Lines Matching +full:boost +full:- +full:bypass

4 This is a high-level summary of the most important changes.
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
33 * Fixed timing side-channel in ECDSA signature computation.
38 the NIST P-521 curve is affected. To be able to measure this leak, the
42 ([CVE-2024-13176])
46 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
49 Use of the low-level GF(2^m) elliptic curve APIs with untrusted
50 explicit values for the field polynomial can lead to out-of-bounds memory
58 ([CVE-2024-9143])
72 ([CVE-2024-6119])
82 ([CVE-2024-5535])
107 ([CVE-2024-4741])
124 ([CVE-2024-4603])
136 * Fixed an issue where some non-default TLS server configurations can cause
141 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
143 anti-replay protection is in use). In this case, under certain conditions,
150 ([CVE-2024-2511])
178 ([CVE-2024-0727])
195 with the "-pubin" and "-check" options on untrusted data.
200 ([CVE-2023-6237])
205 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
218 be various - from no consequences, if the calling application does not
219 depend on the contents of non-volatile XMM registers at all, to the worst
226 ([CVE-2023-6129])
240 ([CVE-2023-5678])
248 that alter the key or IV length ([CVE-2023-5363]).
257 does not save the contents of non-volatile XMM registers on Windows 64
261 x86_64 processors supporting the AVX512-IFMA instructions.
264 be various - from no consequences, if the calling application does not
265 depend on the contents of non-volatile XMM registers at all, to the worst
272 ([CVE-2023-4807])
281 fixing CVE-2023-3446 it was discovered that a large q parameter value can
291 ([CVE-2023-3817])
310 ([CVE-2023-3446])
314 * Do not ignore empty associated data entries with AES-SIV.
316 The AES-SIV algorithm allows for authentication of multiple associated
320 The AES-SIV implementation in OpenSSL just returns success for such call
322 The empty data thus will not be authenticated. ([CVE-2023-2975])
327 applications that use empty associated data entries with AES-SIV.
337 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
340 numeric text form. For gigantic sub-identifiers, this would take a very
342 sub-identifier. ([CVE-2023-2650])
350 most 128 sub-identifiers, and that the maximum value that each sub-
351 identifier may have is 2^32-1 (4294967295 decimal).
353 For each byte of every sub-identifier, only the 7 lower bits are part of
360 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
362 trigger a crash of an application using AES-XTS decryption if the memory
365 ([CVE-2023-1255])
369 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
371 a severe 2-3x performance regression in the typical use case
383 ([CVE-2023-0466])
392 ([CVE-2023-0465])
397 against CVE-2023-0464. The default limit is set to 1000 nodes, which
402 ([CVE-2023-0464])
417 ([CVE-2023-0401])
440 ([CVE-2023-0286])
455 security requirements imposed by standards such as FIPS 140-3.
456 ([CVE-2023-0217])
470 ([CVE-2023-0216])
474 * Fixed Use-after-free following BIO_new_NDEF.
489 then a use-after-free will occur. This will most likely result in a crash.
490 ([CVE-2023-0215])
515 ([CVE-2022-4450])
526 modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
527 ([CVE-2022-4304])
539 ([CVE-2022-4203])
551 ([CVE-2022-3996])
561 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
588 ([CVE-2022-3786])
591 attacker-controlled bytes on the stack. This buffer overflow could
594 ([CVE-2022-3602])
654 ([CVE-2022-3358])
663 * Fixed the linux-mips64 Configure target which was missing the
678 * Fixed detection of ktls support in cross-compile environment on Linux
714 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
715 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
716 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
739 ([CVE-2022-2274])
743 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
751 ([CVE-2022-2097])
758 CVE-2022-1292, further bugs where the c_rehash script does not
762 When the CVE-2022-1292 was fixed it was not discovered that there
772 (CVE-2022-2068)
783 * Case insensitive string comparison is reimplemented via new locale-agnostic
798 (CVE-2022-1292)
804 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
815 verifying an ocsp response with the "-no_cert_checks" option the command line
820 ([CVE-2022-1343])
824 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
827 An attacker could exploit this issue by performing a man-in-the-middle attack
831 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
835 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
842 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
846 cannot decrypt data that has been encrypted using this ciphersuite - they can
850 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
856 1) OpenSSL must have been compiled with the (non-default) compile time option
857 enable-weak-ssl-ciphers
868 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
870 (CVE-2022-1434)
885 (CVE-2022-1473)
899 for non-prime moduli.
916 - TLS clients consuming server certificates
917 - TLS servers consuming client certificates
918 - Hosting providers taking certificates or private keys from customers
919 - Certificate authorities parsing certification requests from subscribers
920 - Anything else which parses ASN.1 elliptic curve parameters
924 ([CVE-2022-0778])
934 * Made the AES constant time code for no-asm configurations
937 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
975 ([CVE-2021-4044])
1039 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
1040 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1041 SP 800-38D". The communication will fail at this point.
1051 beginning of a PEM-formatted file.
1071 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
1082 `--libdir=lib` to override the libdir if adding the postfix is
1104 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
1109 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
1110 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1111 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
1128 * Client-initiated renegotiation is disabled by default. To allow it, use
1129 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1139 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1140 validated. Please consult the README-FIPS and
1141 README-PROVIDERS files, as well as the migration guide.
1251 RIPEMD-160 have been moved to the legacy provider.
1268 * A number of functions handling low-level keys or engines were deprecated
1279 - NID_pbeWithMD2AndDES_CBC
1280 - NID_pbeWithMD5AndDES_CBC
1281 - NID_pbeWithSHA1AndRC2_CBC
1282 - NID_pbeWithMD2AndRC2_CBC
1283 - NID_pbeWithMD5AndRC2_CBC
1284 - NID_pbeWithSHA1AndDES_CBC
1307 algorithms. This is enabled by including the no-cached-fetch option
1312 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1317 * The openssl speed command does not use low-level API calls anymore.
1321 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1326 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1347 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1365 * The default key generation method for the regular 2-prime RSA keys was
1366 changed to the FIPS 186-4 B.3.6 method.
