Lines Matching +full:ats +full:- +full:supported

4 This is a high-level summary of the most important changes.
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
33 * Fixed timing side-channel in ECDSA signature computation.
37 probability only for some of the supported elliptic curves. In particular
38 the NIST P-521 curve is affected. To be able to measure this leak, the
42 ([CVE-2024-13176])
46 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
49 Use of the low-level GF(2^m) elliptic curve APIs with untrusted
50 explicit values for the field polynomial can lead to out-of-bounds memory
58 ([CVE-2024-9143])
72 ([CVE-2024-6119])
79 supported client protocols buffer may cause a crash or memory contents
82 ([CVE-2024-5535])
107 ([CVE-2024-4741])
124 ([CVE-2024-4603])
136 * Fixed an issue where some non-default TLS server configurations can cause
141 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
143 anti-replay protection is in use). In this case, under certain conditions,
150 ([CVE-2024-2511])
178 ([CVE-2024-0727])
195 with the "-pubin" and "-check" options on untrusted data.
200 ([CVE-2023-6237])
205 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
218 be various - from no consequences, if the calling application does not
219 depend on the contents of non-volatile XMM registers at all, to the worst
226 ([CVE-2023-6129])
240 ([CVE-2023-5678])
248 that alter the key or IV length ([CVE-2023-5363]).
257 does not save the contents of non-volatile XMM registers on Windows 64
261 x86_64 processors supporting the AVX512-IFMA instructions.
264 be various - from no consequences, if the calling application does not
265 depend on the contents of non-volatile XMM registers at all, to the worst
272 ([CVE-2023-4807])
281 fixing CVE-2023-3446 it was discovered that a large q parameter value can
291 ([CVE-2023-3817])
310 ([CVE-2023-3446])
314 * Do not ignore empty associated data entries with AES-SIV.
316 The AES-SIV algorithm allows for authentication of multiple associated
320 The AES-SIV implementation in OpenSSL just returns success for such call
322 The empty data thus will not be authenticated. ([CVE-2023-2975])
327 applications that use empty associated data entries with AES-SIV.
337 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
340 numeric text form. For gigantic sub-identifiers, this would take a very
342 sub-identifier. ([CVE-2023-2650])
350 most 128 sub-identifiers, and that the maximum value that each sub-
351 identifier may have is 2^32-1 (4294967295 decimal).
353 For each byte of every sub-identifier, only the 7 lower bits are part of
360 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
362 trigger a crash of an application using AES-XTS decryption if the memory
365 ([CVE-2023-1255])
369 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
371 a severe 2-3x performance regression in the typical use case
383 ([CVE-2023-0466])
392 ([CVE-2023-0465])
397 against CVE-2023-0464. The default limit is set to 1000 nodes, which
402 ([CVE-2023-0464])
417 ([CVE-2023-0401])
440 ([CVE-2023-0286])
455 security requirements imposed by standards such as FIPS 140-3.
456 ([CVE-2023-0217])
470 ([CVE-2023-0216])
474 * Fixed Use-after-free following BIO_new_NDEF.
489 then a use-after-free will occur. This will most likely result in a crash.
490 ([CVE-2023-0215])
515 ([CVE-2022-4450])
526 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
527 ([CVE-2022-4304])
539 ([CVE-2022-4203])
551 ([CVE-2022-3996])
561 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
588 ([CVE-2022-3786])
591 attacker-controlled bytes on the stack. This buffer overflow could
594 ([CVE-2022-3602])
654 ([CVE-2022-3358])
663 * Fixed the linux-mips64 Configure target which was missing the
678 * Fixed detection of ktls support in cross-compile environment on Linux
714 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
715 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
716 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
739 ([CVE-2022-2274])
743 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
751 ([CVE-2022-2097])
758 CVE-2022-1292, further bugs where the c_rehash script does not
762 When the CVE-2022-1292 was fixed it was not discovered that there
772 (CVE-2022-2068)
783 * Case insensitive string comparison is reimplemented via new locale-agnostic
798 (CVE-2022-1292)
804 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
815 verifying an ocsp response with the "-no_cert_checks" option the command line
820 ([CVE-2022-1343])
824 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
827 An attacker could exploit this issue by performing a man-in-the-middle attack
831 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
835 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
842 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
846 cannot decrypt data that has been encrypted using this ciphersuite - they can
850 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
856 1) OpenSSL must have been compiled with the (non-default) compile time option
857 enable-weak-ssl-ciphers
868 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
870 (CVE-2022-1434)
885 (CVE-2022-1473)
891 statistics are no longer supported. For compatibility, these statistics are
899 for non-prime moduli.
916 - TLS clients consuming server certificates
917 - TLS servers consuming client certificates
918 - Hosting providers taking certificates or private keys from customers
919 - Certificate authorities parsing certification requests from subscribers
920 - Anything else which parses ASN.1 elliptic curve parameters
924 ([CVE-2022-0778])
934 * Made the AES constant time code for no-asm configurations
937 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
975 ([CVE-2021-4044])
1039 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
1040 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1041 SP 800-38D". The communication will fail at this point.
1051 beginning of a PEM-formatted file.
1071 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
1082 `--libdir=lib` to override the libdir if adding the postfix is
1104 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
1109 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
1110 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1111 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
1128 * Client-initiated renegotiation is disabled by default. To allow it, use
1129 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1139 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1140 validated. Please consult the README-FIPS and
1141 README-PROVIDERS files, as well as the migration guide.
1215 supported by the OS, otherwise CriticalSection continues to be used.
1251 RIPEMD-160 have been moved to the legacy provider.
1268 * A number of functions handling low-level keys or engines were deprecated
1279 - NID_pbeWithMD2AndDES_CBC
1280 - NID_pbeWithMD5AndDES_CBC
1281 - NID_pbeWithSHA1AndRC2_CBC
1282 - NID_pbeWithMD2AndRC2_CBC
1283 - NID_pbeWithMD5AndRC2_CBC
1284 - NID_pbeWithSHA1AndDES_CBC
1307 algorithms. This is enabled by including the no-cached-fetch option
1312 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1317 * The openssl speed command does not use low-level API calls anymore.
1321 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1326 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1347 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1365 * The default key generation method for the regular 2-prime RSA keys was
1366 changed to the FIPS 186-4 B.3.6 method.
1396 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1407 * The `-cipher-commands` and `-digest-commands` options
1409 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1414 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1434 * The `-crypt` option to the `passwd` command line tool has been removed.
1438 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1463 * Added new option for 'openssl list', '-providers', which will display the
1494 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1496 TLS-based contexts. The commands can be repeated to set bounds of both
1498 "max_protocol" command-line switches, in case some application uses both TLS
1504 error. Now only the "version-flexible" SSL_CTX instances are subject to
1505 limits in configuration files in command-line options.
1524 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1525 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1543 a non-default `OSSL_LIB_CTX`.
1574 * Add CAdES-BES signature verification support, mostly derived
1579 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1583 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1656 [ATX headings]: https://github.github.com/gfm/#atx-headings
1657 [setext headings]: https://github.github.com/gfm/#setext-headings
1658 [inline links]: https://github.github.com/gfm/#inline-link
1659 [reference links]: https://github.github.com/gfm/#reference-link
1660 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1661 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1666 A new directory test-runs/ with subdirectories named like the
1673 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1680 user-defined BIOs (allowing implicit connections), persistent connections,
1682 The legacy OCSP-focused (and only partly documented) API
1687 * Added `util/check-format.pl`, a tool for checking adherence to the
1762 - Common options (such as -rand/-writerand, TLS version control, etc)
1763 were refactored and point to newly-enhanced descriptions in openssl.pod.
1764 - Added style conformance for all options (with help from Richard Levitte),
1768 - Documented some internals, such as all use of environment variables.
1769 - Addressed all internal broken L<> references.
1777 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1818 used in exponentiation with 512-bit moduli. No EC algorithms are
1819 affected. Analysis suggests that attacks against 2-prime RSA1024,
1820 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1823 have to re-use the DH512 private key, which is not recommended anyway.
1824 Also applications directly using the low-level API BN_mod_exp may be
1826 ([CVE-2019-1551])
1830 * Most memory-debug features have been deprecated, and the functionality
1831 replaced with no-ops.
1856 allow varying behavior in a supported and predictable manner.
1872 * Change the interpretation of the '--api' configuration option to
1876 the given version, now requires that 'no-deprecated' is also used
1882 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1890 -DOPENSSL_API_COMPAT=30000 For 3.0
1891 -DOPENSSL_API_COMPAT=30200 For 3.2
1894 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1905 - X509_LOOKUP_store()
1906 - X509_STORE_load_file()
1907 - X509_STORE_load_path()
1908 - X509_STORE_load_store()
1909 - SSL_add_store_cert_subjects_to_stack()
1910 - SSL_CTX_set_default_verify_store()
1911 - SSL_CTX_load_verify_file()
1912 - SSL_CTX_load_verify_dir()
1913 - SSL_CTX_load_verify_store()
1918 The presence of this system service is determined at run-time.
1927 of applications written for pre-3.0 OpenSSL easier.
1949 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1987 * Added the `-copy_extensions` option to the `x509` command for use with
1988 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1993 * Added the `-copy_extensions` option to the `req` command for use with
1994 `-x509`. When given with the `copy` or `copyall` argument,
2002 and for not self-signed certs there is an authorityKeyIdentifier extension
2011 (which may be done by using the CLI option `-x509_strict`):
2023 unless they are self-signed.
2033 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2049 ([CVE-2019-1547])
2063 The old behaviour can be re-enabled in the CMS code by setting the
2078 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
2081 the 2-prime and 3-prime RSA moduli were easy to distinguish, since
2083 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2089 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2133 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2182 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2191 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2192 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2193 for Windows Store apps easier. Also, the "no-uplink" option has been added.
2209 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2224 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2225 mandated by IEEE Std 1619-2018.
2256 'enable-buildtest-c++'.
2290 those algorithms that were already supported through the EVP_PKEY API
2291 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
2304 * Fix a bug in the computation of the endpoint-pair shared secret used
2312 re-used X509_PUBKEY object if the second PUBKEY is malformed.
2326 - Major releases (indicated by incrementing the MAJOR release number)
2328 - Minor releases (indicated by incrementing the MINOR release number)
2330 - Patch releases (indicated by incrementing the PATCH number)
2337 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2347 * Recreate the OS390-Unix config target. It no longer relies on a
2348 special script like it did for OpenSSL pre-1.1.0.
2353 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2383 * AES-XTS mode now enforces that its two keys are different to mitigate
2397 * Added new option for 'openssl list', '-objects', which will display the
2402 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2408 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2410 applications with zero-copy system calls such as sendfile and splice.
2442 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2443 refer to other manuals describing the API specific for supported
2449 -------------
2477 again, but this time passing a non-NULL value for the "out" parameter.
2492 ([CVE-2021-3711])
2536 ([CVE-2021-3712])
2553 that non-CA certificates must not be able to issue other certificates.
2567 ([CVE-2021-3450])
2581 ([CVE-2021-3449])
2594 ([CVE-2021-23841])
2601 CVE-2021-23839.
2611 ([CVE-2021-23840])
2638 ([CVE-2020-1971])
2650 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2652 TLS-based contexts. The commands can be repeated to set bounds of both
2654 "max_protocol" command-line switches, in case some application uses both TLS
2660 error. Now only the "version-flexible" SSL_CTX instances are subject to
2661 limits in configuration files in command-line options.
2681 ([CVE-2020-1967])
2685 * Added AES consttime code for no-asm configurations
2687 when building openssl for no-asm.
2688 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2689 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2705 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2708 the 2-prime and 3-prime RSA moduli were easy to distinguish, since
2710 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2754 The presence of this system service is determined at run-time.
2777 ([CVE-2019-1549])
2781 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2797 ([CVE-2019-1547])
2811 The old behaviour can be re-enabled in the CMS code by setting the
2813 ([CVE-2019-1563])
2828 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2839 ([CVE-2019-1552])
2875 'enable-buildtest-c++'.
2879 * Enable SHA3 pre-hashing for ECDSA and DSA.
2892 util/fix-doc-nits accordingly.
2913 * Prevent over long nonces in ChaCha20-Poly1305.
2915 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2936 applications that use this cipher directly and set a non-default nonce
2941 ([CVE-2019-1543])
2961 * Change the info callback signals for the start and end of a post-handshake
2982 ([CVE-2018-0734])
2993 ([CVE-2018-0735])
3012 callback can adjust the supported TLS versions in response to the contents
3021 * s390x assembly pack: add (improved) hardware-support for the following
3022 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
3023 aes-cfb/cfb8, aes-ecb.
3035 differential addition-and-doubling in homogeneous projective coordinates
3036 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3037 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
3038 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
3045 For larger primes this will result in more rounds of Miller-Rabin.
3047 to 2^-128.
3051 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
3063 length-invariant. Switch even to fixed-length Montgomery multiplication.
3069 differential addition-and-doubling in mixed Lopez-Dahab projective
3078 differential addition-and-doubling algorithms.
3090 * Numerous side-channel attack mitigations have been applied. This may have
3100 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
3102 multi-version installation is managed.
3110 EC cryptosystem implementations are then safer-by-default.
3126 length does not exceed the maximum supported digest length when performing
3134 Many applications do not properly handle non-application data records, and
3193 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3247 in responder mode now supports the new "-multi" option, which
3249 requests. The "-timeout" option now also limits the OCSP
3254 as a long-running service, making the OpenSSL CA somewhat more
3255 feature-complete. In this mode, most diagnostic messages logged
3282 The default RAND method now utilizes an AES-CTR DRBG according to
3283 NIST standard SP 800-90Ar1. The new random generator is essentially
3286 using an AES-CTR bit stream and which seeds and reseeds itself
3290 - Support for multiple DRBG instances with seed chaining.
3291 - The default RAND method makes use of a DRBG.
3292 - There is a public and private DRBG instance.
3293 - The DRBG instances are fork-safe.
3294 - Keep all global DRBG instances on the secure heap if it is enabled.
3295 - The public and private DRBG instance are per thread for lock free
3331 * Add multi-prime RSA (RFC 8017) support.
3335 * Add SM3 implemented according to GB/T 32905-2016
3346 * Add SM4 implemented according to GB/T 32907-2016.
3351 * Reimplement -newreq-nodes and ERR_error_string_n; the
3385 To disable, configure with 'no-ui-console'. 'no-ui' is still
3402 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3404 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3438 * Ignore the '-named_curve auto' value for compatibility of applications
3444 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3462 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3471 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3489 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3493 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3510 default unless the new "-noservername" option is used. The server name is
3511 based on the host provided to the "-connect" option unless overridden by
3512 using "-servername".
3529 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3541 * The RSA "null" method, which was partially supported to avoid patent
3547 -------------
3551 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3567 ([CVE-2019-1547])
3581 The old behaviour can be re-enabled in the CMS code by setting the
3583 ([CVE-2019-1563])
3591 ([CVE-2019-1552])
3604 * Prevent over long nonces in ChaCha20-Poly1305.
3606 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3627 applications that use this cipher directly and set a non-default nonce
3632 ([CVE-2019-1543])
3644 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3667 ([CVE-2018-0734])
3678 ([CVE-2018-0735])
3699 ([CVE-2018-0732])
3712 ([CVE-2018-0737])
3723 length-invariant. Switch even to fixed-length Montgomery multiplication.
3729 For larger primes this will result in more rounds of Miller-Rabin.
3731 to 2^-128.
3735 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
3762 some characters, such as form-feed, were incorrectly treated as whitespace
3768 and use the "-binary" flag (for the "cms" command line application) or set
3783 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3785 ([CVE-2018-0739])
3789 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3791 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3796 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3800 ([CVE-2018-0733])
3816 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3825 * Removed the OS390-Unix config target. It relied on a script that doesn't
3833 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3841 no longer an option since CVE-2016-0701.
3847 was originally found via the OSS-Fuzz project.
3848 ([CVE-2017-3738])
3871 This issue was reported to OpenSSL by the OSS-Fuzz project.
3872 ([CVE-2017-3736])
3879 OpenSSL could do a one-byte buffer overread. The most likely result
3882 This issue was reported to OpenSSL by the OSS-Fuzz project.
3883 ([CVE-2017-3735])
3889 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3894 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3902 * Encrypt-Then-Mac renegotiation crash
3904 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3905 negotiated where it was not in the original handshake (or vice-versa) then
3910 ([CVE-2017-3733])
3918 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3920 perform an out-of-bounds read, usually resulting in a crash.
3923 ([CVE-2017-3731])
3935 ([CVE-2017-3730])
3953 similar to CVE-2015-3193 but must be treated as a separate problem.
3955 This issue was reported to OpenSSL by the OSS-Fuzz project.
3956 ([CVE-2017-3732])
3962 * ChaCha20/Poly1305 heap-buffer-overflow
3964 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3969 ([CVE-2016-7054])
3983 ([CVE-2016-7053])
3989 There is a carry propagating bug in the Broadwell-specific Montgomery
3996 erroneous outcome of public-key operations with specially crafted input.
3997 Among EC algorithms only Brainpool P-512 curves are affected and one
3999 detail, because pre-requisites for attack are considered unlikely. Namely
4007 ([CVE-2016-7055])
4020 The patch applied to address CVE-2016-6307 resulted in an issue where if a
4030 ([CVE-2016-6309])
4044 the "no-ocsp" build time option are not affected.
4047 ([CVE-2016-6304])
4058 ([CVE-2016-6305])
4096 memory - which would then mean a more serious Denial of Service.
4099 (CVE-2016-6307 and CVE-2016-6308)
4103 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
4105 assemble our modules with -KPIC flag. As result it, assembly
4107 lack of side-channel resistant code, which is incompatible with
4115 * Windows command-line tool supports UTF-8 opt-in option for arguments
4118 with Windows CryptoAPI and protected with non-ASCII password, as well
4119 as files generated under UTF-8 locale on Linux also protected with
4120 non-ASCII password.
4124 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
4126 See the RC4 item below to re-enable both.
4146 no-ops and deprecated.
4151 calling CryptGenRandom(). Various other RAND-related tickets
4200 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4206 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4219 the "no-shared" Configure option.
4223 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4229 * Make various cleanup routines no-ops and mark them as deprecated. Most
4231 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4232 Explicitly de-initing can cause problems (e.g. where a library that uses
4233 OpenSSL de-inits, but an application is still using it). The affected
4241 * --strict-warnings no longer enables runtime debugging options
4243 enabled with '--debug' builds.
4271 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4284 * Removed the aged BC-32 config and all its supporting scripts
4302 encryptions/decryptions simultaneously. There are currently no built-in
4312 AES128-CBC. The kernel must be version 4.1.0 or greater.
4317 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4318 are two supported threading models: pthreads and windows threads. It is
4319 also possible to configure OpenSSL at compile time for "no-threads". The
4321 replaced with "no-op" compatibility macros.
4330 * Add SSL_CIPHER queries for authentication and key-exchange.
4335 - Prefer (EC)DHE handshakes over plain RSA.
4336 - Prefer AEAD ciphers over legacy ciphers.
4337 - Prefer ECDSA over RSA when both certificates are available.
4338 - Prefer TLSv1.2 ciphers/PRF.
4339 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4350 disabled by default. They can be re-enabled using the
4351 enable-weak-ssl-ciphers option to Configure.
4365 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4368 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4375 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4395 the configuration option "disable-dynamic-engine".
4400 with "disable-dso" or "disable-pic".
4415 If this isn't desirable, the configuration options "disable-pic"
4416 or "no-pic" can be used to disable the use of PIC. This will
4427 is for. Also, the configuration option --install_prefix is
4433 for DTLS; configure with enable-heartbeats. Code that uses the
4454 template in Configurations, like unix-Makefile.tmpl or
4467 * Added support for auto-initialisation and de-initialisation of the library.
4489 the leading 0-byte.
4501 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4508 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4541 --prefix and --openssldir change their semantics, and become more
4544 --prefix shall be used exclusively to give the location INSTALLTOP
4548 --openssldir shall be used exclusively to give the default
4553 values of both the --prefix value and the --openssldir value will
4555 The default for --openssldir is INSTALLTOP/ssl.
4557 Anyone who uses --openssldir to specify where OpenSSL is to be
4558 installed MUST change to use --prefix instead.
4570 * EGD is no longer supported by default; use enable-egd when
4594 example, be used to implement local end-entity certificate or
4595 trust-anchor "pinning", where the "pin" data takes the form
4604 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4610 should be used with the --api=1.1.0 option to entirely remove
4613 Essentially the same effect can be achieved with the "no-deprecated"
4619 they should update their compile-time OPENSSL_API_COMPAT define
4631 * Add support for setting the minimum and maximum supported protocol.
4657 ciphers which are no longer supported and drops support for the ephemeral RSA key
4685 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4697 exclude it using the list of supported ciphers. This also means that the
4698 "-no_ecdhe" option has been removed from s_server.
4724 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4759 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4777 * Fix no-stdio build.
4796 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4850 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4868 code and the associated standard is no longer considered fit-for-purpose.
4895 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4908 Access to deprecated functions can be re-enabled by running config with
4909 "enable-deprecated". In addition applications wishing to use deprecated
4918 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4919 for OCB can be removed by calling config with no-ocb.
4929 done while fixing the error code for the key-too-small case.
4931 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4952 16-bit platforms such as WIN16
4957 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4958 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4959 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4960 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4961 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4962 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4966 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4977 NULL. Remove the non-null checks from callers. Save much code.
4997 * Harmonize version and its documentation. -f flag is used to display
5017 preparing the fix ([CVE-2014-0160])
5022 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
5027 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
5036 * Experimental encrypt-then-mac support.
5039 draft-gutmann-tls-encrypt-then-mac-02.txt
5042 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
5044 For non-compliant peers (i.e. just about everything) this should have no
5058 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5098 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
5110 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
5122 FIPS 186-3 A.2.3.
5124 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
5150 information in FIPS186-3, SP800-57 and SP800-131A.
5186 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5190 * Extensive self tests and health checking required by SP800-90 DRBG.
5192 instantiate at maximum supported strength.
5205 leading zeroes if needed: this complies with SP800-56A et al.
5209 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5227 * Add selftest checks and algorithm block of non-fips algorithms in
5238 * New build option no-ec2m to disable characteristic 2 code.
5253 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5279 * Improve forward-security support: add functions
5300 * New -verify_name option in command line utilities to set verification
5310 * Experimental renegotiation in s_server -www mode. If the client
5318 multi-process servers.
5337 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5344 -------------
5348 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5364 ([CVE-2019-1547])
5378 The old behaviour can be re-enabled in the CMS code by setting the
5380 ([CVE-2019-1563])
5387 binaries and run-time config file.
5388 ([CVE-2019-1552])
5401 * Add FIPS support for Android Arm 64-bit
5403 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5405 'android64-aarch64' was missing in OpenSSL 1.0.2, whence it could not be
5406 built with FIPS support on Android Arm 64-bit. This omission has been
5413 * 0-byte record padding oracle
5423 In order for this to be exploitable "non-stitched" ciphersuites must be in
5432 ([CVE-2019-1559])
5452 ([CVE-2018-5407])
5463 ([CVE-2018-0734])
5484 ([CVE-2018-0732])
5497 ([CVE-2018-0737])
5508 length-invariant. Switch even to fixed-length Montgomery multiplication.
5514 For larger primes this will result in more rounds of Miller-Rabin.
5516 to 2^-128.
5520 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5550 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5552 ([CVE-2018-0739])
5577 ([CVE-2017-3737])
5584 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5592 no longer an option since CVE-2016-0701.
5598 was originally found via the OSS-Fuzz project.
5599 ([CVE-2017-3738])
5622 This issue was reported to OpenSSL by the OSS-Fuzz project.
5623 ([CVE-2017-3736])
5630 OpenSSL could do a one-byte buffer overread. The most likely result
5633 This issue was reported to OpenSSL by the OSS-Fuzz project.
5639 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5648 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5650 perform an out-of-bounds read, usually resulting in a crash.
5653 ([CVE-2017-3731])
5671 similar to CVE-2015-3193 but must be treated as a separate problem.
5673 This issue was reported to OpenSSL by the OSS-Fuzz project.
5674 ([CVE-2017-3732])
5680 There is a carry propagating bug in the Broadwell-specific Montgomery
5687 erroneous outcome of public-key operations with specially crafted input.
5688 Among EC algorithms only Brainpool P-512 curves are affected and one
5690 detail, because pre-requisites for attack are considered unlikely. Namely
5698 ([CVE-2016-7055])
5718 ([CVE-2016-7052])
5732 the "no-ocsp" build time option are not affected.
5735 ([CVE-2016-6304])
5744 ([CVE-2016-2183])
5760 ([CVE-2016-6303])
5774 ([CVE-2016-6302])
5787 ([CVE-2016-2182])
5799 ([CVE-2016-2180])
5825 ([CVE-2016-2177])
5833 implementation means that a non-constant time codepath is followed for
5834 certain operations. This has been demonstrated through a cache-timing
5840 ([CVE-2016-2178])
5846 In a DTLS connection where handshake messages are delivered out-of-order
5858 ([CVE-2016-2179])
5873 ([CVE-2016-2181])
5889 ([CVE-2016-6306])
5895 * Prevent padding oracle in AES-NI CBC MAC check
5899 AES-NI.
5902 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5908 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5927 ([CVE-2016-2105])
5951 ([CVE-2016-2106])
5967 ([CVE-2016-2109])
5978 ([CVE-2016-2176])
5992 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
6000 Builds that are not configured with "enable-weak-ssl-ciphers" will not
6006 is by default disabled at build-time. Builds that are not configured with
6007 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
6008 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
6016 explicitly uses the version-specific SSLv2_method() or its client and
6018 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
6019 ciphers, and SSLv2 56-bit DES are no longer available.
6020 ([CVE-2016-0800])
6024 * Fix a double-free in DSA code
6033 ([CVE-2016-0705])
6053 ([CVE-2016-0798])
6078 ([CVE-2016-0797])
6099 functions when printing out human-readable dumps of ASN.1 data. Therefore
6110 ([CVE-2016-0799])
6116 A side-channel attack was found which makes use of cache-bank conflicts on
6117 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6120 hyper-threaded core as the victim thread which is performing decryptions.
6126 ([CVE-2016-0702])
6130 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6167 ([CVE-2016-0701])
6180 ([CVE-2015-3197])
6202 ([CVE-2015-3193])
6218 ([CVE-2015-3194])
6231 ([CVE-2015-3195])
6284 This issue was reported to OpenSSL by Joseph Barr-Pixton.
6285 ([CVE-2015-1788])
6289 * Exploitable out-of-bounds read in X509_cmp_time
6305 ([CVE-2015-1789])
6312 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6320 ([CVE-2015-1790])
6331 ([CVE-2015-1792])
6337 If a NewSessionTicket is received by a multi-threaded client when attempting to
6340 ([CVE-2015-1791])
6344 * Only support 256-bit or stronger elliptic curves with the
6345 'ecdh_auto' setting (server) or by default (client). Of supported
6346 curves, prefer P-256 (both).
6360 ([CVE-2015-0291])
6370 using non-blocking IO. Typically, when the user application is using a
6376 ([CVE-2015-0290])
6393 ([CVE-2015-0207])
6405 ([CVE-2015-0286])
6420 ([CVE-2015-0208])
6434 ([CVE-2015-0287])
6441 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6449 ([CVE-2015-0289])
6457 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6461 ([CVE-2015-0293])
6470 ([CVE-2015-1787])
6478 - The client is on a platform where the PRNG has not been seeded
6480 - A protocol specific client method version has been used (i.e. not
6482 - A ciphersuite is used that does not require additional random data from
6483 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6492 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6493 ([CVE-2015-0285])
6508 ([CVE-2015-0209])
6518 ([CVE-2015-0288])
6533 near-optimal performance even on newer platforms.
6537 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6549 bogus results, with non-infinity inputs mapped to infinity too.)
6560 * Add support for little-endian ppc64 Linux target.
6567 Both 32- and 64-bit modes are supported.
6588 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6628 * Add -rev test option to s_server to just reverse order of characters
6634 * New option -brief for s_client and s_server to print out a brief summary
6643 * New option -crl_download in several openssl utilities to download CRLs
6648 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6684 "enable-ssl-trace". New options to s_client and s_server to enable
6689 * New ctrl and macro to retrieve supported points extensions.
6756 supported signature algorithms.
6760 * Support for distinct client and server supported signature algorithms.
6767 supported signature algorithms. Add very simple example to s_server.
6781 certificate signature algorithms contained in the supported algorithms
6794 * Add new functions to allow customised supported signature algorithms
6826 * Initial experimental support for explicitly trusted non-root CAs.
6829 setting is used: whether to trust (e.g., -addtrust option to the x509
6834 * Add -trusted_first option which attempts to find certificates in the
6844 * Support for linux-x32, ILP32 environment in x86_64 framework.
6848 * Experimental multi-implementation support for FIPS capable OpenSSL.
6883 to set list of supported curves.
6887 * New ctrls to retrieve supported signature algorithms and
6888 supported curve values as an array of NIDs. Extend openssl utility
6894 between NIDs and the more common NIST names such as "P-256". Enhance
6914 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6916 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6921 -------------
6933 the "no-ocsp" build time option are not affected.
6936 ([CVE-2016-6304])
6945 ([CVE-2016-2183])
6961 ([CVE-2016-6303])
6975 ([CVE-2016-6302])
6988 ([CVE-2016-2182])
7000 ([CVE-2016-2180])
7026 ([CVE-2016-2177])
7034 implementation means that a non-constant time codepath is followed for
7035 certain operations. This has been demonstrated through a cache-timing
7041 ([CVE-2016-2178])
7047 In a DTLS connection where handshake messages are delivered out-of-order
7059 ([CVE-2016-2179])
7074 ([CVE-2016-2181])
7090 ([CVE-2016-6306])
7096 * Prevent padding oracle in AES-NI CBC MAC check
7100 AES-NI.
7103 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7109 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7110 ([CVE-2016-2107])
7129 ([CVE-2016-2105])
7153 ([CVE-2016-2106])
7169 ([CVE-2016-2109])
7180 ([CVE-2016-2176])
7194 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7202 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7208 is by default disabled at build-time. Builds that are not configured with
7209 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7210 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7218 explicitly uses the version-specific SSLv2_method() or its client and
7220 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7221 ciphers, and SSLv2 56-bit DES are no longer available.
7222 ([CVE-2016-0800])
7226 * Fix a double-free in DSA code
7235 ([CVE-2016-0705])
7255 ([CVE-2016-0798])
7280 ([CVE-2016-0797])
7301 functions when printing out human-readable dumps of ASN.1 data. Therefore
7312 ([CVE-2016-0799])
7318 A side-channel attack was found which makes use of cache-bank conflicts on
7319 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7322 hyper-threaded core as the victim thread which is performing decryptions.
7328 ([CVE-2016-0702])
7332 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7358 ([CVE-2015-3197])
7380 ([CVE-2015-3194])
7393 ([CVE-2015-3195])
7422 ([CVE-2015-1793])
7428 If PSK identity hints are received by a multi-threaded client then
7432 ([CVE-2015-3196])
7455 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7456 ([CVE-2015-1788])
7460 * Exploitable out-of-bounds read in X509_cmp_time
7476 ([CVE-2015-1789])
7483 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7491 ([CVE-2015-1790])
7502 ([CVE-2015-1792])
7508 If a NewSessionTicket is received by a multi-threaded client when attempting to
7511 ([CVE-2015-1791])
7519 * dhparam: generate 2048-bit parameters by default.
7533 ([CVE-2015-0286])
7547 ([CVE-2015-0287])
7554 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7562 ([CVE-2015-0289])
7570 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7574 ([CVE-2015-0293])
7589 ([CVE-2015-0209])
7599 ([CVE-2015-0288])
7619 ([CVE-2014-3571])
7629 ([CVE-2015-0206])
7633 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7634 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7637 ([CVE-2014-3569])
7646 ([CVE-2014-3572])
7650 * Remove non-export ephemeral RSA code on client and server. This code
7652 non-export ciphersuites and could be used by a server to effectively
7656 ([CVE-2015-0204])
7668 ([CVE-2015-0205])
7682 By using non-DER or invalid encodings outside the signed portion of a
7703 Re-encode DSA/ECDSA signatures and compare with the original received
7714 ([CVE-2014-8275])
7726 ([CVE-2014-3570])
7743 * Tighten client-side session ticket handling during renegotiation:
7768 ([CVE-2014-3513])
7780 ([CVE-2014-3567])
7784 * Build option no-ssl3 is incomplete.
7786 When OpenSSL is configured with "no-ssl3" as a build option, servers
7789 ([CVE-2014-3568])
7796 ([CVE-2014-3566])
7802 Re-encode DigestInfo in DER and check against the original when
7818 ([CVE-2014-3512])
7824 is badly fragmented. This allows a man-in-the-middle attacker to force a
7830 ([CVE-2014-3511])
7841 ([CVE-2014-3510])
7848 ([CVE-2014-3507])
7856 ([CVE-2014-3506])
7863 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7865 ([CVE-2014-3505])
7875 ([CVE-2014-3509])
7886 ([CVE-2014-5139])
7896 ([CVE-2014-3508])
7902 bogus results, with non-infinity inputs mapped to infinity too.)
7913 researching this issue. ([CVE-2014-0224])
7921 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7922 ([CVE-2014-0221])
7931 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7939 this issue. ([CVE-2014-3470])
7943 * Harmonize version and its documentation. -f flag is used to display
7965 preparing the fix ([CVE-2014-0160])
7970 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7975 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7979 * TLS pad extension: draft-agl-tls-padding-03
7993 ([CVE-2013-4353])
7997 to be resent. ([CVE-2013-6450])
8002 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8004 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8012 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
8029 ([CVE-2013-0169])
8038 ([CVE-2012-2686])
8043 This fixes a DoS attack. ([CVE-2013-0166])
8072 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8074 ([CVE-2012-2333])
8121 ([CVE-2012-2110])
8125 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
8137 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8173 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8177 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8185 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
8186 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
8187 - x86_64: bit-sliced AES implementation;
8188 - ARM: NEON support, contemporary platforms optimizations;
8189 - s390x: z196 support;
8190 - `*`: GHASH and GF(2^m) multiplication implementations;
8194 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8203 * Add DTLS-SRTP negotiation from RFC 5764.
8208 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8209 disabled with a no-npn flag to config or Configure. Code donated
8214 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8215 NIST-P256, NIST-P521, with constant-time single point multiplication on
8217 required to use this (present in gcc 4.4 and later, for 64-bit builds).
8220 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8240 * New -sigopt option to the ca, req and x509 utilities. Additional
8253 New function ASN1_item_sign_ctx() signs a pre-initialised
8292 * Session-handling fixes:
8293 - Fix handling of connections that are resuming with a session ID,
8295 - Fix a bug that suppressed issuing of a new ticket if the client
8297 - Try to set the ticket lifetime hint to something reasonable.
8298 - Make tickets shorter by excluding irrelevant information.
8299 - On the client side, don't ignore renewed tickets.
8307 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8315 portions. This adds all GCM ciphersuites supported by RFC5288 and
8335 switch between FIPS and non-FIPS modes.
8341 keep original code iff non-FIPS operations are allowed.
8345 * Add -attime option to openssl utilities.
8358 * New build option no-ec2m to disable characteristic 2 code.
8362 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8372 * Add similar low-level API blocking to ciphers.
8376 * low-level digest APIs are not approved in FIPS mode: any attempt
8395 * Output TLS supported curves in preference order instead of numerical
8405 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8464 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8474 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8488 -------------
8501 ([CVE-2015-3195])
8507 If PSK identity hints are received by a multi-threaded client then
8511 ([CVE-2015-3196])
8528 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8529 ([CVE-2015-1788])
8533 * Exploitable out-of-bounds read in X509_cmp_time
8549 ([CVE-2015-1789])
8556 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8564 ([CVE-2015-1790])
8575 ([CVE-2015-1792])
8581 If a NewSessionTicket is received by a multi-threaded client when attempting to
8584 ([CVE-2015-1791])
8598 ([CVE-2015-0286])
8612 ([CVE-2015-0287])
8619 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8627 ([CVE-2015-0289])
8635 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8639 ([CVE-2015-0293])
8654 ([CVE-2015-0209])
8664 ([CVE-2015-0288])
8684 ([CVE-2014-3571])
8694 ([CVE-2015-0206])
8698 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8699 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8702 ([CVE-2014-3569])
8711 ([CVE-2014-3572])
8715 * Remove non-export ephemeral RSA code on client and server. This code
8717 non-export ciphersuites and could be used by a server to effectively
8721 ([CVE-2015-0204])
8733 ([CVE-2015-0205])
8745 ([CVE-2014-3570])
8751 By using non-DER or invalid encodings outside the signed portion of a
8783 ([CVE-2014-8275])
8797 ([CVE-2014-3567])
8801 * Build option no-ssl3 is incomplete.
8803 When OpenSSL is configured with "no-ssl3" as a build option, servers
8806 ([CVE-2014-3568])
8813 ([CVE-2014-3566])
8836 ([CVE-2014-3510])
8843 ([CVE-2014-3507])
8851 ([CVE-2014-3506])
8858 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8860 ([CVE-2014-3505])
8870 ([CVE-2014-3509])
8880 ([CVE-2014-3508])
8886 bogus results, with non-infinity inputs mapped to infinity too.)
8897 researching this issue. ([CVE-2014-0224])
8905 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8906 ([CVE-2014-0221])
8915 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8923 this issue. ([CVE-2014-3470])
8927 * Harmonize version and its documentation. -f flag is used to display
8942 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8947 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8955 to be resent. ([CVE-2013-6450])
8960 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8962 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8980 ([CVE-2013-0169])
8985 This fixes a DoS attack. ([CVE-2013-0166])
9009 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9011 ([CVE-2012-2333])
9028 ([CVE-2012-2110])
9038 old behaviour can be re-enabled in the CMS code by setting the
9042 this issue. ([CVE-2012-0884])
9046 * Fix CVE-2011-4619: make sure we really are receiving a
9054 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
9057 preparing a fix. ([CVE-2012-0050])
9073 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
9074 for preparing the fix. ([CVE-2011-4108])
9079 ([CVE-2011-4576])
9085 Adam Langley for preparing the fix. ([CVE-2011-4619])
9089 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
9095 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
9103 * Fix ssl_ciph.c set-up race.
9127 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
9134 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9139 for multi-threaded use of ECDH. ([CVE-2011-3210])
9161 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9175 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9179 * Fixed J-PAKE implementation error, originally discovered by
9181 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9189 be shared by multiple threads. CVE-2010-3864
9201 ([CVE-2010-1633])
9203 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9217 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9272 *Michael Tuexen <tuexen@fh-muenster.de>*
9311 openssl dgst -sha256 foo
9344 * Add session ticket override functionality for use by EAP-FAST.
9353 * Type-checked OBJ_bsearch_ex.
9357 * Type-checked OBJ_bsearch. Also some constification necessitated
9358 by type-checking. Still to come: TXT_DB, bsearch(?),
9399 * Initial indirect CRL support. Currently only supported in the CRLs
9431 and URI types are currently supported.
9437 * To cater for systems that provide a pointer-based thread ID rather
9444 as a pointer-based thread ID to distinguish between threads.
9457 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9479 * Revamp of STACK to provide stronger type-checking. Still to come:
9490 * Revamp of LHASH to provide stronger type-checking. Still to come:
9509 files from Configure script, currently only included in VC-WIN32.
9530 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9536 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9547 an internal copy of the length-'len' string at 'src', and will
9548 return non-zero for success.
9566 has to return non-zero to report success: usually 1 to use opaque
9595 supported.
9626 * Add option -stream to use PKCS#7 streaming in smime utility. New
9635 ENGINE support for HMAC keys which are unextractable. New -mac and
9636 -macopt options to dgst utility.
9640 * New option -sigopt to dgst utility. Update dgst to use
9649 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9657 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9685 away into the non-exported interface ssl/ssl_locl.h, so this
9703 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9714 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9737 -verify_return_error to s_client and s_server. This causes real errors
9780 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9806 list-message-digest-algorithms and list-cipher-algorithms.
9811 of degrees of non-zero coefficients is now terminated with -1.
9837 kECDHr - ECDH cert, signed with RSA
9838 kECDHe - ECDH cert, signed with ECDSA
9839 kECDH - ECDH cert (signed with either RSA or ECDSA)
9840 kEECDH - ephemeral ECDH
9841 ECDH - ECDH cert or ephemeral ECDH
9843 aECDH - ECDH cert
9844 aECDSA - ECDSA cert
9845 ECDSA - ECDSA cert
9847 AECDH - anonymous ECDH
9848 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
9852 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
9874 * New -resign option to smime utility. This adds one or more signers
9875 to an existing PKCS#7 signedData structure. Also -md option to use an
9886 * New -macalg option to pkcs12 utility to allow setting of an alternative
9905 supported by any public key method supporting the encrypt operation. A
9916 2 is mandatory (that is it is the only supported type). Modify
9989 "list-public-key-algorithms" to print out info.
9993 * Implement the Supported Elliptic Curves Extension for
9994 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10017 De-spaghettify the public key ASN1 handling. Move public and private
10025 * Implement the Supported Point Formats Extension for
10026 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10035 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
10036 PSK-AES256-CBC-SHA
10068 - SSL_CTX_set_tlsext_servername_callback()
10070 - SSL_CTX_set_tlsext_servername_arg()
10071 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10073 openssl s_client has a new '-servername ...' option.
10075 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10076 '-key2 ...', '-servername_fatal' (subject to change). This allows
10077 testing the HostName extension for a specific single host name ('-cert'
10078 and '-key' remain fallbacks for handshakes without HostName
10080 default is a warning; it becomes fatal with the '-servername_fatal'
10089 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
10093 implementations, between 32- and 64-bit builds without hassle.
10106 "64-bit" performance on certain 32-bit targets.
10117 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
10165 -------------
10170 update s->server with a new major version number. As of
10171 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10172 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10175 protection is active. ([CVE-2010-0740])
10179 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10186 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
10211 highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
10220 This results in significant per-connection memory leaks and
10221 has caused some security issues including CVE-2008-1678 and
10222 CVE-2009-4355.
10264 * Implement RFC5746. Re-enable renegotiation but require the extension
10275 servername handling. Use a non-zero length session ID when attempting
10290 * Add --strict-warnings option to Configure script to include devteam
10295 * Add support for --libdir option and LIBDIR variable in makefiles. This
10326 it used to have an ad-hoc builder which was unable to cope with anything
10334 with non-FIPS digests are now usable in FIPS mode.
10345 buffered. ([CVE-2009-1378])
10355 ([CVE-2009-1377])
10359 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10360 parent structure is freed. ([CVE-2009-1379])
10364 * Handle non-blocking I/O properly in SSL_shutdown() call.
10366 *Darryl Miles <darryl-mailinglists@netbauds.net>*
10374 * Disable renegotiation completely - this fixes a severe security
10375 problem ([CVE-2009-3555]) at the cost of breaking all
10376 renegotiation. Renegotiation can be re-enabled by setting
10377 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10378 run-time. This is really not recommended unless you know what
10387 zeroing past the valid field. ([CVE-2009-0789])
10393 appear to verify correctly. ([CVE-2009-0591])
10399 a legal length. ([CVE-2009-0590])
10419 * New -hex option for openssl rand.
10440 ([CVE-2008-5077]).
10458 * Tweak Configure so that you need to say "experimental-jpake" to enable
10459 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10476 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10487 ChangeCipherSpec as first record ([CVE-2009-1386]).
10497 double-checked locking was incomplete for RSA blinding,
10499 doubly unsafe triple-checked locking.
10508 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10510 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10514 - Change bn_nist.c so that it will properly handle input BIGNUMs
10517 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10522 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10531 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10543 Not compiled unless enable-capieng specified to Configure.
10560 Codenomicon TLS test suite ([CVE-2008-1672])
10565 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10589 the 'db' section contains nothing but zeroes (there is a one-byte
10594 * Partial backport from 0.9.9-dev:
10598 While 0.9.9-dev uses assembler for various architectures, only
10600 32-bit x86 is available through a compile-time setting.
10602 To try the 32-bit x86 assembler implementation, use Configure
10603 option "enable-montasm" (which exists only for this backport).
10605 As "enable-montasm" for 32-bit x86 disclaims code stability
10607 backported from 0.9.9-dev for further performance improvements,
10609 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10620 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10627 'uptodate' flag is reset so that auto-discovery will be used next
10640 only supported if data is detached: setting the streaming flag is
10644 with the enable-cms configuration option.
10681 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10682 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10683 - added some more tests to do_tests.pl
10684 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10685 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10686 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10687 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10688 - various changes to netware.pl to enable gcc-cross builds on Win32
10690 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10691 - various changes to fix missing prototype warnings
10692 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10693 - added AES, WHIRLPOOL and CPUID assembler code to build files
10694 - added missing AES assembler make rules to mk1mf.pl
10695 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10711 + DTLS interoperation with non-compliant servers
10723 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10726 This update even addresses CVE-2007-4995.
10738 supported.
10775 - SSL_CTX_set_tlsext_servername_callback()
10777 - SSL_CTX_set_tlsext_servername_arg()
10778 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10780 openssl s_client has a new '-servername ...' option.
10782 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10783 '-key2 ...', '-servername_fatal' (subject to change). This allows
10784 testing the HostName extension for a specific single host name ('-cert'
10785 and '-key' remain fallbacks for handshakes without HostName
10787 default is a warning; it becomes fatal with the '-servername_fatal'
10813 * Add the Korean symmetric 128-bit cipher SEED (see
10817 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10818 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10819 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10820 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10824 is configured with 'enable-seed'.
10832 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10836 respectively, which are slower, but avoid the security-relevant
10851 constant-time implementations for more than just exponentiation.
10868 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10879 authentication-only ciphersuites.
10883 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10885 ([CVE-2007-5135]) [Ben Laurie]
10927 *Goetz Babin-Ebell*
10932 cause a denial of service. ([CVE-2006-2940])
10937 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10940 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10943 malicious SSLv2 server. ([CVE-2006-4343])
10948 match only those. Before that, "AES256-SHA" would be interpreted
10949 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10953 "RC4-MD5" that intentionally matched multiple ciphersuites --
10960 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10977 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10992 However, please upgrade to OpenSSL 0.9.9[-dev] for
10993 non-experimental use of the ECC ciphersuites to get TLS extension
11001 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
11002 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
11003 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
11006 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
11010 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
11016 dual-core machines) and other potential thread-safety issues.
11020 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
11021 versions), which is now available for royalty-free use
11027 is configured with 'enable-camellia'.
11051 * Update support for ECC-based TLS ciphersuites according to
11052 draft-ietf-tls-ecc-12.txt with proposed changes (but without
11053 TLS extensions, which are supported starting with the 0.9.9
11067 Static zlib linking now works on Windows and the new --with-zlib-include
11068 --with-zlib-lib options to Configure can be used to supply the location
11095 countermeasure against man-in-the-middle protocol-version
11097 idea. ([CVE-2005-2969])
11112 * Avoid some small subgroup attacks in Diffie-Hellman.
11116 * Add functions for well-known primes.
11153 * Add -utf8 command line and config file option to 'ca'.
11163 involves renaming the source and generated shared-libs for
11172 use it. Make -CSP option work again in pkcs12 utility.
11177 - automatic re-creation of the BN_BLINDING parameters after
11179 - add new function for parameter creation
11180 - introduce flags to control the update behaviour of the
11182 - hide BN_BLINDING structure
11203 * Use SHA-1 instead of MD5 as the default digest algorithm for
11208 * Compile clean with "-Wall -Wmissing-prototypes
11209 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11215 The new counterpiece to "no-xxx" is "enable-xxx".
11218 "enable-rc5" and "enable-mdc2", respectively, are specified.
11222 fee for non-commercial use. As before, "no-idea" can be used to
11229 EGEE (Enabling Grids for E-science in Europe).
11234 as Intel P4, IA-64 and AMD64.
11238 * New utility extract-section.pl. This can be used specify an alternative
11249 * New arguments -certform, -keyform and -pass for s_client and s_server
11274 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11290 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11295 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
11303 give fewer recursive includes, which could break lazy source code - so
11307 backwards-compatible behaviour prevails when this isn't defined.
11344 static array of bignums, BN_CTX now uses a linked-list of such arrays
11380 * BN_CTX_get() should return zero-valued bignums, providing the same
11413 * Because of the callback-based approach for implementing LHASH as a
11414 template type, lh_insert() adds opaque objects to hash-tables and
11417 (and losing the object pointers). So some over-zealous constifications in
11431 aren't necessarily the greatest nomenclatures - but this is what was used
11438 the self-tests were still using deprecated key-generation functions so
11459 modulus operations are not performed. The (pre-generated) prime
11461 re-generated on some platforms because of the "division by zero"
11466 * Update support for ECC-based TLS ciphersuites according to
11467 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11468 SHA-1 now is only used for "small" curves (where the
11482 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11494 to certificate and key stores, be they simple file-based stores, or
11495 HSM-type store, or LDAP stores, or...
11508 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11516 searched-for key would be inserted to preserve sorting order.
11537 * Make it possible to create self-signed certificates with 'openssl ca'
11538 in such a way that the self-signed certificate becomes part of the
11540 as all other certificate signing. The new flag '-selfsign' enables
11547 request can be signed by that key (self-signing).
11560 * Generate multi-valued AVAs using '+' notation in config files for
11578 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11607 * Add full support for -rpath/-R, both in shared libraries and
11637 ./config -DOPENSSL_USE_GMP -lgmp
11642 testing availability of engines with "-t" - the old behaviour is
11643 produced by increasing the feature's verbosity with "-tt".
11654 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11661 * Change the "progress" mechanism used in key-generation and
11667 migrate to the new functions. Also, the new key-generation API
11668 functions operate on a caller-supplied key-structure and return
11669 success/failure rather than returning a key or NULL - this is to
11683 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11692 draft-ietf-tls-compression-04.txt.
11702 -- at least one of the pair shall be present -- }
11723 to avoid the need to access 'a->neg' directly in applications.
11727 * Implement fast modular reduction for pseudo-Mersenne primes
11748 the usual use of --prefix and/or --openssldir, and at run
11764 files while avoiding the low-level API.
11768 algorithm NIDs can be set to -1 for no encryption, the mac
11771 Enhance pkcs12 utility by making the -nokeys and -nocerts
11772 options work when creating a PKCS#12 file. New option -nomac
11775 instead of the low-level API.
11791 * Let 'openssl req' fail if an argument to '-newkey' is not
11796 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11932 functionality is disabled at compile-time.
11939 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11940 mode the content of non-printable OCTET STRINGs is output in a
11953 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11955 - Points are encoded in uncompressed form by default; options for
12004 EC_METHOD) that verifies that the curve discriminant is non-zero.
12019 - 'openssl req' now has a '-newkey ecdsa:file' option;
12020 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
12021 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
12025 - ECDSA engine support has been added.
12061 authentication-only ciphersuites.
12105 cause a denial of service. ([CVE-2006-2940])
12110 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12113 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12116 malicious SSLv2 server. ([CVE-2006-4343])
12121 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
12122 will no longer include "AES128-SHA"), and any other similar
12124 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
12133 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12143 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12144 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12145 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12148 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12152 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12158 dual-core machines) and other potential thread-safety issues.
12173 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12185 safely run with a non-FIPSed libcrypto, as it may crash because of
12194 countermeasure against man-in-the-middle protocol-version
12196 idea. ([CVE-2005-2969])
12208 the exponentiation using a fixed-length exponent. (Otherwise,
12215 * Make a new fixed-window mod_exp implementation the default for
12216 RSA, DSA, and DH private-key operations so that the sequence of
12219 cache-timing and potential related attacks.
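The entry above is about the shape of the private-key exponentiation, not its result: with plain square-and-multiply the multiply step runs only for 1-bits, so the sequence of operations (and the cache lines it touches) spells out the exponent. A fixed-window method does the same work for every window. The following is an added example, not OpenSSL's `BN_mod_exp_mont_consttime`: both functions compute `base^exp mod m` and record an operation trace so the two leaks can be compared. Python integers are not constant-time; this shows the operation sequence, not a constant-time implementation, and the window width and the traced exponents are this example's own choices.

```python
def naive_square_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right binary exponentiation. The multiply happens only for
    1-bits, so the S/M pattern appended to `trace` spells out the exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def fixed_window_exp(base: int, exp: int, mod: int, trace: list,
                     width: int = 4, exp_bits: int = None) -> int:
    """Fixed-window exponentiation: every window of `width` bits costs
    exactly `width` squarings and one multiply, regardless of its value.
    `exp_bits` pads the exponent to a fixed length so two exponents of the
    same nominal size produce identical traces."""
    if exp_bits is None:
        exp_bits = exp.bit_length()
    table = [1]                                  # base^0 .. base^(2^width - 1)
    for _ in range(1, 1 << width):
        table.append(table[-1] * base % mod)
    mask = (1 << width) - 1
    result = 1
    nwin = -(-exp_bits // width)                 # ceil(exp_bits / width)
    for w in range(nwin - 1, -1, -1):
        for _ in range(width):
            result = result * result % mod
            trace.append("S")
        digit = (exp >> (w * width)) & mask
        # Gather the table entry by scanning every entry, so the memory
        # access pattern does not depend on `digit` (the idea behind the
        # scatter/gather table layout used in constant-time code).
        chosen = 0
        for i, entry in enumerate(table):
            m = -int(i == digit)                 # 0 or -1 (all ones)
            chosen |= entry & m
        result = result * chosen % mod           # multiply even when digit == 0
        trace.append("M")
    return result


def compare_traces(exp_a: int, exp_b: int, exp_bits: int = 16) -> dict:
    """Run both methods on two exponents of the same nominal length and
    report whether their operation traces are distinguishable."""
    mod = 2**127 - 1          # constructed modulus (a Mersenne prime)
    base = 123456789          # constructed base
    n1, n2, f1, f2 = [], [], [], []
    naive_square_multiply(base, exp_a, mod, n1)
    naive_square_multiply(base, exp_b, mod, n2)
    ra = fixed_window_exp(base, exp_a, mod, f1, exp_bits=exp_bits)
    rb = fixed_window_exp(base, exp_b, mod, f2, exp_bits=exp_bits)
    return {
        "correct": ra == pow(base, exp_a, mod) and rb == pow(base, exp_b, mod),
        "naive_traces_differ": n1 != n2,
        "fixed_traces_differ": f1 != f2,
    }
```

With `exp_a = 0x8001` and `exp_b = 0xFFFF` the naive traces differ (two multiplies against sixteen) while the fixed-window traces are identical; the per-window table gather is what the scatter/gather layout in real implementations buys, since the window digit would otherwise still leak through the table index.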
12238 * Add support for smime-type MIME parameter in S/MIME messages which some
12275 they must be explicitly allowed in run-time. See
12282 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12284 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12317 * Back-port of selected performance improvements from development
12327 * Add new -passin argument to dgst.
12332 this is needed for some certificates that re-encode DNs into UTF8Strings
12343 - if there is an unhandled critical extension (unless the user
12345 - if the path length has been exceeded (if one is set at all)
12346 - that certain extensions fit the associated purpose (if one has
12373 certificate is created using 'openssl req -x509'. The initial serial
12374 number file is created using 'openssl x509 -next_serial' in CA.pl
12381 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12382 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12387 ([CVE-2004-0112])
12437 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12439 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12446 * New -ignore_err option in ocsp application to stop the server
12492 * Countermeasure against the Klima-Pokorny-Rosa extension of
12502 They would be ill-advised to do so in most cases.
12508 an unpredictable seed -- if it is not unpredictable, there
12509 is no point in blinding anyway). Make RSA blinding thread-safe
12510 by remembering the creator's thread ID in rsa->blinding and
12511 having all other threads use local one-time blinding factors
12512 (this requires more computation than sharing rsa->blinding, but
12519 ENGINE as defaults for all supported algorithms irrespective of
12536 between bad padding and a MAC verification error. ([CVE-2003-0078])
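The point of that fix is the order of checks, not the padding rule itself: if a receiver bails out on bad padding before it has done the MAC work, an attacker can tell the two failures apart (by timing, or by the alert sent) and gets a padding oracle. The following is an added example, not OpenSSL's record-layer code. It models the check on an already-decrypted CBC record body laid out as `data || HMAC-SHA1(data) || pad bytes || pad_len`; the block cipher is left out because the oracle lives entirely in the checks, and the MAC key, record content and padding length are constructed for the demo.

```python
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_record(data: bytes, mac_key: bytes, pad_len: int) -> bytes:
    """Constructed plaintext record, TLS-style padding: pad_len + 1 bytes,
    each equal to pad_len."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    return data + mac + bytes([pad_len]) * (pad_len + 1)


def _padding_valid(rec: bytes) -> tuple:
    pad_len = rec[-1]
    if pad_len + 1 + MAC_LEN > len(rec):
        return False, pad_len
    return all(b == pad_len for b in rec[-(pad_len + 1):]), pad_len


def _mac_valid(rec: bytes, pad_len: int, mac_key: bytes, counter: dict) -> bool:
    body = rec[:len(rec) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    counter["mac_ops"] += 1  # instrumentation: how many MACs were computed
    expected = hmac.new(mac_key, data, hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def check_vulnerable(rec: bytes, mac_key: bytes, counter: dict) -> str:
    """Pre-fix behaviour: return on bad padding before any MAC work, so the
    two failures differ both in time taken and in the reason reported."""
    if len(rec) < MAC_LEN + 1:
        return "bad_padding"
    ok, pad_len = _padding_valid(rec)
    if not ok:
        return "bad_padding"
    return "ok" if _mac_valid(rec, pad_len, mac_key, counter) else "bad_mac"


def check_fixed(rec: bytes, mac_key: bytes, counter: dict) -> str:
    """Post-fix behaviour: on bad padding, carry on as if pad_len were 0,
    still run the MAC over the rest of the record, and report one generic
    failure either way. The length check is not an oracle: record length
    is visible on the wire anyway."""
    if len(rec) < MAC_LEN + 1:
        return "decrypt_error"
    ok, pad_len = _padding_valid(rec)
    if not ok:
        pad_len = 0
    mac_ok = _mac_valid(rec, pad_len, mac_key, counter)
    return "ok" if (ok and mac_ok) else "decrypt_error"


def demo() -> dict:
    """Run both checkers over a good record, a record with one corrupted
    pad byte, and a record with one flipped MAC byte (all constructed)."""
    key = b"\x11" * 20
    good = make_record(b"GET / HTTP/1.0\r\n", key, 5)
    bad_pad = good[:-3] + b"\x00" + good[-2:]                    # pad byte corrupted
    bad_mac = good[:-8] + bytes([good[-8] ^ 0x01]) + good[-7:]   # MAC byte flipped
    out = {}
    for name, fn in (("vulnerable", check_vulnerable), ("fixed", check_fixed)):
        for label, rec in (("good", good), ("bad_pad", bad_pad), ("bad_mac", bad_mac)):
            counter = {"mac_ops": 0}
            out[(name, label)] = (fn(rec, key, counter), counter["mac_ops"])
    return out
```

Running `demo()` shows the vulnerable checker computing zero MACs on the bad-padding record and one on the bad-MAC record, with two distinct error strings; the fixed checker computes exactly one MAC in every case and returns the same error for both failures. Timing differences in the MAC itself (its length depends on what pad_len is taken to be) were addressed later, in OpenSSL 1.0.1e, so this is the 2003 fix and not the full Lucky 13 countermeasure.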
12542 * Make the no-err option work as intended. The intention with no-err
12550 used by default when no-err is given.
12610 * IA-32 assembler support enhancements: unified ELF targets, support
12616 FreeBSD on non-x86 processors is separate from x86 processors on
12637 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
12665 warnings and a request that patches get sent to openssl-dev.
12669 * Add the VC-CE target, introduce the WINCE sysname, and add
12674 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12675 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12685 * Avoid using fixed-size buffers for one-line DNs.
12744 * Add assertions to prevent user-supplied crypto functions from
12762 * Fix off-by-one error in EGD path.
12792 Remote buffer overflow in SSL3 protocol - an attacker could
12793 supply an oversized master key in Kerberos-enabled versions.
12794 ([CVE-2002-0657])
12802 * Make -nameopt work fully for req and add -reqopt switch.
12804 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12818 which may be activated as a side-effect of selecting a single cipher.
12826 * Add appropriate support for separate platform-dependent build
12827 directories. The recommended way to make a platform-dependent
12834 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12835 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12836 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12837 mkdir -p `dirname $F`
12838 ln -s $OPENSSL_SOURCE/$F $F
12852 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12854 * Improve diagnostics in file reading and command-line digests.
12859 error in AES-CFB decryption.
12878 * Fix escaping of non-ASCII characters when using the -subj option
12889 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12902 * Fix the 'app_verify_callback' interface so that the user-defined
12910 i=s->ctx->app_verify_callback(&ctx)
12912 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12945 the same as the utility itself: that is the -config
12976 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12985 * Add the configuration target debug-linux-ppro.
12997 * Add -keyform to rsautl, and document -engine.
13050 (up to about 10% better than before for P-192 and P-224).
13074 SSL object, and 'arg' is the application-defined value set by
13077 'openssl s_client' and 'openssl s_server' have new '-msg' options
13108 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
13109 runs for the former and machine-readable output for the latter.
13113 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
13114 of the e-mail address in the DN (i.e., it will go into a certificate
13156 particular extension is supported.
13193 support for symmetric ciphers and digest implementations - so ENGINEs
13198 API changes worth noting - some RSA, DSA, DH, and RAND functions that
13200 reverted back - the hooking from this code to ENGINE is now a good
13201 deal more passive and at run-time, operations deal directly with
13204 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13255 * Add support for shared libraries for Unixware-7
13269 makes them more flexible to be built both as statically-linked ENGINEs
13270 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13271 Also, add stub code to each that makes building them as self-contained
13272 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13278 self-contained shared-libraries. The "dynamic" ENGINE exposes control
13279 commands that can be used to configure what shared-library to load and
13281 the [README-Engine.md](README-Engine.md) file
13282 that brings its information up-to-date and
13284 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13313 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13314 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13319 thread-safety problems that existed, and (b) makes it possible to clean
13445 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13452 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13463 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13464 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13465 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13467 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13468 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13469 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13472 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13474 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13478 * Added the OS2-EMX target.
13497 * Change all calls to low-level digest routines in the library and
13514 dialog box interfaces, application-defined prompts, the possibility
13521 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13607 per-structure level rather than having to store it globally.
13619 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13631 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13633 - executing control commands from command line arguments using the
13634 '-pre' and '-post' switches. '-post' is only used if '-t' is
13636 the individual commands are colon-separated, for example;
13637 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13643 and input types for run-time discovery by calling applications. A
13646 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13655 OpenSSL-based application. Commands have been added to all the
13656 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13657 control over shared-library paths without source code alterations.
13671 should already have non-const pointers to it (ie. they should only
13677 - "atalla" and "ubsec" string definitions were moved from header files
13679 rather than hard-coded - allowing parameterisation of these values
13681 - Removed unused "#if 0"'d code.
13682 - Fixed engine list iteration code so it uses ENGINE_free() to release
13684 - Constified the RAND_METHOD element of ENGINE structures.
13685 - Constified various get/set functions as appropriate and added
13686 missing functions (including a catch-all ENGINE_cpy that duplicates
13688 - Removed NULL parameter checks in get/set functions. Setting a method
13692 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13694 - Changed prototypes for ENGINE handler functions (init(), finish(),
13695 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13701 used only if the modulus is odd. On 32-bit systems, it is faster
13702 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13703 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13704 up to 450 bits. In 64-bit environments, the binary algorithm
13753 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13769 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13775 change the def and num file printf format specifier from "%-40sXXX"
13776 to "%-39s XXX". The latter will always guarantee a space after the
13823 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13830 Add options '-batch' and '-verbose' to 'openssl req'.
13890 checked. Two new options -validity_period and -status_age added to
13924 can be useful for session caching in multiple-server environments. A
13925 command-line switch for testing this (and any client code that wishes
13940 sure e_os2.h will cover all platform-specific cases together with
13942 Additionally, it is now possible to define configuration/platform-
13946 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13951 * New option -set_serial to 'req' and 'x509' this allows the serial
13961 supported. Add new CRL extensions to V3 code and some new objects.
13978 port and path components: primarily to parse OCSP URLs. New -url
13989 the request is nonce-less.
13995 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
14024 * Add the option -VAfile to 'openssl ocsp', so the user can give the
14031 handle the new API. Currently only ECB, CBC modes supported. Add new
14096 is initialised to -1 but X509_time_adj() now has to check the value
14142 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14145 the '-extensions ...' option may be used for specifying the
14158 `openssl ca -status <serial>` prints the status of the cert with
14160 `openssl ca -updatedb` updates the expiry status of certificates
14165 * New '-newreq-nodes' command option to CA.pl. This is like
14166 '-newreq', but calls 'openssl req' with the '-nodes' option
14181 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14182 value of OPENSSLDIR. This is available via the new '-d' option
14183 to 'openssl version', and is also included in 'openssl version -a'.
14210 There should no longer be any prototype-casting required when using
14221 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14230 (select timeout) and read in non-blocking mode. DEVRANDOM now
14235 For VMS, there's a currently-empty rand_vms.c.
14354 problems: As the program is single-threaded, all we have
14363 during TLS/SSL handshakes so that thread-safety is essential.
14365 for multi-threaded use, so it probably should be abolished.
14419 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14424 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14431 that provide type-safety and avoid function pointer casting for the
14432 type-specific callbacks.
14452 (using the probabilistic Tonelli-Shanks algorithm unless
14456 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14499 * Change BN_mod_mul so that the result is always non-negative.
14521 These functions always generate non-negative results.
14530 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14549 unless the '-salt' option is used (which usually means that
14552 or the new '-noverify' option is used.
14555 non-interactive use of 'openssl passwd' (passwords on the command
14556 line, '-stdin' option, '-in ...' option) and thus should not
14573 casts back to non-const were required (to be solved at a later
14595 are built-in in OpenSSL shall ever be used or not. The benefit is
14649 * Rework the filename-translation in the DSO code. It is now possible to
14656 * Support threads on FreeBSD-elf in Configure.
14705 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14706 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14715 certain ASN.1 tags ([CVE-2003-0851])
14724 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14750 * Countermeasure against the Klima-Pokorny-Rosa extension of
14760 They would be ill-advised to do so in most cases.
14766 an unpredictable seed -- if it is not unpredictable, there
14767 is no point in blinding anyway). Make RSA blinding thread-safe
14768 by remembering the creator's thread ID in rsa->blinding and
14769 having all other threads use local one-time blinding factors
14770 (this requires more computation than sharing rsa->blinding, but
14782 between bad padding and a MAC verification error. ([CVE-2003-0078])
14800 because the session->cipher setting was not restored when reloading
14808 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14810 *Zeev Lieber <zeev-l@yahoo.com>*
14833 the bitwise-OR of the two for use by the majority of applications
14836 changing anyway, so this is more a bug-fix than a behavioural
14841 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14858 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14870 * [In 0.9.6g-engine release:]
14879 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14886 *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*
14915 implementations is desired (e.g. '-bugs' option to 's_client' and
14926 F30602-01-2-0537.
14931 supplied buffer. ([CVE-2002-0659])
14941 too small for 64 bit platforms. ([CVE-2002-0655])
14942 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
14944 * Remote buffer overflow in SSL3 protocol - an attacker could
14945 supply an oversized session ID to a client. ([CVE-2002-0656])
14949 * Remote buffer overflow in SSL2 protocol - an attacker could
14950 supply an oversized client master key. ([CVE-2002-0656])
14957 encoded as NULL) with id-dsa-with-sha1.
14966 an end-of-file condition would erroneously be flagged, when the CRLF
14969 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14985 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14988 processing was enabled when in fact s->s3->in_read_app_data was
14991 *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*
15001 * Fix DH_generate_parameters() so that it works for 'non-standard'
15008 a generator of the order-q subgroup is just as good, if not
15019 returning non-zero before the data has been completely received
15020 when using non-blocking I/O.
15056 * [In 0.9.6d-engine release:]
15061 * Add the configuration target linux-s390x.
15063 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
15069 invocations of ssl3_accept when using non-blocking I/O, the
15074 To avoid this problem, we now set s->new_session to 2 instead of
15079 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
15093 type, we must throw them away by setting rr->length to 0.
15111 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
15113 Also some ip-pda OIDs in crypto/objects/objects.txt were
15123 * [In 0.9.6c-engine release:]
15128 * [In 0.9.6c-engine release:]
15136 rearranged (all '-L' options must appear before the first object
15141 * [In 0.9.6c-engine release:]
15147 * [In 0.9.6c-engine release:]
15153 * [In 0.9.6c-engine release:]
15164 messages are stored in a single piece (fixed-length part and
15165 variable-length part combined) and fix various bugs found on the way.
15186 never resets s->method to s->ctx->method when called from within
15235 * Add OpenUNIX-8 support including shared libraries
15252 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15284 configuration target "alpha-cc-rpath", which will never be selected
15296 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15317 dh->length and always used
15319 BN_rand_range(priv_key, dh->p).
15321 BN_rand_range() is not necessary for Diffie-Hellman, and this
15322 specific range makes Diffie-Hellman unnecessarily inefficient if
15323 dh->length (recommended exponent length) is much smaller than the
15324 length of dh->p. We could use BN_rand_range() if the order of
15326 dh->length.
15332 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15350 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15365 *Albert Chin-A-Young <china@thewrittenword.com>*
15367 * Add configuration option to build on Linux on both big-endian and
15368 little-endian MIPS.
15370 *Ralf Baechle <ralf@uni-koblenz.de>*
15372 * Add the possibility to create shared libraries on HP-UX.
15380 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15383 'md' followed by enough consecutive 1-byte PRNG requests
15394 Markku-Juhani's attack. (Actually it had never occurred
15396 half from which PRNG output bytes were taken -- I had always
15439 when fixing the server behaviour for backwards-compatible 'client
15443 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15499 * Change bctest again: '-x' expressions are not available in all
15519 If SEQUENCE length is indefinite just set c->slen to the total
15526 * Change bctest to avoid here-documents inside command substitution
15539 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15541 Computations, J. Cryptology 14 (2001) 2, 101-119,
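Two of the RSA countermeasures in this changelog fit in one worked example: the RSA-CRT result check from the entry above (a single faulty half-exponentiation leaks a prime factor, the Boneh-DeMillo-Lipton attack), and the blinding described in the 0.9.7b entry further up, which keeps the exponentiation from running on attacker-chosen input. The following is an added example, not OpenSSL's `RSA_eay_private_encrypt` or `rsa_blinding` code. The key is a constructed toy (two Mersenne primes, far too small for real use), the fault is simulated by flipping a bit of the mod-p half, and `recover_factor` is the attacker's side.

```python
from math import gcd
import secrets

P = 2**107 - 1                        # constructed toy primes (Mersenne primes)
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents
QINV = pow(Q, -1, P)                  # Garner coefficient


class FaultDetected(Exception):
    """Raised when s^e mod n != m: the CRT result must not be released."""


def crt_exp(m: int, fault: bool = False) -> int:
    """m^d mod n via Garner's recombination of the mod-p and mod-q halves.
    `fault=True` corrupts the mod-p half to simulate a glitch."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sp ^= 1
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def rsa_private(m: int, fault: bool = False, check: bool = True) -> int:
    """Blinded RSA private operation with the post-CRT consistency check.
    Blinding: work on m * r^e, then multiply the result by r^-1, since
    (m r^e)^d = m^d r, so the exponentiation never sees m itself."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    r_inv = pow(r, -1, N)
    blinded = (m * pow(r, E, N)) % N
    s = (crt_exp(blinded, fault) * r_inv) % N
    # Cheap public-exponent check: catches any fault in either CRT half.
    if check and pow(s, E, N) != m:
        raise FaultDetected("RSA-CRT result does not verify; not returning it")
    return s


def recover_factor(m: int, bad_sig: int) -> int:
    """Bellcore attack: a signature that is correct mod q but wrong mod p
    satisfies bad_sig^e == m (mod q) only, so gcd(bad_sig^e - m, n) = q.
    Blinding does not prevent this; the unblinded output still has the
    same per-prime structure."""
    return gcd((pow(bad_sig, E, N) - m) % N, N)


def demo() -> dict:
    m = int.from_bytes(b"constructed message", "big")
    good = rsa_private(m)
    try:
        rsa_private(m, fault=True)
        detected = False
    except FaultDetected:
        detected = True
    leaked = rsa_private(m, fault=True, check=False)
    return {
        "good_verifies": pow(good, E, N) == m,
        "fault_detected": detected,
        "factor_recovered": recover_factor(m, leaked) == Q,
    }
```

The check costs one exponentiation with the small public exponent, which is why it is affordable on every private operation; the blinding factor `r` here is fresh per call, whereas the 0.9.7b entry describes sharing a cached factor only within the thread that created it and using one-time factors elsewhere.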
15608 due to incorrect handling of multi-threading:
15616 inband-signalling in the previous code (which relied on the
15621 * Add "-rand" option also to s_client and s_server.
15626 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15645 to be set and top=0 forces the highest bit to be set; top=-1 is new
15650 * In the `NCONF_...`-based implementations for `CONF_...` queries
15706 * Fix 'openssl passwd -1'.
15717 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15727 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15734 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15764 avoid potential security hole. (Re-used sessions on the client side
15770 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15778 releases, have been re-implemented by renaming the previous
15789 the method-specific "init()" handler. Also clean up ex_data after
15790 calling the method-specific "finish()" handler. Previously, this was
15809 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15813 - Make note of the expected extension for the shared libraries and
15818 - Make as few rebuilds of the shared libraries as possible.
15820 - Still avoid linking the OpenSSL programs with the shared libraries.
15822 - When installing, install the shared libraries separately from the
15886 in a record-oriented fashion. That means that every write() will
15897 Currently, it's a VMS-only method, because that's where it has
15905 but it was in 0.9.6-beta[12].)
15931 documentation and run-time libraries. The devel package contains
15940 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16063 In BIO_puts, increment b->num_write as in BIO_write.
16080 used for low-level RSA operations. DER public key
16087 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
16089 * A demo state-machine implementation was sponsored by
16165 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16187 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16192 In s23_clnt.c, don't use special rollback-attack detection padding
16258 * New options to smime application. -inform and -outform
16260 PEM and DER. The -content option allows the content to be
16285 - New object identifiers are inserted in objects.txt, following
16287 - objects.pl is used to process obj_mac.num and create a new
16289 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16301 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16305 * Addition of the command line parameter '-rand file' to 'openssl req'.
16347 an -sgckey command line option to the rsa utility. Thanks to
16349 algorithm to openssl-dev.
16366 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16397 * The type-safe stack code has been rejigged. It is now only compiled
16399 by default all type-specific stack functions are "#define"d back to
16401 but retains the type-safety checking possibilities of the original
16409 map type-safe stack functions onto their plain stack counterparts.
16449 for CFB and OFB modes they zero ctx->num.
16475 i.e. non-zero for export ciphersuites, zero otherwise.
16493 Added -fingerprint option to crl utility, to support new c_rehash
16498 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16535 * Bugfix for linux-elf makefile.one.
16595 * Add '-tls1' option to 'openssl ciphers', which was already
16603 OpenSSL-based applications) load shared libraries and bind to
16615 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16616 to '-clrext' (= clear extensions), as intended and documented.
16634 *Ulf Möller, using the problem description in krb4-0.9.7, where
16643 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16645 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16650 the 'no-cipher' compilation switches can be tested this way.
16652 ('openssl no-XXX' is not able to detect pseudo-commands such
16653 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16657 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16665 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16671 * New s_client option -ign_eof: EOF at stdin is ignored, and
16673 This is part of what -quiet does; unlike -quiet, -ign_eof
16710 * Add '-dsaparam' option to 'openssl dhparam' application. This
16717 by 'openssl dhparam -C'.
16743 * New 'rand' application for creating pseudo-random output.
16757 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16817 or -rand.
16849 sections with information on -D... compiler switches used for
16851 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16899 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16903 * Add -rand argument to smime and pkcs12 applications and read/write
16930 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16959 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16963 * Use a less unusual form of the Miller-Rabin primality test (it used
16964 a binary algorithm for exponentiation integrated into the Miller-Rabin
16986 using 50 iterations of the Rabin-Miller test.
16989 iterations of the Rabin-Miller test as required by the appendix
16990 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16996 for each positive witness in the Rabin-Miller test, not just
17001 function with an 'iteration count' of -1, meaning that a
17003 from an application-provided seed, trial division is skipped).
17008 division before starting the Rabin-Miller test and has
17011 'callback(1, -1, cb_arg)' is called when a number has passed the
17021 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17043 by stat(). RAND_load_file(..., -1) is new and uses the complete file
17060 Rabin-Miller iterations.
17064 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
17086 cipher-strength (using the strength_bits hard coded in the tables).
17089 Fix a bug in the cipher-command parser: when supplying a cipher command
17091 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17094 Due to the strength-sorting extension, the code of the
17096 the readability was also increased :-)
17098 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17100 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
17143 * Do more iterations of Rabin-Miller probable prime test (specifically,
17144 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17147 false-positive rate of at most 2^-80 for random input.
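The entry above fixes the iteration count by candidate size, and the entries further up add trial division before the Rabin-Miller rounds and treat every witness as uniformly random. The following is an added example of that structure, not OpenSSL's `BN_is_prime_fasttest` code. The iteration counts for 1024-, 512- and 256-bit inputs are the ones stated above; the count used below 256 bits is this example's own conservative choice, not OpenSSL's table, and the small-prime bound is likewise an assumption.

```python
import secrets


def _small_primes(limit: int = 1000) -> list:
    """Sieve of Eratosthenes; the 1000 bound is this example's assumption."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = _small_primes()


def checks_for_size(bits: int) -> int:
    """Rabin-Miller rounds by candidate size. 3/6/12 for 1024/512/256 bits
    are the values from the changelog entry; 27 below 256 bits is this
    example's own choice."""
    if bits >= 1024:
        return 3
    if bits >= 512:
        return 6
    if bits >= 256:
        return 12
    return 27


def is_probable_prime(n: int, checks: int = None, trial_division: bool = True) -> bool:
    """Trial division by small primes, then `checks` Rabin-Miller rounds
    with uniformly random witnesses in [2, n-2]. Returns False on the
    first witness that proves n composite."""
    if n < 2:
        return False
    if trial_division:
        for p in SMALL_PRIMES:
            if n == p:
                return True
            if n % p == 0:
                return False        # cheap rejection before any exponentiation
    elif n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    if checks is None:
        checks = checks_for_size(n.bit_length())
    d, s = n - 1, 0                 # n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(checks):
        a = secrets.randbelow(n - 3) + 2       # uniform witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True                     # probably prime
```

The 2^-80 error bound quoted above is for random candidates, where the proportion of Rabin-Miller liars is far below the worst-case 1/4 per round; for an adversarially supplied number (a key-exchange parameter received from a peer, say) the worst-case bound applies and the round count should be raised accordingly.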
17169 -nomaciter option is used. This improves file security and
17174 * Honor the no-xxx Configure options when creating .DEF files.
17231 $PATH. Just exploiting the BWX extension results in 20-30%
17461 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17489 Two new options to the verify program: -untrusted allows a set of
17490 untrusted certificates to be passed in and -purpose which sets the
17522 Added a -pubkey option to the 'x509' utility to output the public key.
17561 openssl verify -CAfile ss.pem ss.pem
17569 but an application-provided verification callback (set by
17571 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17573 ssl->verify_result to the appropriate error code to avoid
17582 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17586 -S option to allow a salt to be input on the command line.
17616 the string plus current file name and line number to a per-thread
17619 Also updated memory leak detection code to be multi-thread-safe.
17623 * Add options -text and -noout to pkcs7 utility and delete the
17639 * Fix the -revoke option in ca. It was freeing up memory twice,
17664 with non-optimised assembler. Even so, this now gives around 95%
17684 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17687 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17703 - Assure unique random numbers after fork().
17704 - Make sure that concurrent threads access the global counter and
17718 dsaparam -genkey (which also ignored its '-rand' option),
17727 of each file listed in the '-rand' option. The function as previously
17729 that support '-rand'.
17762 verification. Also added a -purpose flag to x509 utility to
17779 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17784 * New -noout option to asn1parse. This causes no output to be produced
17785 its main use is when combined with -strparse and -out to extract data
17795 * New option -dhparam in s_server. This allows a DH parameter file to be
17802 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17804 openssl rsa -in key.pem -pubout -out pubkey.pem
17819 *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*
17845 working at all :-) A dedicated Windows application might handle this
17862 * Add new -verify -CAfile and -CApath options to the crl program, these
17871 * Initialize all non-automatic variables each time one of the openssl
17872 sub-programs is started (this is necessary as they may be started
17885 * Non-copying interface to BIO pairs.
17920 <madwolf@comune.modena.it>. The new option is called -extensions
17921 and can be applied to ca, req and x509. Also -reqexts to override
17922 the request extensions in req and -crlexts to override the crl extensions
17937 config file. They can be printed out with the -text option to req but
17960 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17980 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
18006 * -crlf option to s_client and s_server for sending newlines as
18021 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
18030 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
18033 much more efficient (160-bit exponentiation instead of 1024-bit
18049 * Allow the -k option to be used more than once in the enc program:
18096 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
18100 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
18121 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
18128 * New function RSA_check_key and new openssl rsa option -check
18167 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18176 to disable memory-checking temporarily.
18181 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18185 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18187 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18209 * Fix problems with no-hmac etc.
18230 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18250 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18261 Whoever hopes to achieve shared-library compatibility across versions
18262 must use this, not the compile-time macro.
18265 Note: All this applies only to multi-threaded programs, others don't
18270 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18323 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18333 Changing the behaviour of the former might break existing programs --
18339 fails, it needs to cause bc to give a non-zero result or make test carries
18352 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18357 * Instead of "mkdir -p", which is not fully portable, use new
18358 Perl script "util/mkdir-p.pl".
18388 * "linux-sparc64" configuration (ultrapenguin).
18391 "linux-sparc" configuration.
18393 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18395 * config now generates no-xxx options for missing ciphers.
18404 * Support BS2000/OSD-POSIX.
18420 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18426 * New configuration variant "sco5-gcc".
18449 * SHA library changes for irix64-mips4-cc.
18517 * New option -out to asn1parse to allow the parsed structure to be
18518 output to a file. This is most useful when combined with the -strparse
18523 * Make SSL library a little more fool-proof by not requiring any longer
18527 intended anyway -- now it really works as intended).
18535 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18536 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18537 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18548 various ways (and thus what used to be known as ctx->default_cert
18549 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18550 any longer when s->cert does not give us what we need).
18553 we have solved a couple of bugs of the earlier code where s->cert
18563 that holds per-session data (if available); currently, this is
18591 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18592 without disallowing inline assembler and the like for non-pedantic builds.
18604 * SHA-1 cleanups and performance enhancements.
18612 * Accept any -xxx and +xxx compiler options in Configure.
18627 DER-encoded.)
18632 x509_vfy.c had what can be considered an off-by-one-error:
18660 * New Configure options "threads" and "no-threads". For systems
18671 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18676 * "make linux-shared" to build shared libraries.
18680 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18698 * New Configure options --prefix=DIR and --openssldir=DIR.
18719 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18737 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18815 * Don't auto-generate pem.h.
18819 * Introduce type-safe ASN.1 SETs.
18823 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18827 * Introduce type-safe STACKs. This will almost certainly break lots of code
18835 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18838 revoking a certificate. The -revoke option does the gory details now.
18842 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18843 `-text` option at all and this way the `-noout -text` combination was
18855 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18859 `openssl list-cipher-commands` is used.
18897 * New "-showcerts" option for s_client.
18938 * Make sure the RSA OAEP test is skipped under -DRSAref because
18939 OAEP isn't supported when OpenSSL is built with RSAref.
18944 so they no longer are missing under -DNOPROTO.
18974 * Make rsa_oaep_test return non-zero on error.
18979 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
19009 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
19021 * DES quad checksum was broken on big-endian architectures. Fixed.
19082 pre-configured entry in Configure's %table under key `<id>` with value
19084 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19085 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
19086 now, which overrides the FreeBSD-elf entry on-the-fly.
19094 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
19101 * Remarkably, export ciphers were totally broken and no-one had noticed!
19107 questions now is the OpenSSL core team under openssl-core@openssl.org.
19108 And add a paragraph about the dual-license situation to make sure people
19164 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19175 This means that Apache-SSL and similar packages don't have to mess around
19187 * Get rid of remaining C++-style comments which strict C compilers hate.
19198 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19200 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19210 non-public-API function ssl_cert_instantiate() is used as a helper
19215 * Move s_server -dcert and -dkey options out of the undocumented feature
19238 * Don't hard-code path to Perl interpreter on shebang line of Configure
19239 script. Instead use the usual Shell->Perl transition trick.
19243 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
19245 -noout -modulus` as it's already the case for `openssl rsa -noout
19246 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
19248 `openssl dsa -modulus` in the past) which serves a similar purpose.
19249 Additionally the NO_RSA no longer completely removes the whole -modulus
19255 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19258 *Arne Ansper <arne@ats.cyber.ee>*
19268 *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*
19272 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19273 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19303 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19334 *Lars Weber <3weber@informatik.uni-hamburg.de>*
19387 - ported BN stuff to OpenSSL's different BN library
19388 - made the perl/ source tree CVS-aware
19389 - renamed the package from SSLeay to OpenSSL (the files still contain
19391 - removed obsolete files (the test scripts will be replaced
19403 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19411 what that's for :-) Fix to ASN1 macro which messed up
19438 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19440 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19446 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19475 and add a sample to openssl.cnf so req -x509 now adds appropriate
19500 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19505 * Spelling mistake in C version of CAST-128.
19509 * Changes to the error generation code. The perl script err-code.pl
19516 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19521 * CAST-128 was incorrectly implemented for short keys. The C version has
19523 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19525 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19602 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19604 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19606 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19624 *Arne Ansper <arne@ats.cyber.ee>*
19628 *Arne Ansper <arne@ats.cyber.ee>*
19632 *Arne Ansper <arne@ats.cyber.ee>*
19636 *Arne Ansper <arne@ats.cyber.ee>*
19638 * Make sure the already existing X509_STORE->depth variable is initialized
19670 * Make the top-level INSTALL documentation easier to understand.
19674 * Makefiles updated to exit if an error occurs in a sub-directory
19689 * Enhanced the err-ins.pl script so it makes the error library number
19726 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19734 ncr-scde
19735 unixware-2.0
19736 unixware-2.0-pentium
19737 sco5-cc.
19750 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19757 * Some fixups to the top-level documents.
19761 * Fixed the nasty bug where rsaref.h was not found under compile-time
19766 * Incorporated the popular no-RSA/DSA-only patches
19767 which allow to compile an RSA-free SSLeay.
19771 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19789 * Recompiled the error-definition header files and added
19794 * Cleaned up the top-level documents;
19844 * Add -strparse option to asn1pars program which parses nested
19857 * Added "-genkey" option to "dsaparam" program.
19865 * Added -a (all) option to "ssleay version" command.
19924 this key exchange mechanism is not supported by SSLeay at all.
19954 <!-- Links -->
19956 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
19957 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
19958 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
19959 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
19960 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19961 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19962 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
19963 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
19964 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
19965 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
19966 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
19967 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
19968 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19969 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19970 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19971 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19972 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
19973 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19974 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19975 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19976 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
19977 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
19978 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
19979 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19980 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
19981 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
19982 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
19983 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
19984 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
19985 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
19986 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
19987 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19988 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19989 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19990 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19991 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19992 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19993 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19994 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19995 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19996 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19997 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19998 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19999 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
20000 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
20001 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
20002 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
20003 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
20004 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
20005 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
20006 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
20007 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
20008 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
20009 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
20010 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
20011 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
20012 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
20013 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
20014 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
20015 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
20016 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
20017 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
20018 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
20019 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
20020 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
20021 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
20022 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
20023 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
20024 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
20025 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
20026 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
20027 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
20028 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
20029 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
20030 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
20031 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
20032 [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
20033 [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
20034 [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
20035 [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
20036 [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
20037 [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
20038 [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
20039 [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
20040 [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
20041 [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
20042 [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
20043 [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
20044 [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
20045 [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
20046 [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
20047 [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
20048 [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
20049 [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
20050 [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
20051 [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
20052 [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
20053 [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
20054 [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
20055 [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
20056 [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
20057 [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
20058 [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
20059 [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
20060 [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
20061 [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
20062 [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
20063 [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
20064 [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
20065 [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
20066 [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
20067 [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
20068 [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
20069 [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
20070 [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
20071 [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
20072 [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
20073 [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
20074 [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
20075 [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
20076 [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
20077 [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
20078 [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
20079 [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
20080 [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
20081 [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
20082 [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
20083 [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
20084 [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
20085 [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
20086 [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
20087 [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
20088 [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
20089 [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
20090 [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
20091 [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
20092 [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
20093 [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
20094 [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
20095 [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
20096 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
20097 [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
20098 [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
20099 [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
20100 [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
20101 [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
20102 [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
20103 [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
20104 [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
20105 [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
20106 [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
20107 [CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
20108 [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
20109 [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
20110 [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
20111 [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
20112 [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
20113 [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
20114 [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
20115 [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
20116 [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
20117 [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
20118 [CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
20119 [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
20120 [CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
20121 [CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
20122 [CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
20123 [CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
20124 [CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
20125 [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
20126 [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
20127 [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
20128 [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
20129 [CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
20130 [CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
20131 [CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
20132 [CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
20133 [CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
20134 [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
20135 [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
20136 [CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
20137 [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
20138 [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
20139 [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
20140 [CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
20141 [CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
20142 [CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
20143 [CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
20144 [CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
20145 [CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
20146 [CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
20147 [CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
20148 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
20149 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
20150 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655