.
6729 * Support for distinct client and server supported signature algorithms.
6736 supported signature algorithms. Add very simple example to s_server.
6750 certificate signature algorithms contained in the supported algorithms
6763 * Add new functions to allow customised supported signature algorithms
6795 * Initial experimental support for explicitly trusted non-root CAs.
6798 setting is used: whether to trust (e.g., -addtrust option to the x509
6803 * Add -trusted_first option which attempts to find certificates in the
6813 * Support for linux-x32, ILP32 environment in x86_64 framework.
6817 * Experimental multi-implementation support for FIPS capable OpenSSL.
6852 to set list of supported curves.
6856 * New ctrls to retrieve supported signature algorithms and
6857 supported curve values as an array of NIDs. Extend openssl utility
6863 between NIDs and the more common NIST names such as "P-256". Enhance
6883 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6885 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6890 -------------
6902 the "no-ocsp" build time option are not affected.
6905 ([CVE-2016-6304])
6914 ([CVE-2016-2183])
6930 ([CVE-2016-6303])
6944 ([CVE-2016-6302])
6957 ([CVE-2016-2182])
6969 ([CVE-2016-2180])
6995 ([CVE-2016-2177])
7003 implementation means that a non-constant time codepath is followed for
7004 certain operations. This has been demonstrated through a cache-timing
7010 ([CVE-2016-2178])
7016 In a DTLS connection where handshake messages are delivered out-of-order
7028 ([CVE-2016-2179])
7043 ([CVE-2016-2181])
7059 ([CVE-2016-6306])
7065 * Prevent padding oracle in AES-NI CBC MAC check
7069 AES-NI.
7072 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7078 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7079 ([CVE-2016-2107])
7098 ([CVE-2016-2105])
7122 ([CVE-2016-2106])
7138 ([CVE-2016-2109])
7149 ([CVE-2016-2176])
7163 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7171 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7177 is by default disabled at build-time. Builds that are not configured with
7178 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7179 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7187 explicitly uses the version-specific SSLv2_method() or its client and
7189 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7190 ciphers, and SSLv2 56-bit DES are no longer available.
7191 ([CVE-2016-0800])
7195 * Fix a double-free in DSA code
7204 ([CVE-2016-0705])
7224 ([CVE-2016-0798])
7249 ([CVE-2016-0797])
7270 functions when printing out human-readable dumps of ASN.1 data. Therefore
7281 ([CVE-2016-0799])
7287 A side-channel attack was found which makes use of cache-bank conflicts on
7288 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7291 hyper-threaded core as the victim thread which is performing decryptions.
7297 ([CVE-2016-0702])
7301 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7327 ([CVE-2015-3197])
7349 ([CVE-2015-3194])
7362 ([CVE-2015-3195])
7391 ([CVE-2015-1793])
7397 If PSK identity hints are received by a multi-threaded client then
7401 ([CVE-2015-3196])
7424 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7425 ([CVE-2015-1788])
7429 * Exploitable out-of-bounds read in X509_cmp_time
7445 ([CVE-2015-1789])
7452 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7460 ([CVE-2015-1790])
7471 ([CVE-2015-1792])
7477 If a NewSessionTicket is received by a multi-threaded client when attempting to
7480 ([CVE-2015-1791])
7488 * dhparam: generate 2048-bit parameters by default.
7502 ([CVE-2015-0286])
7516 ([CVE-2015-0287])
7523 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7531 ([CVE-2015-0289])
7539 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7543 ([CVE-2015-0293])
7558 ([CVE-2015-0209])
7568 ([CVE-2015-0288])
7588 ([CVE-2014-3571])
7598 ([CVE-2015-0206])
7602 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7603 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7606 ([CVE-2014-3569])
7615 ([CVE-2014-3572])
7619 * Remove non-export ephemeral RSA code on client and server. This code
7621 non-export ciphersuites and could be used by a server to effectively
7625 ([CVE-2015-0204])
7637 ([CVE-2015-0205])
7651 By using non-DER or invalid encodings outside the signed portion of a
7672 Re-encode DSA/ECDSA signatures and compare with the original received
7683 ([CVE-2014-8275])
7695 ([CVE-2014-3570])
7712 * Tighten client-side session ticket handling during renegotiation:
7737 ([CVE-2014-3513])
7749 ([CVE-2014-3567])
7753 * Build option no-ssl3 is incomplete.
7755 When OpenSSL is configured with "no-ssl3" as a build option, servers
7758 ([CVE-2014-3568])
7765 ([CVE-2014-3566])
7771 Re-encode DigestInfo in DER and check against the original when
7787 ([CVE-2014-3512])
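Both the DSA/ECDSA signature fix ([CVE-2014-8275], above) and the DigestInfo check use the same defensive pattern: parse the received structure, re-encode it as canonical DER, and reject the input unless the result is byte-for-byte identical. The block below is an added example, not OpenSSL's ASN.1 code: a deliberately lenient BER reader for a PKCS#1 v1.5 DigestInfo (SEQUENCE { AlgorithmIdentifier, OCTET STRING }) paired with the re-encode-and-compare check, run against a constructed SHA-256 DigestInfo and two alternative encodings of the same content (a long-form length and trailing bytes inside AlgorithmIdentifier). The digest value is a constructed placeholder, not a real hash.

```python
"""Strict DER by re-encoding: parse a PKCS#1 v1.5 DigestInfo leniently, then
require that its canonical DER re-encoding equals the bytes received.

Added example, not OpenSSL code. SHA-256 OID 2.16.840.1.101.3.4.2.1 is real;
DIGEST is a constructed placeholder value.
"""

SHA256_OID = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1


def der_len(n):
    """Minimal (DER) length encoding."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Lenient TLV reader: accepts any definite-length BER form, including
    non-minimal long-form lengths, and ignores whatever follows the value."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def parse_digest_info(blob):
    """Lenient parse -> (oid_bytes, has_null_params, digest).
    This is the kind of parser that accepts alternative encodings."""
    tag, seq, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("DigestInfo must be a SEQUENCE")
    tag, algid, p = read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, q = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OID")
    has_null = False
    if q < len(algid):
        tag, params, q = read_tlv(algid, q)
        if tag != 0x05 or params:
            raise ValueError("only NULL parameters supported")
        has_null = True
    # Note: bytes left in algid after the parameters are silently ignored here.
    tag, digest, _ = read_tlv(seq, p)
    if tag != 0x04:
        raise ValueError("digest must be an OCTET STRING")
    return oid, has_null, digest


def encode_digest_info(oid, has_null, digest):
    """Canonical DER encoding of the parsed content."""
    params = der_tlv(0x05, b"") if has_null else b""
    algid = der_tlv(0x30, der_tlv(0x06, oid) + params)
    return der_tlv(0x30, algid + der_tlv(0x04, digest))


def check_digest_info(blob):
    """Parse, re-encode, and demand byte-for-byte equality with the input.
    Returns the digest, or raises ValueError for any non-canonical encoding."""
    oid, has_null, digest = parse_digest_info(blob)
    if encode_digest_info(oid, has_null, digest) != blob:
        raise ValueError("non-canonical DigestInfo encoding rejected")
    return digest


def rejects(blob):
    try:
        check_digest_info(blob)
    except ValueError:
        return True
    return False


# Constructed inputs: one canonical encoding and two BER-legal alternatives
# that carry the same logical content.
DIGEST = bytes(range(32))                                    # placeholder, not a real hash
GOOD = encode_digest_info(SHA256_OID, True, DIGEST)
LONG_FORM = b"\x30\x81" + bytes([len(GOOD) - 2]) + GOOD[2:]  # long-form outer length
STUFFED = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, SHA256_OID) + der_tlv(0x05, b"") + b"\x00\x00")
                  + der_tlv(0x04, DIGEST))                   # trailing bytes inside AlgorithmIdentifier
```

The lenient parser returns the same digest for all three inputs, which is exactly the malleability a signature verifier must not tolerate; the re-encode comparison rejects the two non-canonical forms without needing a rule for each individual BER variant.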
7793 is badly fragmented. This allows a man-in-the-middle attacker to force a
7799 ([CVE-2014-3511])
7810 ([CVE-2014-3510])
7817 ([CVE-2014-3507])
7825 ([CVE-2014-3506])
7832 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7834 ([CVE-2014-3505])
7844 ([CVE-2014-3509])
7855 ([CVE-2014-5139])
7865 ([CVE-2014-3508])
7871 bogus results, with non-infinity inputs mapped to infinity too.)
7882 researching this issue. ([CVE-2014-0224])
7890 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7891 ([CVE-2014-0221])
7900 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7908 this issue. ([CVE-2014-3470])
7912 * Harmonize version and its documentation. -f flag is used to display
7934 preparing the fix ([CVE-2014-0160])
7939 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7944 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7948 * TLS pad extension: draft-agl-tls-padding-03
7962 ([CVE-2013-4353])
7966 to be resent. ([CVE-2013-6450])
7971 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
7973 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
7981 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7998 ([CVE-2013-0169])
8007 ([CVE-2012-2686])
8012 This fixes a DoS attack. ([CVE-2013-0166])
8041 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8043 ([CVE-2012-2333])
8090 ([CVE-2012-2110])
8094 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
8106 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8142 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8146 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8154 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
8155 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
8156 - x86_64: bit-sliced AES implementation;
8157 - ARM: NEON support, contemporary platforms optimizations;
8158 - s390x: z196 support;
8159 - `*`: GHASH and GF(2^m) multiplication implementations;
8163 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8172 * Add DTLS-SRTP negotiation from RFC 5764.
8177 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8178 disabled with a no-npn flag to config or Configure. Code donated
8183 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8184 NIST-P256, NIST-P521, with constant-time single point multiplication on
8186 required to use this (present in gcc 4.4 and later, for 64-bit builds).
8189 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8209 * New -sigopt option to the ca, req and x509 utilities. Additional
8222 New function ASN1_item_sign_ctx() signs a pre-initialised
8261 * Session-handling fixes:
8262 - Fix handling of connections that are resuming with a session ID,
8264 - Fix a bug that suppressed issuing of a new ticket if the client
8266 - Try to set the ticket lifetime hint to something reasonable.
8267 - Make tickets shorter by excluding irrelevant information.
8268 - On the client side, don't ignore renewed tickets.
8276 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8284 portions. This adds all GCM ciphersuites supported by RFC5288 and
8304 switch between FIPS and non-FIPS modes.
8310 keep original code iff non-FIPS operations are allowed.
8314 * Add -attime option to openssl utilities.
8327 * New build option no-ec2m to disable characteristic 2 code.
8331 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8341 * Add similar low-level API blocking to ciphers.
8345 * low-level digest APIs are not approved in FIPS mode: any attempt
8364 * Output TLS supported curves in preference order instead of numerical
8374 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8433 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8443 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8457 -------------
8470 ([CVE-2015-3195])
8476 If PSK identity hints are received by a multi-threaded client then
8480 ([CVE-2015-3196])
8497 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8498 ([CVE-2015-1788])
8502 * Exploitable out-of-bounds read in X509_cmp_time
8518 ([CVE-2015-1789])
8525 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8533 ([CVE-2015-1790])
8544 ([CVE-2015-1792])
8550 If a NewSessionTicket is received by a multi-threaded client when attempting to
8553 ([CVE-2015-1791])
8567 ([CVE-2015-0286])
8581 ([CVE-2015-0287])
8588 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8596 ([CVE-2015-0289])
8604 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8608 ([CVE-2015-0293])
8623 ([CVE-2015-0209])
8633 ([CVE-2015-0288])
8653 ([CVE-2014-3571])
8663 ([CVE-2015-0206])
8667 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8668 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8671 ([CVE-2014-3569])
8680 ([CVE-2014-3572])
8684 * Remove non-export ephemeral RSA code on client and server. This code
8686 non-export ciphersuites and could be used by a server to effectively
8690 ([CVE-2015-0204])
8702 ([CVE-2015-0205])
8714 ([CVE-2014-3570])
8720 By using non-DER or invalid encodings outside the signed portion of a
8752 ([CVE-2014-8275])
8766 ([CVE-2014-3567])
8770 * Build option no-ssl3 is incomplete.
8772 When OpenSSL is configured with "no-ssl3" as a build option, servers
8775 ([CVE-2014-3568])
8782 ([CVE-2014-3566])
8805 ([CVE-2014-3510])
8812 ([CVE-2014-3507])
8820 ([CVE-2014-3506])
8827 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8829 ([CVE-2014-3505])
8839 ([CVE-2014-3509])
8849 ([CVE-2014-3508])
8855 bogus results, with non-infinity inputs mapped to infinity too.)
8866 researching this issue. ([CVE-2014-0224])
8874 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8875 ([CVE-2014-0221])
8884 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8892 this issue. ([CVE-2014-3470])
8896 * Harmonize version and its documentation. -f flag is used to display
8911 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8916 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8924 to be resent. ([CVE-2013-6450])
8929 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8931 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8949 ([CVE-2013-0169])
8954 This fixes a DoS attack. ([CVE-2013-0166])
8978 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8980 ([CVE-2012-2333])
8997 ([CVE-2012-2110])
9007 old behaviour can be re-enabled in the CMS code by setting the
9011 this issue. ([CVE-2012-0884])
9015 * Fix CVE-2011-4619: make sure we really are receiving a
9023 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
9026 preparing a fix. ([CVE-2012-0050])
9042 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
9043 for preparing the fix. ([CVE-2011-4108])
9048 ([CVE-2011-4576])
9054 Adam Langley for preparing the fix. ([CVE-2011-4619])
9058 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
9064 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
9072 * Fix ssl_ciph.c set-up race.
9096 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
9103 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9108 for multi-threaded use of ECDH. ([CVE-2011-3210])
9130 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9144 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9148 * Fixed J-PAKE implementation error, originally discovered by
9150 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9158 be shared by multiple threads. CVE-2010-3864
9170 ([CVE-2010-1633])
9172 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9186 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9241 *Michael Tuexen <tuexen@fh-muenster.de>*
9280 openssl dgst -sha256 foo
9313 * Add session ticket override functionality for use by EAP-FAST.
9322 * Type-checked OBJ_bsearch_ex.
9326 * Type-checked OBJ_bsearch. Also some constification necessitated
9327 by type-checking. Still to come: TXT_DB, bsearch(?),
9368 * Initial indirect CRL support. Currently only supported in the CRLs
9400 and URI types are currently supported.
9406 * To cater for systems that provide a pointer-based thread ID rather
9413 as a pointer-based thread ID to distinguish between threads.
9426 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9448 * Revamp of STACK to provide stronger type-checking. Still to come:
9459 * Revamp of LHASH to provide stronger type-checking. Still to come:
9478 files from Configure script, currently only included in VC-WIN32.
9499 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9505 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9516 an internal copy of the length-'len' string at 'src', and will
9517 return non-zero for success.
9535 has to return non-zero to report success: usually 1 to use opaque
9564 supported.
9595 * Add option -stream to use PKCS#7 streaming in smime utility. New
9604 ENGINE support for HMAC keys which are unextractable. New -mac and
9605 -macopt options to dgst utility.
9609 * New option -sigopt to dgst utility. Update dgst to use
9618 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9626 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9654 away into the non-exported interface ssl/ssl_locl.h, so this
9672 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9683 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9706 -verify_return_error to s_client and s_server. This causes real errors
9749 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9775 list-message-digest-algorithms and list-cipher-algorithms.
9780 of degrees of non-zero coefficients is now terminated with -1.
9806 kECDHr - ECDH cert, signed with RSA
9807 kECDHe - ECDH cert, signed with ECDSA
9808 kECDH - ECDH cert (signed with either RSA or ECDSA)
9809 kEECDH - ephemeral ECDH
9810 ECDH - ECDH cert or ephemeral ECDH
9812 aECDH - ECDH cert
9813 aECDSA - ECDSA cert
9814 ECDSA - ECDSA cert
9816 AECDH - anonymous ECDH
9817 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
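The keyword table above describes how OpenSSL cipher-string aliases compose, including the stated equivalence of "EECDH" and "kEECDH:-AECDH". The following is an added example, not OpenSSL or CPython project code: it uses Python's ssl module, which hands the string to OpenSSL's SSL_CTX_set_cipher_list() and exposes the selected list via SSLContext.get_ciphers(), to check that two cipher strings select the same suites, that a selection is entirely ephemeral-ECDH, and that it contains no anonymous (unauthenticated) suites. It assumes the interpreter's ssl module is linked against OpenSSL; TLS 1.3 suites are configured separately in OpenSSL and are filtered out.

```python
"""Check OpenSSL cipher-string keyword semantics through Python's ssl module.

Added example (not OpenSSL's own code). The 'description' field is the
SSL_CIPHER_description() line, e.g. "... Kx=ECDH  Au=RSA ..."; anonymous
suites show "Au=None". Assumes the ssl module is built against OpenSSL.
"""
import ssl


def _selected(spec):
    """Apply cipher string `spec` and return the selected TLS <= 1.2 entries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                       # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_names(spec):
    """Names of the TLS <= 1.2 suites selected by `spec`, in OpenSSL's order."""
    return [c["name"] for c in _selected(spec)]


def equivalent(spec_a, spec_b):
    """True when both cipher strings select the same set of suites.
    Order is ignored here, although OpenSSL does preserve it as preference."""
    return set(cipher_names(spec_a)) == set(cipher_names(spec_b))


def all_ephemeral_ecdh(spec):
    """True if every selected suite uses ephemeral ECDH key exchange."""
    entries = _selected(spec)
    return bool(entries) and all("Kx=ECDH" in c["description"] for c in entries)


def has_anonymous(spec):
    """True if any selected suite offers no peer authentication (Au=None),
    i.e. an AECDH-style suite that gives no protection against an active attacker."""
    return any("Au=None" in c["description"] for c in _selected(spec))
```

Using the table's own terms: "kEECDH" is the key-exchange keyword alone and can include the anonymous AECDH suites if the build provides them, whereas "EECDH" excludes them; has_anonymous() is the check to run on any cipher string before deploying it.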
9821 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
9843 * New -resign option to smime utility. This adds one or more signers
9844 to an existing PKCS#7 signedData structure. Also -md option to use an
9855 * New -macalg option to pkcs12 utility to allow setting of an alternative
9874 supported by any public key method supporting the encrypt operation. A
9885 2 is mandatory (that is it is the only supported type). Modify
9958 "list-public-key-algorithms" to print out info.
9962 * Implement the Supported Elliptic Curves Extension for
9963 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9986 De-spaghettify the public key ASN1 handling. Move public and private
9994 * Implement the Supported Point Formats Extension for
9995 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10004 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
10005 PSK-AES256-CBC-SHA
10037 - SSL_CTX_set_tlsext_servername_callback()
10039 - SSL_CTX_set_tlsext_servername_arg()
10040 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10042 openssl s_client has a new '-servername ...' option.
10044 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10045 '-key2 ...', '-servername_fatal' (subject to change). This allows
10046 testing the HostName extension for a specific single host name ('-cert'
10047 and '-key' remain fallbacks for handshakes without HostName
10049 default is a warning; it becomes fatal with the '-servername_fatal'
10058 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
10062 implementations, between 32- and 64-bit builds without hassle.
10075 "64-bit" performance on certain 32-bit targets.
10086 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
10134 -------------
10139 update s->server with a new major version number. As of
10140 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10141 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10144 protection is active. ([CVE-2010-0740])
10148 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10155 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
10180 highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
10189 This results in significant per-connection memory leaks and
10190 has caused some security issues including CVE-2008-1678 and
10191 CVE-2009-4355.
10233 * Implement RFC5746. Re-enable renegotiation but require the extension
10244 servername handling. Use a non-zero length session ID when attempting
10259 * Add --strict-warnings option to Configure script to include devteam
10264 * Add support for --libdir option and LIBDIR variable in makefiles. This
10295 it used to have an ad-hoc builder which was unable to cope with anything
10303 with non-FIPS digests are now usable in FIPS mode.
10314 buffered. ([CVE-2009-1378])
10324 ([CVE-2009-1377])
10328 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10329 parent structure is freed. ([CVE-2009-1379])
10333 * Handle non-blocking I/O properly in SSL_shutdown() call.
10335 *Darryl Miles <darryl-mailinglists@netbauds.net>*
10343 * Disable renegotiation completely - this fixes a severe security
10344 problem ([CVE-2009-3555]) at the cost of breaking all
10345 renegotiation. Renegotiation can be re-enabled by setting
10346 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10347 run-time. This is really not recommended unless you know what
10356 zeroing past the valid field. ([CVE-2009-0789])
10362 appear to verify correctly. ([CVE-2009-0591])
10368 a legal length. ([CVE-2009-0590])
10388 * New -hex option for openssl rand.
10409 ([CVE-2008-5077]).
10427 * Tweak Configure so that you need to say "experimental-jpake" to enable
10428 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10445 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10456 ChangeCipherSpec as first record ([CVE-2009-1386]).
10466 double-checked locking was incomplete for RSA blinding,
10468 doubly unsafe triple-checked locking.
10477 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10479 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10483 - Change bn_nist.c so that it will properly handle input BIGNUMs
10486 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10491 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10500 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10512 Not compiled unless enable-capieng specified to Configure.
10529 Codenomicon TLS test suite ([CVE-2008-1672])
10534 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10558 the 'db' section contains nothing but zeroes (there is a one-byte
10563 * Partial backport from 0.9.9-dev:
10567 While 0.9.9-dev uses assembler for various architectures, only
10569 32-bit x86 is available through a compile-time setting.
10571 To try the 32-bit x86 assembler implementation, use Configure
10572 option "enable-montasm" (which exists only for this backport).
10574 As "enable-montasm" for 32-bit x86 disclaims code stability
10576 backported from 0.9.9-dev for further performance improvements,
10578 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10589 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10596 'uptodate' flag is reset so that auto-discovery will be used next
10609 only supported if data is detached: setting the streaming flag is
10613 with the enable-cms configuration option.
10650 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10651 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10652 - added some more tests to do_tests.pl
10653 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10654 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10655 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10656 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10657 - various changes to netware.pl to enable gcc-cross builds on Win32
10659 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10660 - various changes to fix missing prototype warnings
10661 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10662 - added AES, WHIRLPOOL and CPUID assembler code to build files
10663 - added missing AES assembler make rules to mk1mf.pl
10664 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10680 + DTLS interoperation with non-compliant servers
10692 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10695 This update even addresses CVE-2007-4995.
10707 supported.
10744 - SSL_CTX_set_tlsext_servername_callback()
10746 - SSL_CTX_set_tlsext_servername_arg()
10747 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10749 openssl s_client has a new '-servername ...' option.
10751 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10752 '-key2 ...', '-servername_fatal' (subject to change). This allows
10753 testing the HostName extension for a specific single host name ('-cert'
10754 and '-key' remain fallbacks for handshakes without HostName
10756 default is a warning; it becomes fatal with the '-servername_fatal'
10782 * Add the Korean symmetric 128-bit cipher SEED (see
10786 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10787 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10788 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10789 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10793 is configured with 'enable-seed'.
10801 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10805 respectively, which are slower, but avoid the security-relevant
10820 constant-time implementations for more than just exponentiation.
10837 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10848 authentication-only ciphersuites.
10852 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10854 ([CVE-2007-5135]) [Ben Laurie]
10896 *Goetz Babin-Ebell*
10901 cause a denial of service. ([CVE-2006-2940])
10906 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10909 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10912 malicious SSLv2 server. ([CVE-2006-4343])
10917 match only those. Before that, "AES256-SHA" would be interpreted
10918 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10922 "RC4-MD5" that intentionally matched multiple ciphersuites --
10929 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10946 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10961 However, please upgrade to OpenSSL 0.9.9[-dev] for
10962 non-experimental use of the ECC ciphersuites to get TLS extension
10970 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
10971 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
10972 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
10975 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
10979 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
10985 dual-core machines) and other potential thread-safety issues.
10989 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
10990 versions), which is now available for royalty-free use
10996 is configured with 'enable-camellia'.
11020 * Update support for ECC-based TLS ciphersuites according to
11021 draft-ietf-tls-ecc-12.txt with proposed changes (but without
11022 TLS extensions, which are supported starting with the 0.9.9
11036 Static zlib linking now works on Windows and the new --with-zlib-include
11037 --with-zlib-lib options to Configure can be used to supply the location
11064 countermeasure against man-in-the-middle protocol-version
11066 idea. ([CVE-2005-2969])
11081 * Avoid some small subgroup attacks in Diffie-Hellman.
11085 * Add functions for well-known primes.
11122 * Add -utf8 command line and config file option to 'ca'.
11132 involves renaming the source and generated shared-libs for
11141 use it. Make -CSP option work again in pkcs12 utility.
11146 - automatic re-creation of the BN_BLINDING parameters after
11148 - add new function for parameter creation
11149 - introduce flags to control the update behaviour of the
11151 - hide BN_BLINDING structure
11172 * Use SHA-1 instead of MD5 as the default digest algorithm for
11177 * Compile clean with "-Wall -Wmissing-prototypes
11178 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11184 The new counterpiece to "no-xxx" is "enable-xxx".
11187 "enable-rc5" and "enable-mdc2", respectively, are specified.
11191 fee for non-commercial use. As before, "no-idea" can be used to
11198 EGEE (Enabling Grids for E-science in Europe).
11203 as Intel P4, IA-64 and AMD64.
11207 * New utility extract-section.pl. This can be used specify an alternative
11218 * New arguments -certform, -keyform and -pass for s_client and s_server
11243 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11259 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11264 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
11272 give fewer recursive includes, which could break lazy source code - so
11276 backwards-compatible behaviour prevails when this isn't defined.
11313 static array of bignums, BN_CTX now uses a linked-list of such arrays
11349 * BN_CTX_get() should return zero-valued bignums, providing the same
11382 * Because of the callback-based approach for implementing LHASH as a
11383 template type, lh_insert() adds opaque objects to hash-tables and
11386 (and losing the object pointers). So some over-zealous constifications in
11400 aren't necessarily the greatest nomenclatures - but this is what was used
11407 the self-tests were still using deprecated key-generation functions so
11428 modulus operations are not performed. The (pre-generated) prime
11430 re-generated on some platforms because of the "division by zero"
11435 * Update support for ECC-based TLS ciphersuites according to
11436 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11437 SHA-1 now is only used for "small" curves (where the
11451 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11463 to certificate and key stores, be they simple file-based stores, or
11464 HSM-type store, or LDAP stores, or...
11477 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11485 searched-for key would be inserted to preserve sorting order.
11506 * Make it possible to create self-signed certificates with 'openssl ca'
11507 in such a way that the self-signed certificate becomes part of the
11509 as all other certificate signing. The new flag '-selfsign' enables
11516 request can be signed by that key (self-signing).
11529 * Generate multi-valued AVAs using '+' notation in config files for
11547 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11576 * Add full support for -rpath/-R, both in shared libraries and
11606 ./config -DOPENSSL_USE_GMP -lgmp
11611 testing availability of engines with "-t" - the old behaviour is
11612 produced by increasing the feature's verbosity with "-tt".
11623 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11630 * Change the "progress" mechanism used in key-generation and
11636 migrate to the new functions. Also, the new key-generation API
11637 functions operate on a caller-supplied key-structure and return
11638 success/failure rather than returning a key or NULL - this is to
11652 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11661 draft-ietf-tls-compression-04.txt.
11671 -- at least one of the pair shall be present -- }
11692 to avoid the need to access 'a->neg' directly in applications.
11696 * Implement fast modular reduction for pseudo-Mersenne primes
11717 the usual use of --prefix and/or --openssldir, and at run
11733 files while avoiding the low-level API.
11737 algorithm NIDs can be set to -1 for no encryption, the mac
11740 Enhance pkcs12 utility by making the -nokeys and -nocerts
11741 options work when creating a PKCS#12 file. New option -nomac
11744 instead of the low-level API.
11760 * Let 'openssl req' fail if an argument to '-newkey' is not
11765 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11901 functionality is disabled at compile-time.
11908 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11909 mode the content of non-printable OCTET STRINGs is output in a
11922 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11924 - Points are encoded in uncompressed form by default; options for
11973 EC_METHOD) that verifies that the curve discriminant is non-zero.
11988 - 'openssl req' now has a '-newkey ecdsa:file' option;
11989 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
11990 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
11994 - ECDSA engine support has been added.
12030 authentication-only ciphersuites.
12074 cause a denial of service. ([CVE-2006-2940])
12079 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12082 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12085 malicious SSLv2 server. ([CVE-2006-4343])
12090 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
12091 will no longer include "AES128-SHA"), and any other similar
12093 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
12102 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12112 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12113 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12114 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12117 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12121 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12127 dual-core machines) and other potential thread-safety issues.
12142 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12154 safely run with a non-FIPSed libcrypto, as it may crash because of
12163 countermeasure against man-in-the-middle protocol-version
12165 idea. ([CVE-2005-2969])
12177 the exponentiation using a fixed-length exponent. (Otherwise,
12184 * Make a new fixed-window mod_exp implementation the default for
12185 RSA, DSA, and DH private-key operations so that the sequence of
12188 cache-timing and potential related attacks.
12207 * Add support for smime-type MIME parameter in S/MIME messages which some
12244 they must be explicitly allowed in run-time. See
12251 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12253 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12286 * Back-port of selected performance improvements from development
12296 * Add new -passin argument to dgst.
12301 this is needed for some certificates that re-encode DNs into UTF8Strings
12312 - if there is an unhandled critical extension (unless the user
12314 - if the path length has been exceeded (if one is set at all)
12315 - that certain extensions fit the associated purpose (if one has
12342 certificate is created using 'openssl req -x509'. The initial serial
12343 number file is created using 'openssl x509 -next_serial' in CA.pl
12350 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12351 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12356 ([CVE-2004-0112])
12406 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12408 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12415 * New -ignore_err option in ocsp application to stop the server
12461 * Countermeasure against the Klima-Pokorny-Rosa extension of
12471 They would be ill-advised to do so in most cases.
12477 an unpredictable seed -- if it is not unpredictable, there
12478 is no point in blinding anyway). Make RSA blinding thread-safe
12479 by remembering the creator's thread ID in rsa->blinding and
12480 having all other threads use local one-time blinding factors
12481 (this requires more computation than sharing rsa->blinding, but
12488 ENGINE as defaults for all supported algorithms irrespective of
12505 between bad padding and a MAC verification error. ([CVE-2003-0078])
12511 * Make the no-err option work as intended. The intention with no-err
12519 used by default when no-err is given.
12579 * IA-32 assembler support enhancements: unified ELF targets, support
12585 FreeBSD on non-x86 processors is separate from x86 processors on
12606 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
12634 warnings and a request that patches get sent to openssl-dev.
12638 * Add the VC-CE target, introduce the WINCE sysname, and add
12643 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12644 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12654 * Avoid using fixed-size buffers for one-line DNs.
12713 * Add assertions to prevent user-supplied crypto functions from
12731 * Fix off-by-one error in EGD path.
12761 Remote buffer overflow in SSL3 protocol - an attacker could
12762 supply an oversized master key in Kerberos-enabled versions.
12763 ([CVE-2002-0657])
12771 * Make -nameopt work fully for req and add -reqopt switch.
12773 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12787 which may be activated as a side-effect of selecting a single cipher.
12795 * Add appropriate support for separate platform-dependent build
12796 directories. The recommended way to make a platform-dependent
12803 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12804 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12805 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12806 mkdir -p `dirname $F`
12807 ln -s $OPENSSL_SOURCE/$F $F
12821 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12823 * Improve diagnostics in file reading and command-line digests.
12828 error in AES-CFB decryption.
12847 * Fix escaping of non-ASCII characters when using the -subj option
12858 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12871 * Fix the 'app_verify_callback' interface so that the user-defined
12879 i=s->ctx->app_verify_callback(&ctx)
12881 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12914 the same as the utility itself: that is the -config
12945 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12954 * Add the configuration target debug-linux-ppro.
12966 * Add -keyform to rsautl, and document -engine.
13019 (up to about 10% better than before for P-192 and P-224).
13043 SSL object, and 'arg' is the application-defined value set by
13046 'openssl s_client' and 'openssl s_server' have new '-msg' options
13077 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
13078 runs for the former and machine-readable output for the latter.
13082 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
13083 of the e-mail address in the DN (i.e., it will go into a certificate
13125 particular extension is supported.
13162 support for symmetric ciphers and digest implementations - so ENGINEs
13167 API changes worth noting - some RSA, DSA, DH, and RAND functions that
13169 reverted back - the hooking from this code to ENGINE is now a good
13170 deal more passive and at run-time, operations deal directly with
13173 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13224 * Add support for shared libraries for Unixware-7
13238 makes them more flexible to be built both as statically-linked ENGINEs
13239 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13240 Also, add stub code to each that makes building them as self-contained
13241 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13247 self-contained shared-libraries. The "dynamic" ENGINE exposes control
13248 commands that can be used to configure what shared-library to load and
13250 the [README-Engine.md](README-Engine.md) file
13251 that brings its information up-to-date and
13253 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13282 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13283 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13288 thread-safety problems that existed, and (b) makes it possible to clean
13414 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13421 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13432 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13433 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13434 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13436 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13437 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13438 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13441 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13443 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13447 * Added the OS2-EMX target.
13466 * Change all calls to low-level digest routines in the library and
13483 dialog box interfaces, application-defined prompts, the possibility
13490 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13576 per-structure level rather than having to store it globally.
13588 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13600 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13602 - executing control commands from command line arguments using the
13603 '-pre' and '-post' switches. '-post' is only used if '-t' is
13605 the individual commands are colon-separated, for example;
13606 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13612 and input types for run-time discovery by calling applications. A
13615 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13624 OpenSSL-based application. Commands have been added to all the
13625 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13626 control over shared-library paths without source code alterations.
13640 should already have non-const pointers to it (ie. they should only
13646 - "atalla" and "ubsec" string definitions were moved from header files
13648 rather than hard-coded - allowing parameterisation of these values
13650 - Removed unused "#if 0"'d code.
13651 - Fixed engine list iteration code so it uses ENGINE_free() to release
13653 - Constified the RAND_METHOD element of ENGINE structures.
13654 - Constified various get/set functions as appropriate and added
13655 missing functions (including a catch-all ENGINE_cpy that duplicates
13657 - Removed NULL parameter checks in get/set functions. Setting a method
13661 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13663 - Changed prototypes for ENGINE handler functions (init(), finish(),
13664 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13670 used only if the modulus is odd. On 32-bit systems, it is faster
13671 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13672 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13673 up to 450 bits. In 64-bit environments, the binary algorithm
13722 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13738 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13744 change the def and num file printf format specifier from "%-40sXXX"
13745 to "%-39s XXX". The latter will always guarantee a space after the
13792 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13799 Add options '-batch' and '-verbose' to 'openssl req'.
13859 checked. Two new options -validity_period and -status_age added to
13893 can be useful for session caching in multiple-server environments. A
13894 command-line switch for testing this (and any client code that wishes
13909 sure e_os2.h will cover all platform-specific cases together with
13911 Additionally, it is now possible to define configuration/platform-
13915 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13920 * New option -set_serial to 'req' and 'x509' this allows the serial
13930 supported. Add new CRL extensions to V3 code and some new objects.
13947 port and path components: primarily to parse OCSP URLs. New -url
13958 the request is nonce-less.
13964 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
13993 * Add the option -VAfile to 'openssl ocsp', so the user can give the
14000 handle the new API. Currently only ECB, CBC modes supported. Add new
14065 is initialised to -1 but X509_time_adj() now has to check the value
14111 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14114 the '-extensions ...' option may be used for specifying the
14127 `openssl ca -status <serial>` prints the status of the cert with
14129 `openssl ca -updatedb` updates the expiry status of certificates
14134 * New '-newreq-nodes' command option to CA.pl. This is like
14135 '-newreq', but calls 'openssl req' with the '-nodes' option
14150 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14151 value of OPENSSLDIR. This is available via the new '-d' option
14152 to 'openssl version', and is also included in 'openssl version -a'.
14179 There should no longer be any prototype-casting required when using
14190 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14199 (select timeout) and read in non-blocking mode. DEVRANDOM now
14204 For VMS, there's a currently-empty rand_vms.c.
14323 problems: As the program is single-threaded, all we have
14332 during TLS/SSL handshakes so that thread-safety is essential.
14334 for multi-threaded use, so it probably should be abolished.
14388 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14393 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14400 that provide type-safety and avoid function pointer casting for the
14401 type-specific callbacks.
14421 (using the probabilistic Tonelli-Shanks algorithm unless
14425 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14468 * Change BN_mod_mul so that the result is always non-negative.
14490 These functions always generate non-negative results.
14499 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14501 <!--
14515 -->
14518 unless the '-salt' option is used (which usually means that
14521 or the new '-noverify' option is used.
14524 non-interactive use of 'openssl passwd' (passwords on the command
14525 line, '-stdin' option, '-in ...' option) and thus should not
14542 casts back to non-const were required (to be solved at a later
14564 are built-in in OpenSSL shall ever be used or not. The benefit is
14618 * Rework the filename-translation in the DSO code. It is now possible to
14625 * Support threads on FreeBSD-elf in Configure.
14674 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14675 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14684 certain ASN.1 tags ([CVE-2003-0851])
14693 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14719 * Countermeasure against the Klima-Pokorny-Rosa extension of
14729 They would be ill-advised to do so in most cases.
14735 an unpredictable seed -- if it is not unpredictable, there
14736 is no point in blinding anyway). Make RSA blinding thread-safe
14737 by remembering the creator's thread ID in rsa->blinding and
14738 having all other threads use local one-time blinding factors
14739 (this requires more computation than sharing rsa->blinding, but
14751 between bad padding and a MAC verification error. ([CVE-2003-0078])
14769 because the session->cipher setting was not restored when reloading
14777 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14779 *Zeev Lieber <zeev-l@yahoo.com>*
14802 the bitwise-OR of the two for use by the majority of applications
14805 changing anyway, so this is more a bug-fix than a behavioural
14810 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14827 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14839 * [In 0.9.6g-engine release:]
14848 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14855 *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*
14884 implementations is desired (e.g. '-bugs' option to 's_client' and
14895 F30602-01-2-0537.
14900 supplied buffer. ([CVE-2002-0659])
14910 too small for 64 bit platforms. ([CVE-2002-0655])
14911 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
14913 * Remote buffer overflow in SSL3 protocol - an attacker could
14914 supply an oversized session ID to a client. ([CVE-2002-0656])
14918 * Remote buffer overflow in SSL2 protocol - an attacker could
14919 supply an oversized client master key. ([CVE-2002-0656])
14926 encoded as NULL) with id-dsa-with-sha1.
14935 an end-of-file condition would erroneously be flagged, when the CRLF
14938 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14954 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14957 processing was enabled when in fact s->s3->in_read_app_data was
14960 *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*
14970 * Fix DH_generate_parameters() so that it works for 'non-standard'
14977 a generator of the order-q subgroup is just as good, if not
14988 returning non-zero before the data has been completely received
14989 when using non-blocking I/O.
15025 * [In 0.9.6d-engine release:]
15030 * Add the configuration target linux-s390x.
15032 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
15038 invocations of ssl3_accept when using non-blocking I/O, the
15043 To avoid this problem, we now set s->new_session to 2 instead of
15048 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
15062 type, we must throw them away by setting rr->length to 0.
15080 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
15082 Also some ip-pda OIDs in crypto/objects/objects.txt were
15092 * [In 0.9.6c-engine release:]
15097 * [In 0.9.6c-engine release:]
15105 rearranged (all '-L' options must appear before the first object
15110 * [In 0.9.6c-engine release:]
15116 * [In 0.9.6c-engine release:]
15122 * [In 0.9.6c-engine release:]
15133 messages are stored in a single piece (fixed-length part and
15134 variable-length part combined) and fix various bugs found on the way.
15155 never resets s->method to s->ctx->method when called from within
15204 * Add OpenUNIX-8 support including shared libraries
15221 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15253 configuration target "alpha-cc-rpath", which will never be selected
15265 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15286 dh->length and always used
15288 BN_rand_range(priv_key, dh->p).
15290 BN_rand_range() is not necessary for Diffie-Hellman, and this
15291 specific range makes Diffie-Hellman unnecessarily inefficient if
15292 dh->length (recommended exponent length) is much smaller than the
15293 length of dh->p. We could use BN_rand_range() if the order of
15295 dh->length.
15301 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15319 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15334 *Albert Chin-A-Young <china@thewrittenword.com>*
15336 * Add configuration option to build on Linux on both big-endian and
15337 little-endian MIPS.
15339 *Ralf Baechle <ralf@uni-koblenz.de>*
15341 * Add the possibility to create shared libraries on HP-UX.
15349 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15352 'md' followed by enough consecutive 1-byte PRNG requests
15363 Markku-Juhani's attack. (Actually it had never occurred
15365 half from which PRNG output bytes were taken -- I had always
15408 when fixing the server behaviour for backwards-compatible 'client
15412 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15468 * Change bctest again: '-x' expressions are not available in all
15488 If the SEQUENCE length is indefinite just set c->slen to the total
15495 * Change bctest to avoid here-documents inside command substitution
15508 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15510 Computations, J. Cryptology 14 (2001) 2, 101-119,
15577 due to incorrect handling of multi-threading:
15585 inband-signalling in the previous code (which relied on the
15590 * Add "-rand" option also to s_client and s_server.
15595 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15614 to be set and top=0 forces the highest bit to be set; top=-1 is new
15619 * In the `NCONF_...`-based implementations for `CONF_...` queries
15675 * Fix 'openssl passwd -1'.
15686 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15696 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15703 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15733 avoid potential security hole. (Re-used sessions on the client side
15739 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15747 releases, have been re-implemented by renaming the previous
15758 the method-specific "init()" handler. Also clean up ex_data after
15759 calling the method-specific "finish()" handler. Previously, this was
15778 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15782 - Make note of the expected extension for the shared libraries and
15787 - Make as few rebuilds of the shared libraries as possible.
15789 - Still avoid linking the OpenSSL programs with the shared libraries.
15791 - When installing, install the shared libraries separately from the
15855 in a record-oriented fashion. That means that every write() will
15866 Currently, it's a VMS-only method, because that's where it has
15874 but it was in 0.9.6-beta[12].)
15900 documentation and run-time libraries. The devel package contains
15909 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16032 In BIO_puts, increment b->num_write as in BIO_write.
16049 used for low-level RSA operations. DER public key
16056 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
16058 * A demo state-machine implementation was sponsored by
16134 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16156 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16161 In s23_clnt.c, don't use special rollback-attack detection padding
16227 * New options to smime application. -inform and -outform
16229 PEM and DER. The -content option allows the content to be
16254 - New object identifiers are inserted in objects.txt, following
16256 - objects.pl is used to process obj_mac.num and create a new
16258 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16270 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16274 * Addition of the command line parameter '-rand file' to 'openssl req'.
16316 an -sgckey command line option to the rsa utility. Thanks to
16318 algorithm to openssl-dev.
16335 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16366 * The type-safe stack code has been rejigged. It is now only compiled
16368 by default all type-specific stack functions are "#define"d back to
16370 but retains the type-safety checking possibilities of the original
16378 map type-safe stack functions onto their plain stack counterparts.
16418 for CFB and OFB modes they zero ctx->num.
16444 i.e. non-zero for export ciphersuites, zero otherwise.
16462 Added -fingerprint option to crl utility, to support new c_rehash
16467 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16504 * Bugfix for linux-elf makefile.one.
16564 * Add '-tls1' option to 'openssl ciphers', which was already
16572 OpenSSL-based applications) load shared libraries and bind to
16584 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16585 to '-clrext' (= clear extensions), as intended and documented.
16603 *Ulf Möller, using the problem description in krb4-0.9.7, where
16612 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16614 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16619 the 'no-cipher' compilation switches can be tested this way.
16621 ('openssl no-XXX' is not able to detect pseudo-commands such
16622 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16626 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16634 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16640 * New s_client option -ign_eof: EOF at stdin is ignored, and
16642 This is part of what -quiet does; unlike -quiet, -ign_eof
16679 * Add '-dsaparam' option to 'openssl dhparam' application. This
16686 by 'openssl dhparam -C'.
16712 * New 'rand' application for creating pseudo-random output.
16726 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16786 or -rand.
16818 sections with information on -D... compiler switches used for
16820 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16868 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16872 * Add -rand argument to smime and pkcs12 applications and read/write
16899 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16928 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16932 * Use a less unusual form of the Miller-Rabin primality test (it used
16933 a binary algorithm for exponentiation integrated into the Miller-Rabin
16955 using 50 iterations of the Rabin-Miller test.
16958 iterations of the Rabin-Miller test as required by the appendix
16959 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16965 for each positive witness in the Rabin-Miller test, not just
16970 function with an 'iteration count' of -1, meaning that a
16972 from an application-provided seed, trial division is skipped).
16977 division before starting the Rabin-Miller test and has
16980 'callback(1, -1, cb_arg)' is called when a number has passed the
16990 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17012 by stat(). RAND_load_file(..., -1) is new and uses the complete file
17029 Rabin-Miller iterations.
17033 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
17055 cipher-strength (using the strength_bits hard coded in the tables).
17058 Fix a bug in the cipher-command parser: when supplying a cipher command
17060 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17063 Due to the strength-sorting extension, the code of the
17065 the readability was also increased :-)
17067 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17069 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
17112 * Do more iterations of Rabin-Miller probable prime test (specifically,
17113 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17116 false-positive rate of at most 2^-80 for random input.
17138 -nomaciter option is used. This improves file security and
17143 * Honor the no-xxx Configure options when creating .DEF files.
17200 $PATH. Just exploiting of the BWX extension results in 20-30%
17430 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17458 Two new options to the verify program: -untrusted allows a set of
17459 untrusted certificates to be passed in and -purpose which sets the
17491 Added a -pubkey option to the 'x509' utility to output the public key.
17530 openssl verify -CAfile ss.pem ss.pem
17538 but an application-provided verification callback (set by
17540 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17542 ssl->verify_result to the appropriate error code to avoid
17551 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17555 -S option to allow a salt to be input on the command line.
17585 the string plus current file name and line number to a per-thread
17588 Also updated memory leak detection code to be multi-thread-safe.
17592 * Add options -text and -noout to pkcs7 utility and delete the
17608 * Fix the -revoke option in ca. It was freeing up memory twice,
17633 with non-optimised assembler. Even so, this now gives around 95%
17653 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17656 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17672 - Assure unique random numbers after fork().
17673 - Make sure that concurrent threads access the global counter and
17687 dsaparam -genkey (which also ignored its '-rand' option),
17696 of each file listed in the '-rand' option. The function as previously
17698 that support '-rand'.
17731 verification. Also added a -purpose flag to x509 utility to
17748 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17753 * New -noout option to asn1parse. This causes no output to be produced
17754 its main use is when combined with -strparse and -out to extract data
17764 * New option -dhparam in s_server. This allows a DH parameter file to be
17771 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17773 openssl rsa -in key.pem -pubout -out pubkey.pem
17788 *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*
17814 working at all :-) A dedicated Windows application might handle this
17831 * Add new -verify -CAfile and -CApath options to the crl program, these
17840 * Initialize all non-automatic variables each time one of the openssl
17841 sub-programs is started (this is necessary as they may be started
17854 * Non-copying interface to BIO pairs.
17889 <madwolf@comune.modena.it>. The new option is called -extensions
17890 and can be applied to ca, req and x509. Also -reqexts to override
17891 the request extensions in req and -crlexts to override the crl extensions
17906 config file. They can be printed out with the -text option to req but
17929 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17949 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17975 * -crlf option to s_client and s_server for sending newlines as
17990 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
17999 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
18002 much more efficient (160-bit exponentiation instead of 1024-bit
18018 * Allow the -k option to be used more than once in the enc program:
18065 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
18069 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
18090 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
18097 * New function RSA_check_key and new openssl rsa option -check
18136 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18145 to disable memory-checking temporarily.
18150 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18154 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18156 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18178 * Fix problems with no-hmac etc.
18199 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18219 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18230 Whoever hopes to achieve shared-library compatibility across versions
18231 must use this, not the compile-time macro.
18234 Note: All this applies only to multi-threaded programs, others don't
18239 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18292 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18302 Changing the behaviour of the former might break existing programs --
18308 fails, it needs to cause bc to give a non-zero result or make test carries
18321 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18326 * Instead of "mkdir -p", which is not fully portable, use new
18327 Perl script "util/mkdir-p.pl".
18357 * "linux-sparc64" configuration (ultrapenguin).
18360 "linux-sparc" configuration.
18362 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18364 * config now generates no-xxx options for missing ciphers.
18373 * Support BS2000/OSD-POSIX.
18389 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18395 * New configuration variant "sco5-gcc".
18418 * SHA library changes for irix64-mips4-cc.
18486 * New option -out to asn1parse to allow the parsed structure to be
18487 output to a file. This is most useful when combined with the -strparse
18492 * Make SSL library a little more fool-proof by not requiring any longer
18496 intended anyway -- now it really works as intended).
18504 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18505 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18506 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18517 various ways (and thus what used to be known as ctx->default_cert
18518 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18519 any longer when s->cert does not give us what we need).
18522 we have solved a couple of bugs of the earlier code where s->cert
18532 that holds per-session data (if available); currently, this is
18560 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18561 without disallowing inline assembler and the like for non-pedantic builds.
18573 * SHA-1 cleanups and performance enhancements.
18581 * Accept any -xxx and +xxx compiler options in Configure.
18596 DER-encoded.)
18601 x509_vfy.c had what can be considered an off-by-one-error:
18629 * New Configure options "threads" and "no-threads". For systems
18640 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18645 * "make linux-shared" to build shared libraries.
18649 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18667 * New Configure options --prefix=DIR and --openssldir=DIR.
18688 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18706 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18784 * Don't auto-generate pem.h.
18788 * Introduce type-safe ASN.1 SETs.
18792 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18796 * Introduce type-safe STACKs. This will almost certainly break lots of code
18804 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18807 revoking a certificate. The -revoke option does the gory details now.
18811 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18812 `-text` option at all and this way the `-noout -text` combination was
18824 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18828 `openssl list-cipher-commands` is used.
18866 * New "-showcerts" option for s_client.
18907 * Make sure the RSA OAEP test is skipped under -DRSAref because
18908 OAEP isn't supported when OpenSSL is built with RSAref.
18913 so they no longer are missing under -DNOPROTO.
18943 * Make rsa_oaep_test return non-zero on error.
18948 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
18978 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
18990 * DES quad checksum was broken on big-endian architectures. Fixed.
19051 pre-configured entry in Configure's %table under key `<id>` with value
19053 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19054 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
19055 now, which overrides the FreeBSD-elf entry on-the-fly.
19063 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
19070 * Remarkably, export ciphers were totally broken and no-one had noticed!
19076 questions now is the OpenSSL core team under openssl-core@openssl.org.
19077 And add a paragraph about the dual-license situation to make sure people
19133 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19144 This means that Apache-SSL and similar packages don't have to mess around
19156 * Get rid of remaining C++-style comments which strict C compilers hate.
19167 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19169 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19179 non-public-API function ssl_cert_instantiate() is used as a helper
19184 * Move s_server -dcert and -dkey options out of the undocumented feature
19207 * Don't hard-code path to Perl interpreter on shebang line of Configure
19208 script. Instead use the usual Shell->Perl transition trick.
19212 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
19214 -noout -modulus` as it's already the case for `openssl rsa -noout
19215 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
19217 `openssl dsa -modulus` in the past) which serves a similar purpose.
19218 Additionally the NO_RSA no longer completely removes the whole -modulus
19224 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19227 *Arne Ansper <arne@ats.cyber.ee>*
19237 *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*
19241 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19242 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19272 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19303 *Lars Weber <3weber@informatik.uni-hamburg.de>*
19356 - ported BN stuff to OpenSSL's different BN library
19357 - made the perl/ source tree CVS-aware
19358 - renamed the package from SSLeay to OpenSSL (the files still contain
19360 - removed obsolete files (the test scripts will be replaced
19372 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19380 what that's for :-) Fix to ASN1 macro which messed up
19407 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19409 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19415 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19444 and add a sample to openssl.cnf so req -x509 now adds appropriate
19469 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19474 * Spelling mistake in C version of CAST-128.
19478 * Changes to the error generation code. The perl script err-code.pl
19485 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19490 * CAST-128 was incorrectly implemented for short keys. The C version has
19492 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19494 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19571 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19573 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19575 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19593 *Arne Ansper <arne@ats.cyber.ee>*
19597 *Arne Ansper <arne@ats.cyber.ee>*
19601 *Arne Ansper <arne@ats.cyber.ee>*
19605 *Arne Ansper <arne@ats.cyber.ee>*
19607 * Make sure the already existing X509_STORE->depth variable is initialized
19639 * Make the top-level INSTALL documentation easier to understand.
19643 * Makefiles updated to exit if an error occurs in a sub-directory
19658 * Enhanced the err-ins.pl script so it makes the error library number
19695 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19703 ncr-scde
19704 unixware-2.0
19705 unixware-2.0-pentium
19706 sco5-cc.
19719 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19726 * Some fixups to the top-level documents.
19730 * Fixed the nasty bug where rsaref.h was not found under compile-time
19735 * Incorporated the popular no-RSA/DSA-only patches
19736 which allow to compile an RSA-free SSLeay.
19740 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19758 * Recompiled the error-definition header files and added
19763 * Cleaned up the top-level documents;
19813 * Add -strparse option to asn1pars program which parses nested
19826 * Added "-genkey" option to "dsaparam" program.
19834 * Added -a (all) option to "ssleay version" command.
19893 this key exchange mechanism is not supported by SSLeay at all.
19923 <!-- Links -->
19925 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
19926 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
19927 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19928 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19929 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
19930 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
19931 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
19932 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
19933 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
19934 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
19935 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19936 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19937 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19938 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19939 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
19940 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19941 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19942 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19943 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
19944 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
19945 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
19946 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19947 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
19948 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
19949 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
19950 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
19951 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
19952 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
19953 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
19954 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19955 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19956 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19957 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19958 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19959 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19960 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19961 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19962 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19963 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19964 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19965 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19966 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
19967 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
19968 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
19969 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
19970 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
19971 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
19972 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
19973 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
19974 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
19975 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
19976 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
19977 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
19978 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
19979 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
19980 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
19981 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
19982 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
19983 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
19984 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
19985 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
19986 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
19987 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
19988 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
19989 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
19990 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
19991 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
19992 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
19993 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
19994 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
19995 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
19996 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
19997 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
19998 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
19999 [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
20000 [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
20001 [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
20002 [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
20003 [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
20004 [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
20005 [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
20006 [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
20007 [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
20008 [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
20009 [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
20010 [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
20011 [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
20012 [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
20013 [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
20014 [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
20015 [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
20016 [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
20017 [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
20018 [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
20019 [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
20020 [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
20021 [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
20022 [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
20023 [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
20024 [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
20025 [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
20026 [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
20027 [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
20028 [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
20029 [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
20030 [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
20031 [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
20032 [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
20033 [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
20034 [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
20035 [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
20036 [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
20037 [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
20038 [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
20039 [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
20040 [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
20041 [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
20042 [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
20043 [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
20044 [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
20045 [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
20046 [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
20047 [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
20048 [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
20049 [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
20050 [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
20051 [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
20052 [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
20053 [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
20054 [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
20055 [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
20056 [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
20057 [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
20058 [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
20059 [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
20060 [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
20061 [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
20062 [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
20063 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
20064 [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
20065 [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
20066 [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
20067 [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
20068 [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
20069 [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
20070 [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
20071 [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
20072 [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
20073 [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
20074 [CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
20075 [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
20076 [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
20077 [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
20078 [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
20079 [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
20080 [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
20081 [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
20082 [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
20083 [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
20084 [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
20085 [CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
20086 [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
20087 [CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
20088 [CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
20089 [CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
20090 [CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
20091 [CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
20092 [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
20093 [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
20094 [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
20095 [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
20096 [CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
20097 [CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
20098 [CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
20099 [CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
20100 [CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
20101 [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
20102 [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
20103 [CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
20104 [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
20105 [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
20106 [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
20107 [CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
20108 [CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
20109 [CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
20110 [CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
20111 [CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
20112 [CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
20113 [CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
20114 [CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
20115 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
20116 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
20117 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655