1396 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1407 * The `-cipher-commands` and `-digest-commands` options
1409 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1414 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1434 * The `-crypt` option to the `passwd` command line tool has been removed.
1438 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1463 * Added new option for 'openssl list', '-providers', which will display the
1494 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1496 TLS-based contexts. The commands can be repeated to set bounds of both
1498 "max_protocol" command-line switches, in case some application uses both TLS
1504 error. Now only the "version-flexible" SSL_CTX instances are subject to
1505 limits in configuration files in command-line options.
1524 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1525 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1543 a non-default `OSSL_LIB_CTX`.
1574 * Add CAdES-BES signature verification support, mostly derived
1579 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1583 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1656 [ATX headings]: https://github.github.com/gfm/#atx-headings
1657 [setext headings]: https://github.github.com/gfm/#setext-headings
1658 [inline links]: https://github.github.com/gfm/#inline-link
1659 [reference links]: https://github.github.com/gfm/#reference-link
1660 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1661 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1666 A new directory test-runs/ with subdirectories named like the
1673 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1680 user-defined BIOs (allowing implicit connections), persistent connections,
1682 The legacy OCSP-focused (and only partly documented) API
1687 * Added `util/check-format.pl`, a tool for checking adherence to the
1762 - Common options (such as -rand/-writerand, TLS version control, etc)
1763 were refactored and point to newly-enhanced descriptions in openssl.pod.
1764 - Added style conformance for all options (with help from Richard Levitte),
1768 - Documented some internals, such as all use of environment variables.
1769 - Addressed all internal broken L<> references.
1777 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1818 used in exponentiation with 512-bit moduli. No EC algorithms are
1819 affected. Analysis suggests that attacks against 2-prime RSA1024,
1820 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1823 have to re-use the DH512 private key, which is not recommended anyway.
1824 Also applications directly using the low-level API BN_mod_exp may be
1826 ([CVE-2019-1551])
1830 * Most memory-debug features have been deprecated, and the functionality
1831 replaced with no-ops.
1872 * Change the interpretation of the '--api' configuration option to
1876 the given version, now requires that 'no-deprecated' is also used
1882 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1890 -DOPENSSL_API_COMPAT=30000 For 3.0
1891 -DOPENSSL_API_COMPAT=30200 For 3.2
1894 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1905 - X509_LOOKUP_store()
1906 - X509_STORE_load_file()
1907 - X509_STORE_load_path()
1908 - X509_STORE_load_store()
1909 - SSL_add_store_cert_subjects_to_stack()
1910 - SSL_CTX_set_default_verify_store()
1911 - SSL_CTX_load_verify_file()
1912 - SSL_CTX_load_verify_dir()
1913 - SSL_CTX_load_verify_store()
1918 The presence of this system service is determined at run-time.
1927 of application written for pre-3.0 OpenSSL easier.
1949 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1987 * Added the `-copy_extensions` option to the `x509` command for use with
1988 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1993 * Added the `-copy_extensions` option to the `req` command for use with
1994 `-x509`. When given with the `copy` or `copyall` argument,
2002 and for not self-signed certs there is an authorityKeyIdentifier extension
2011 (which may be done by using the CLI option `-x509_strict`):
2023 unless they are self-signed.
2033 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2037 This prevents bypass of security hardening and performance gains,
2049 ([CVE-2019-1547])
2063 The old behaviour can be re-enabled in the CMS code by setting the
2078 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
2081 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2083 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2089 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2133 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2182 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2191 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2192 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2193 for Windows Store apps easier. Also, the "no-uplink" option has been added.
2209 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2224 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2225 mandated by IEEE Std 1619-2018.
2256 'enable-buildtest-c++'.
2291 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
2304 * Fix a bug in the computation of the endpoint-pair shared secret used
2312 re-used X509_PUBKEY object if the second PUBKEY is malformed.
2326 - Major releases (indicated by incrementing the MAJOR release number)
2328 - Minor releases (indicated by incrementing the MINOR release number)
2330 - Patch releases (indicated by incrementing the PATCH number)
2337 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2347 * Recreate the OS390-Unix config target. It no longer relies on a
2348 special script like it did for OpenSSL pre-1.1.0.
2353 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2383 * AES-XTS mode now enforces that its two keys are different to mitigate
2397 * Added new option for 'openssl list', '-objects', which will display the
2402 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2408 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2410 applications with zero-copy system calls such as sendfile and splice.
2442 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2449 -------------
2477 again, but this time passing a non-NULL value for the "out" parameter.
2492 ([CVE-2021-3711])
2536 ([CVE-2021-3712])
2553 that non-CA certificates must not be able to issue other certificates.
2567 ([CVE-2021-3450])
2581 ([CVE-2021-3449])
2594 ([CVE-2021-23841])
2601 CVE-2021-23839.
2611 ([CVE-2021-23840])
2638 ([CVE-2020-1971])
2650 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2652 TLS-based contexts. The commands can be repeated to set bounds of both
2654 "max_protocol" command-line switches, in case some application uses both TLS
2660 error. Now only the "version-flexible" SSL_CTX instances are subject to
2661 limits in configuration files in command-line options.
2681 ([CVE-2020-1967])
2685 * Added AES consttime code for no-asm configurations
2687 when building openssl for no-asm.
2688 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2689 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2705 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2708 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2710 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2754 The presence of this system service is determined at run-time.
2777 ([CVE-2019-1549])
2781 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2785 This prevents bypass of security hardening and performance gains,
2797 ([CVE-2019-1547])
2811 The old behaviour can be re-enabled in the CMS code by setting the
2813 ([CVE-2019-1563])
2828 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2839 ([CVE-2019-1552])
2875 'enable-buildtest-c++'.
2879 * Enable SHA3 pre-hashing for ECDSA and DSA.
2892 util/fix-doc-nits accordingly.
2913 * Prevent over long nonces in ChaCha20-Poly1305.
2915 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2936 applications that use this cipher directly and set a non-default nonce
2941 ([CVE-2019-1543])
2961 * Change the info callback signals for the start and end of a post-handshake
2982 ([CVE-2018-0734])
2993 ([CVE-2018-0735])
3021 * s390x assembly pack: add (improved) hardware-support for the following
3022 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
3023 aes-cfb/cfb8, aes-ecb.
3035 differential addition-and-doubling in homogeneous projective coordinates
3036 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3037 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
3038 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
3045 For larger primes this will result in more rounds of Miller-Rabin.
3047 to 2^-128.
3051 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
3063 length-invariant. Switch even to fixed-length Montgomery multiplication.
3069 differential addition-and-doubling in mixed Lopez-Dahab projective
3078 differential addition-and-doubling algorithms.
3090 * Numerous side-channel attack mitigations have been applied. This may have
3100 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
3102 multi-version installation is managed.
3110 EC cryptosystem implementations are then safer-by-default.
3134 Many applications do not properly handle non-application data records, and
3193 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3247 in responder mode now supports the new "-multi" option, which
3249 requests. The "-timeout" option now also limits the OCSP
3254 as a long-running service, making the OpenSSL CA somewhat more
3255 feature-complete. In this mode, most diagnostic messages logged
3282 The default RAND method now utilizes an AES-CTR DRBG according to
3283 NIST standard SP 800-90Ar1. The new random generator is essentially
3286 using an AES-CTR bit stream and which seeds and reseeds itself
3290 - Support for multiple DRBG instances with seed chaining.
3291 - The default RAND method makes use of a DRBG.
3292 - There is a public and private DRBG instance.
3293 - The DRBG instances are fork-safe.
3294 - Keep all global DRBG instances on the secure heap if it is enabled.
3295 - The public and private DRBG instance are per thread for lock free
3331 * Add multi-prime RSA (RFC 8017) support.
3335 * Add SM3 implemented according to GB/T 32905-2016
3346 * Add SM4 implemented according to GB/T 32907-2016.
3351 * Reimplement -newreq-nodes and ERR_error_string_n; the
3385 To disable, configure with 'no-ui-console'. 'no-ui' is still
3402 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3404 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3438 * Ignore the '-named_curve auto' value for compatibility of applications
3444 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3462 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3471 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3489 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3493 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3510 default unless the new "-noservername" option is used. The server name is
3511 based on the host provided to the "-connect" option unless overridden by
3512 using "-servername".
3529 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3547 -------------
3551 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3555 This prevents bypass of security hardening and performance gains,
3567 ([CVE-2019-1547])
3581 The old behaviour can be re-enabled in the CMS code by setting the
3583 ([CVE-2019-1563])
3591 ([CVE-2019-1552])
3604 * Prevent over long nonces in ChaCha20-Poly1305.
3606 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3627 applications that use this cipher directly and set a non-default nonce
3632 ([CVE-2019-1543])
3644 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3667 ([CVE-2018-0734])
3678 ([CVE-2018-0735])
3699 ([CVE-2018-0732])
3712 ([CVE-2018-0737])
3723 length-invariant. Switch even to fixed-length Montgomery multiplication.
3729 For larger primes this will result in more rounds of Miller-Rabin.
3731 to 2^-128.
3735 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
3762 some characters, such as form-feed, were incorrectly treated as whitespace
3768 and use the "-binary" flag (for the "cms" command line application) or set
3783 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3785 ([CVE-2018-0739])
3789 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3791 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3796 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3800 ([CVE-2018-0733])
3816 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3825 * Removed the OS390-Unix config target. It relied on a script that doesn't
3833 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3841 no longer an option since CVE-2016-0701.
3847 was originally found via the OSS-Fuzz project.
3848 ([CVE-2017-3738])
3871 This issue was reported to OpenSSL by the OSS-Fuzz project.
3872 ([CVE-2017-3736])
3879 OpenSSL could do a one-byte buffer overread. The most likely result
3882 This issue was reported to OpenSSL by the OSS-Fuzz project.
3883 ([CVE-2017-3735])
3889 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3894 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3902 * Encrypt-Then-Mac renegotiation crash
3904 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3905 negotiated where it was not in the original handshake (or vice-versa) then
3910 ([CVE-2017-3733])
3918 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3920 perform an out-of-bounds read, usually resulting in a crash.
3923 ([CVE-2017-3731])
3935 ([CVE-2017-3730])
3953 similar to CVE-2015-3193 but must be treated as a separate problem.
3955 This issue was reported to OpenSSL by the OSS-Fuzz project.
3956 ([CVE-2017-3732])
3962 * ChaCha20/Poly1305 heap-buffer-overflow
3964 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3969 ([CVE-2016-7054])
3983 ([CVE-2016-7053])
3989 There is a carry propagating bug in the Broadwell-specific Montgomery
3996 erroneous outcome of public-key operations with specially crafted input.
3997 Among EC algorithms only Brainpool P-512 curves are affected and one
3999 detail, because pre-requisites for attack are considered unlikely. Namely
4007 ([CVE-2016-7055])
4020 The patch applied to address CVE-2016-6307 resulted in an issue where if a
4030 ([CVE-2016-6309])
4044 the "no-ocsp" build time option are not affected.
4047 ([CVE-2016-6304])
4058 ([CVE-2016-6305])
4096 memory - which would then mean a more serious Denial of Service.
4099 (CVE-2016-6307 and CVE-2016-6308)
4103 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
4105 assemble our modules with the -KPIC flag. As a result, assembly
4107 lack of side-channel resistant code, which is incompatible with
4115 * Windows command-line tool supports UTF-8 opt-in option for arguments
4118 with Windows CryptoAPI and protected with non-ASCII password, as well
4119 as files generated under UTF-8 locale on Linux also protected with
4120 non-ASCII password.
4124 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
4126 See the RC4 item below to re-enable both.
4146 no-ops and deprecated.
4151 calling CryptGenRandom(). Various other RAND-related tickets
4200 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4206 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4219 the "no-shared" Configure option.
4223 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4229 * Make various cleanup routines no-ops and mark them as deprecated. Most
4231 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4232 Explicitly de-initing can cause problems (e.g. where a library that uses
4233 OpenSSL de-inits, but an application is still using it). The affected
4241 * --strict-warnings no longer enables runtime debugging options
4243 enabled with '--debug' builds.
4271 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4284 * Removed the aged BC-32 config and all its supporting scripts
4302 encryptions/decryptions simultaneously. There are currently no built-in
4312 AES128-CBC. The kernel must be version 4.1.0 or greater.
4317 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4319 also possible to configure OpenSSL at compile time for "no-threads". The
4321 replaced with "no-op" compatibility macros.
4330 * Add SSL_CIPHER queries for authentication and key-exchange.
4335 - Prefer (EC)DHE handshakes over plain RSA.
4336 - Prefer AEAD ciphers over legacy ciphers.
4337 - Prefer ECDSA over RSA when both certificates are available.
4338 - Prefer TLSv1.2 ciphers/PRF.
4339 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4350 disabled by default. They can be re-enabled using the
4351 enable-weak-ssl-ciphers option to Configure.
4365 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4368 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4375 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4395 the configuration option "disable-dynamic-engine".
4400 with "disable-dso" or "disable-pic".
4415 If this isn't desirable, the configuration options "disable-pic"
4416 or "no-pic" can be used to disable the use of PIC. This will
4427 is for. Also, the configuration option --install_prefix is
4433 for DTLS; configure with enable-heartbeats. Code that uses the
4454 template in Configurations, like unix-Makefile.tmpl or
4467 * Added support for auto-initialisation and de-initialisation of the library.
4489 the leading 0-byte.
4501 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4508 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4541 --prefix and --openssldir change their semantics, and become more
4544 --prefix shall be used exclusively to give the location INSTALLTOP
4548 --openssldir shall be used exclusively to give the default
4553 values of both the --prefix value and the --openssldir value will
4555 The default for --openssldir is INSTALLTOP/ssl.
4557 Anyone who uses --openssldir to specify where OpenSSL is to be
4558 installed MUST change to use --prefix instead.
4570 * EGD is no longer supported by default; use enable-egd when
4594 example, be used to implement local end-entity certificate or
4595 trust-anchor "pinning", where the "pin" data takes the form
4604 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4610 should be used with the --api=1.1.0 option to entirely remove
4613 Essentially the same effect can be achieved with the "no-deprecated"
4619 they should update their compile-time OPENSSL_API_COMPAT define
4685 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4698 "-no_ecdhe" option has been removed from s_server.
4724 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4759 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4777 * Fix no-stdio build.
4796 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4850 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4868 code and the associated standard is no longer considered fit-for-purpose.
4895 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4908 Access to deprecated functions can be re-enabled by running config with
4909 "enable-deprecated". In addition applications wishing to use deprecated
4918 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4919 for OCB can be removed by calling config with no-ocb.
4929 done while fixing the error code for the key-too-small case.
4931 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4952 16-bit platforms such as WIN16
4957 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4958 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4959 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4960 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4961 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4962 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4966 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4977 NULL. Remove the non-null checks from callers. Save much code.
4997 * Harmonize version and its documentation. -f flag is used to display
5017 preparing the fix ([CVE-2014-0160])
5022 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
5027 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
5036 * Experimental encrypt-then-mac support.
5039 draft-gutmann-tls-encrypt-then-mac-02.txt
5042 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
5044 For non-compliant peers (i.e. just about everything) this should have no
5058 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5098 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
5122 FIPS 186-3 A.2.3.
5124 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
5150 information in FIPS186-3, SP800-57 and SP800-131A.
5186 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5190 * Extensive self tests and health checking required by SP800-90 DRBG.
5205 leading zeroes if needed: this complies with SP800-56A et al.
5209 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5227 * Add selftest checks and algorithm block of non-fips algorithms in
5238 * New build option no-ec2m to disable characteristic 2 code.
5253 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5279 * Improve forward-security support: add functions
5300 * New -verify_name option in command line utilities to set verification
5310 * Experimental renegotiation in s_server -www mode. If the client
5318 multi-process servers.
5337 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5344 -------------
5348 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5352 This prevents bypass of security hardening and performance gains,
5364 ([CVE-2019-1547])
5378 The old behaviour can be re-enabled in the CMS code by setting the
5380 ([CVE-2019-1563])
5387 binaries and run-time config file.
5388 ([CVE-2019-1552])
5401 * Add FIPS support for Android Arm 64-bit
5403 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5405 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
5406 built with FIPS support on Android Arm 64-bit. This omission has been
5413 * 0-byte record padding oracle
5423 In order for this to be exploitable "non-stitched" ciphersuites must be in
5432 ([CVE-2019-1559])
5452 ([CVE-2018-5407])
5463 ([CVE-2018-0734])
5484 ([CVE-2018-0732])
5497 ([CVE-2018-0737])
5508 length-invariant. Switch even to fixed-length Montgomery multiplication.
5514 For larger primes this will result in more rounds of Miller-Rabin.
5516 to 2^-128.
5520 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
5550 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5552 ([CVE-2018-0739])
5577 ([CVE-2017-3737])
5584 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5592 no longer an option since CVE-2016-0701.
5598 was originally found via the OSS-Fuzz project.
5599 ([CVE-2017-3738])
5622 This issue was reported to OpenSSL by the OSS-Fuzz project.
5623 ([CVE-2017-3736])
5630 OpenSSL could do a one-byte buffer overread. The most likely result
5633 This issue was reported to OpenSSL by the OSS-Fuzz project.
5639 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5648 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5650 perform an out-of-bounds read, usually resulting in a crash.
5653 ([CVE-2017-3731])
5671 similar to CVE-2015-3193 but must be treated as a separate problem.
5673 This issue was reported to OpenSSL by the OSS-Fuzz project.
5674 ([CVE-2017-3732])
5680 There is a carry propagating bug in the Broadwell-specific Montgomery
5687 erroneous outcome of public-key operations with specially crafted input.
5688 Among EC algorithms only Brainpool P-512 curves are affected and one
5690 detail, because pre-requisites for attack are considered unlikely. Namely
5698 ([CVE-2016-7055])
5718 ([CVE-2016-7052])
5732 the "no-ocsp" build time option are not affected.
5735 ([CVE-2016-6304])
5744 ([CVE-2016-2183])
5760 ([CVE-2016-6303])
5774 ([CVE-2016-6302])
5787 ([CVE-2016-2182])
5799 ([CVE-2016-2180])
5825 ([CVE-2016-2177])
5833 implementation means that a non-constant time codepath is followed for
5834 certain operations. This has been demonstrated through a cache-timing
5840 ([CVE-2016-2178])
5846 In a DTLS connection where handshake messages are delivered out-of-order
5858 ([CVE-2016-2179])
5873 ([CVE-2016-2181])
5889 ([CVE-2016-6306])
5895 * Prevent padding oracle in AES-NI CBC MAC check
5899 AES-NI.
5902 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5908 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5927 ([CVE-2016-2105])
5951 ([CVE-2016-2106])
5967 ([CVE-2016-2109])
5978 ([CVE-2016-2176])
5992 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
6000 Builds that are not configured with "enable-weak-ssl-ciphers" will not
6006 is by default disabled at build-time. Builds that are not configured with
6007 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
6008 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
6016 explicitly uses the version-specific SSLv2_method() or its client and
6018 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
6019 ciphers, and SSLv2 56-bit DES are no longer available.
6020 ([CVE-2016-0800])
6024 * Fix a double-free in DSA code
6033 ([CVE-2016-0705])
6053 ([CVE-2016-0798])
6078 ([CVE-2016-0797])
6099 functions when printing out human-readable dumps of ASN.1 data. Therefore
6110 ([CVE-2016-0799])
6116 A side-channel attack was found which makes use of cache-bank conflicts on
6117 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6120 hyper-threaded core as the victim thread which is performing decryptions.
6126 ([CVE-2016-0702])
6130 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6167 ([CVE-2016-0701])
6180 ([CVE-2015-3197])
6202 ([CVE-2015-3193])
6218 ([CVE-2015-3194])
6231 ([CVE-2015-3195])
6284 This issue was reported to OpenSSL by Joseph Barr-Pixton.
6285 ([CVE-2015-1788])
6289 * Exploitable out-of-bounds read in X509_cmp_time
6305 ([CVE-2015-1789])
6312 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6320 ([CVE-2015-1790])
6331 ([CVE-2015-1792])
6337 If a NewSessionTicket is received by a multi-threaded client when attempting to
6340 ([CVE-2015-1791])
6344 * Only support 256-bit or stronger elliptic curves with the
6346 curves, prefer P-256 (both).
6360 ([CVE-2015-0291])
6370 using non-blocking IO. Typically, when the user application is using a
6376 ([CVE-2015-0290])
6393 ([CVE-2015-0207])
6405 ([CVE-2015-0286])
6420 ([CVE-2015-0208])
6434 ([CVE-2015-0287])
6441 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6449 ([CVE-2015-0289])
6457 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6461 ([CVE-2015-0293])
6470 ([CVE-2015-1787])
6478 - The client is on a platform where the PRNG has not been seeded
6480 - A protocol specific client method version has been used (i.e. not
6482 - A ciphersuite is used that does not require additional random data from
6483 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6492 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6493 ([CVE-2015-0285])
6508 ([CVE-2015-0209])
6518 ([CVE-2015-0288])
6533 near-optimal performance even on newer platforms.
6537 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6549 bogus results, with non-infinity inputs mapped to infinity too.)
6560 * Add support for little-endian ppc64 Linux target.
6567 Both 32- and 64-bit modes are supported.
6588 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6628 * Add -rev test option to s_server to just reverse order of characters
6634 * New option -brief for s_client and s_server to print out a brief summary
6643 * New option -crl_download in several openssl utilities to download CRLs
6648 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6684 "enable-ssl-trace". New options to s_client and s_server to enable
6826 * Initial experimental support for explicitly trusted non-root CAs.
6829 setting is used: whether to trust (e.g., -addtrust option to the x509
6834 * Add -trusted_first option which attempts to find certificates in the
6844 * Support for linux-x32, ILP32 environment in x86_64 framework.
6848 * Experimental multi-implementation support for FIPS capable OpenSSL.
6894 between NIDs and the more common NIST names such as "P-256". Enhance
6914 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6916 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6921 -------------
6933 the "no-ocsp" build time option are not affected.
6936 ([CVE-2016-6304])
6945 ([CVE-2016-2183])
6961 ([CVE-2016-6303])
6975 ([CVE-2016-6302])
6988 ([CVE-2016-2182])
7000 ([CVE-2016-2180])
7026 ([CVE-2016-2177])
7034 implementation means that a non-constant time codepath is followed for
7035 certain operations. This has been demonstrated through a cache-timing
7041 ([CVE-2016-2178])
7047 In a DTLS connection where handshake messages are delivered out-of-order
7059 ([CVE-2016-2179])
7074 ([CVE-2016-2181])
7090 ([CVE-2016-6306])
7096 * Prevent padding oracle in AES-NI CBC MAC check
7100 AES-NI.
7103 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7109 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7110 ([CVE-2016-2107])
7129 ([CVE-2016-2105])
7153 ([CVE-2016-2106])
7169 ([CVE-2016-2109])
7180 ([CVE-2016-2176])
7194 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7202 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7208 is by default disabled at build-time. Builds that are not configured with
7209 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7210 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7218 explicitly uses the version-specific SSLv2_method() or its client and
7220 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7221 ciphers, and SSLv2 56-bit DES are no longer available.
7222 ([CVE-2016-0800])
7226 * Fix a double-free in DSA code
7235 ([CVE-2016-0705])
7255 ([CVE-2016-0798])
7280 ([CVE-2016-0797])
7301 functions when printing out human-readable dumps of ASN.1 data. Therefore
7312 ([CVE-2016-0799])
7318 A side-channel attack was found which makes use of cache-bank conflicts on
7319 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7322 hyper-threaded core as the victim thread which is performing decryptions.
7328 ([CVE-2016-0702])
7332 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7358 ([CVE-2015-3197])
7380 ([CVE-2015-3194])
7393 ([CVE-2015-3195])
7422 ([CVE-2015-1793])
7428 If PSK identity hints are received by a multi-threaded client then
7432 ([CVE-2015-3196])
7455 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7456 ([CVE-2015-1788])
7460 * Exploitable out-of-bounds read in X509_cmp_time
7476 ([CVE-2015-1789])
7483 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7491 ([CVE-2015-1790])
7502 ([CVE-2015-1792])
7508 If a NewSessionTicket is received by a multi-threaded client when attempting to
7511 ([CVE-2015-1791])
7519 * dhparam: generate 2048-bit parameters by default.
7533 ([CVE-2015-0286])
7547 ([CVE-2015-0287])
7554 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7562 ([CVE-2015-0289])
7570 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7574 ([CVE-2015-0293])
7589 ([CVE-2015-0209])
7599 ([CVE-2015-0288])
7619 ([CVE-2014-3571])
7629 ([CVE-2015-0206])
7633 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7634 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7637 ([CVE-2014-3569])
7646 ([CVE-2014-3572])
7650 * Remove non-export ephemeral RSA code on client and server. This code
7652 non-export ciphersuites and could be used by a server to effectively
7656 ([CVE-2015-0204])
7668 ([CVE-2015-0205])
7682 By using non-DER or invalid encodings outside the signed portion of a
7703 Re-encode DSA/ECDSA signatures and compare with the original received
7714 ([CVE-2014-8275])
7726 ([CVE-2014-3570])
7743 * Tighten client-side session ticket handling during renegotiation:
7768 ([CVE-2014-3513])
7780 ([CVE-2014-3567])
7784 * Build option no-ssl3 is incomplete.
7786 When OpenSSL is configured with "no-ssl3" as a build option, servers
7789 ([CVE-2014-3568])
7796 ([CVE-2014-3566])
7802 Re-encode DigestInto in DER and check against the original when
7818 ([CVE-2014-3512])
7824 is badly fragmented. This allows a man-in-the-middle attacker to force a
7830 ([CVE-2014-3511])
7841 ([CVE-2014-3510])
7848 ([CVE-2014-3507])
7856 ([CVE-2014-3506])
7863 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7865 ([CVE-2014-3505])
7875 ([CVE-2014-3509])
7886 ([CVE-2014-5139])
7896 ([CVE-2014-3508])
7902 bogus results, with non-infinity inputs mapped to infinity too.)
7913 researching this issue. ([CVE-2014-0224])
7921 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7922 ([CVE-2014-0221])
7931 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7939 this issue. ([CVE-2014-3470])
7943 * Harmonize version and its documentation. -f flag is used to display
7965 preparing the fix ([CVE-2014-0160])
7970 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7975 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7979 * TLS pad extension: draft-agl-tls-padding-03
7993 ([CVE-2013-4353])
7997 to be resent. ([CVE-2013-6450])
8002 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8004 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8012 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
8029 ([CVE-2013-0169])
8038 ([CVE-2012-2686])
8043 This fixes a DoS attack. ([CVE-2013-0166])
8072 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8074 ([CVE-2012-2333])
8121 ([CVE-2012-2110])
8125 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
8137 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8173 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8177 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8185 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
8186 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
8187 - x86_64: bit-sliced AES implementation;
8188 - ARM: NEON support, contemporary platforms optimizations;
8189 - s390x: z196 support;
8190 - `*`: GHASH and GF(2^m) multiplication implementations;
8194 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8203 * Add DTLS-SRTP negotiation from RFC 5764.
8208 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8209 disabled with a no-npn flag to config or Configure. Code donated
8214 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8215 NIST-P256, NIST-P521, with constant-time single point multiplication on
8217 required to use this (present in gcc 4.4 and later, for 64-bit builds).
8220 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8240 * New -sigopt option to the ca, req and x509 utilities. Additional
8253 New function ASN1_item_sign_ctx() signs a pre-initialised
8292 * Session-handling fixes:
8293 - Fix handling of connections that are resuming with a session ID,
8295 - Fix a bug that suppressed issuing of a new ticket if the client
8297 - Try to set the ticket lifetime hint to something reasonable.
8298 - Make tickets shorter by excluding irrelevant information.
8299 - On the client side, don't ignore renewed tickets.
8307 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8335 switch between FIPS and non-FIPS modes.
8341 keep original code iff non-FIPS operations are allowed.
8345 * Add -attime option to openssl utilities.
8358 * New build option no-ec2m to disable characteristic 2 code.
8362 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8372 * Add similar low-level API blocking to ciphers.
8376 * low-level digest APIs are not approved in FIPS mode: any attempt
8405 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8464 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8474 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8488 -------------
8501 ([CVE-2015-3195])
8507 If PSK identity hints are received by a multi-threaded client then
8511 ([CVE-2015-3196])
8528 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8529 ([CVE-2015-1788])
8533 * Exploitable out-of-bounds read in X509_cmp_time
8549 ([CVE-2015-1789])
8556 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8564 ([CVE-2015-1790])
8575 ([CVE-2015-1792])
8581 If a NewSessionTicket is received by a multi-threaded client when attempting to
8584 ([CVE-2015-1791])
8598 ([CVE-2015-0286])
8612 ([CVE-2015-0287])
8619 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8627 ([CVE-2015-0289])
8635 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8639 ([CVE-2015-0293])
8654 ([CVE-2015-0209])
8664 ([CVE-2015-0288])
8684 ([CVE-2014-3571])
8694 ([CVE-2015-0206])
8698 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8699 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8702 ([CVE-2014-3569])
8711 ([CVE-2014-3572])
8715 * Remove non-export ephemeral RSA code on client and server. This code
8717 non-export ciphersuites and could be used by a server to effectively
8721 ([CVE-2015-0204])
8733 ([CVE-2015-0205])
8745 ([CVE-2014-3570])
8751 By using non-DER or invalid encodings outside the signed portion of a
8783 ([CVE-2014-8275])
8797 ([CVE-2014-3567])
8801 * Build option no-ssl3 is incomplete.
8803 When OpenSSL is configured with "no-ssl3" as a build option, servers
8806 ([CVE-2014-3568])
8813 ([CVE-2014-3566])
8836 ([CVE-2014-3510])
8843 ([CVE-2014-3507])
8851 ([CVE-2014-3506])
8858 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8860 ([CVE-2014-3505])
8870 ([CVE-2014-3509])
8880 ([CVE-2014-3508])
8886 bogus results, with non-infinity inputs mapped to infinity too.)
8897 researching this issue. ([CVE-2014-0224])
8905 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8906 ([CVE-2014-0221])
8915 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8923 this issue. ([CVE-2014-3470])
8927 * Harmonize version and its documentation. -f flag is used to display
8942 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8947 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8955 to be resent. ([CVE-2013-6450])
8960 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8962 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8980 ([CVE-2013-0169])
8985 This fixes a DoS attack. ([CVE-2013-0166])
9009 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9011 ([CVE-2012-2333])
9028 ([CVE-2012-2110])
9038 old behaviour can be re-enabled in the CMS code by setting the
9042 this issue. ([CVE-2012-0884])
9046 * Fix CVE-2011-4619: make sure we really are receiving a
9054 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
9057 preparing a fix. ([CVE-2012-0050])
9073 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
9074 for preparing the fix. ([CVE-2011-4108])
9079 ([CVE-2011-4576])
9085 Adam Langley for preparing the fix. ([CVE-2011-4619])
9089 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
9095 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
9103 * Fix ssl_ciph.c set-up race.
9127 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
9134 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9139 for multi-threaded use of ECDH. ([CVE-2011-3210])
9161 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9175 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9179 * Fixed J-PAKE implementation error, originally discovered by
9181 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9189 be shared by multiple threads. CVE-2010-3864
9201 ([CVE-2010-1633])
9203 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9217 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9272 *Michael Tuexen <tuexen@fh-muenster.de>*
9311 openssl dgst -sha256 foo
9344 * Add session ticket override functionality for use by EAP-FAST.
9353 * Type-checked OBJ_bsearch_ex.
9357 * Type-checked OBJ_bsearch. Also some constification necessitated
9358 by type-checking. Still to come: TXT_DB, bsearch(?),
9437 * To cater for systems that provide a pointer-based thread ID rather
9444 as a pointer-based thread ID to distinguish between threads.
9457 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9479 * Revamp of STACK to provide stronger type-checking. Still to come:
9490 * Revamp of LHASH to provide stronger type-checking. Still to come:
9509 files from Configure script, currently only included in VC-WIN32.
9530 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9536 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9547 an internal copy of the length-'len' string at 'src', and will
9548 return non-zero for success.
9566 has to return non-zero to report success: usually 1 to use opaque
9626 * Add option -stream to use PKCS#7 streaming in smime utility. New
9635 ENGINE support for HMAC keys which are unextractable. New -mac and
9636 -macopt options to dgst utility.
9640 * New option -sigopt to dgst utility. Update dgst to use
9649 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9657 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9685 away into the non-exported interface ssl/ssl_locl.h, so this
9703 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9714 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9737 -verify_return_error to s_client and s_server. This causes real errors
9780 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9806 list-message-digest-algorithms and list-cipher-algorithms.
9811 of degrees of non-zero coefficients is now terminated with -1.
9837 kECDHr - ECDH cert, signed with RSA
9838 kECDHe - ECDH cert, signed with ECDSA
9839 kECDH - ECDH cert (signed with either RSA or ECDSA)
9840 kEECDH - ephemeral ECDH
9841 ECDH - ECDH cert or ephemeral ECDH
9843 aECDH - ECDH cert
9844 aECDSA - ECDSA cert
9845 ECDSA - ECDSA cert
9847 AECDH - anonymous ECDH
9848 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
9874 * New -resign option to smime utility. This adds one or more signers
9875 to an existing PKCS#7 signedData structure. Also -md option to use an
9886 * New -macalg option to pkcs12 utility to allow setting of an alternative
9989 "list-public-key-algorithms" to print out info.
9994 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10017 De-spaghettify the public key ASN1 handling. Move public and private
10026 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10035 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
10036 PSK-AES256-CBC-SHA
10068 - SSL_CTX_set_tlsext_servername_callback()
10070 - SSL_CTX_set_tlsext_servername_arg()
10071 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10073 openssl s_client has a new '-servername ...' option.
10075 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10076 '-key2 ...', '-servername_fatal' (subject to change). This allows
10077 testing the HostName extension for a specific single host name ('-cert'
10078 and '-key' remain fallbacks for handshakes without HostName
10080 default is a warning; it becomes fatal with the '-servername_fatal'
10089 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
10093 implementations, between 32- and 64-bit builds without hassle.
10106 "64-bit" performance on certain 32-bit targets.
10117 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
10165 -------------
10170 update s->server with a new major version number. As of
10171 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10172 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10175 protection is active. ([CVE-2010-0740])
10179 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10186 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
10220 This results in significant per-connection memory leaks and
10221 has caused some security issues including CVE-2008-1678 and
10222 CVE-2009-4355.
10264 * Implement RFC5746. Re-enable renegotiation but require the extension
10275 servername handling. Use a non-zero length session ID when attempting
10290 * Add --strict-warnings option to Configure script to include devteam
10295 * Add support for --libdir option and LIBDIR variable in makefiles. This
10326 it used to have an ad-hoc builder which was unable to cope with anything
10334 with non-FIPS digests are now usable in FIPS mode.
10345 buffered. ([CVE-2009-1378])
10355 ([CVE-2009-1377])
10359 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10360 parent structure is freed. ([CVE-2009-1379])
10364 * Handle non-blocking I/O properly in SSL_shutdown() call.
10366 *Darryl Miles <darryl-mailinglists@netbauds.net>*
10374 * Disable renegotiation completely - this fixes a severe security
10375 problem ([CVE-2009-3555]) at the cost of breaking all
10376 renegotiation. Renegotiation can be re-enabled by setting
10377 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10378 run-time. This is really not recommended unless you know what
10387 zeroing past the valid field. ([CVE-2009-0789])
10393 appear to verify correctly. ([CVE-2009-0591])
10399 a legal length. ([CVE-2009-0590])
10419 * New -hex option for openssl rand.
10440 ([CVE-2008-5077]).
10458 * Tweak Configure so that you need to say "experimental-jpake" to enable
10459 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10476 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10487 ChangeCipherSpec as first record ([CVE-2009-1386]).
10497 double-checked locking was incomplete for RSA blinding,
10499 doubly unsafe triple-checked locking.
10508 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10510 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10514 - Change bn_nist.c so that it will properly handle input BIGNUMs
10517 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10522 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10531 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10543 Not compiled unless enable-capieng specified to Configure.
10560 Codenomicon TLS test suite ([CVE-2008-1672])
10565 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10589 the 'db' section contains nothing but zeroes (there is a one-byte
10594 * Partial backport from 0.9.9-dev:
10598 While 0.9.9-dev uses assembler for various architectures, only
10600 32-bit x86 is available through a compile-time setting.
10602 To try the 32-bit x86 assembler implementation, use Configure
10603 option "enable-montasm" (which exists only for this backport).
10605 As "enable-montasm" for 32-bit x86 disclaims code stability
10607 backported from 0.9.9-dev for further performance improvements,
10609 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10620 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10627 'uptodate' flag is reset so that auto-discovery will be used next
10644 with the enable-cms configuration option.
10681 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10682 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10683 - added some more tests to do_tests.pl
10684 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10685 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10686 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10687 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10688 - various changes to netware.pl to enable gcc-cross builds on Win32
10690 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10691 - various changes to fix missing prototype warnings
10692 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10693 - added AES, WHIRLPOOL and CPUID assembler code to build files
10694 - added missing AES assembler make rules to mk1mf.pl
10695 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10711 + DTLS interoperation with non-compliant servers
10723 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10726 This update even addresses CVE-2007-4995.
10775 - SSL_CTX_set_tlsext_servername_callback()
10777 - SSL_CTX_set_tlsext_servername_arg()
10778 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10780 openssl s_client has a new '-servername ...' option.
10782 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10783 '-key2 ...', '-servername_fatal' (subject to change). This allows
10784 testing the HostName extension for a specific single host name ('-cert'
10785 and '-key' remain fallbacks for handshakes without HostName
10787 default is a warning; it becomes fatal with the '-servername_fatal'
10813 * Add the Korean symmetric 128-bit cipher SEED (see
10817 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10818 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10819 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10820 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10824 is configured with 'enable-seed'.
10832 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10836 respectively, which are slower, but avoid the security-relevant
10851 constant-time implementations for more than just exponentiation.
10868 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10879 authentication-only ciphersuites.
10883 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10885 ([CVE-2007-5135]) [Ben Laurie]
10927 *Goetz Babin-Ebell*
10932 cause a denial of service. ([CVE-2006-2940])
10937 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10940 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10943 malicious SSLv2 server. ([CVE-2006-4343])
10948 match only those. Before that, "AES256-SHA" would be interpreted
10949 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10953 "RC4-MD5" that intentionally matched multiple ciphersuites --
10960 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10977 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10992 However, please upgrade to OpenSSL 0.9.9[-dev] for
10993 non-experimental use of the ECC ciphersuites to get TLS extension
11001 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
11002 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
11003 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
11006 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
11010 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
11016 dual-core machines) and other potential thread-safety issues.
11020 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
11021 versions), which is now available for royalty-free use
11027 is configured with 'enable-camellia'.
11051 * Update support for ECC-based TLS ciphersuites according to
11052 draft-ietf-tls-ecc-12.txt with proposed changes (but without
11067 Static zlib linking now works on Windows and the new --with-zlib-include
11068 --with-zlib-lib options to Configure can be used to supply the location
11095 countermeasure against man-in-the-middle protocol-version
11097 idea. ([CVE-2005-2969])
11112 * Avoid some small subgroup attacks in Diffie-Hellman.
11116 * Add functions for well-known primes.
11153 * Add -utf8 command line and config file option to 'ca'.
11163 involves renaming the source and generated shared-libs for
11172 use it. Make -CSP option work again in pkcs12 utility.
11177 - automatic re-creation of the BN_BLINDING parameters after
11179 - add new function for parameter creation
11180 - introduce flags to control the update behaviour of the
11182 - hide BN_BLINDING structure
11203 * Use SHA-1 instead of MD5 as the default digest algorithm for
11208 * Compile clean with "-Wall -Wmissing-prototypes
11209 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11215 The new counterpiece to "no-xxx" is "enable-xxx".
11218 "enable-rc5" and "enable-mdc2", respectively, are specified.
11222 fee for non-commercial use. As before, "no-idea" can be used to
11229 EGEE (Enabling Grids for E-science in Europe).
11234 as Intel P4, IA-64 and AMD64.
11238 * New utility extract-section.pl. This can be used specify an alternative
11249 * New arguments -certform, -keyform and -pass for s_client and s_server
11274 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11290 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11295 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
11303 give fewer recursive includes, which could break lazy source code - so
11307 backwards-compatible behaviour prevails when this isn't defined.
11344 static array of bignums, BN_CTX now uses a linked-list of such arrays
11380 * BN_CTX_get() should return zero-valued bignums, providing the same
11413 * Because of the callback-based approach for implementing LHASH as a
11414 template type, lh_insert() adds opaque objects to hash-tables and
11417 (and losing the object pointers). So some over-zealous constifications in
11431 aren't necessarily the greatest nomenclatures - but this is what was used
11438 the self-tests were still using deprecated key-generation functions so
11459 modulus operations are not performed. The (pre-generated) prime
11461 re-generated on some platforms because of the "division by zero"
11466 * Update support for ECC-based TLS ciphersuites according to
11467 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11468 SHA-1 now is only used for "small" curves (where the
11482 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11494 to certificate and key stores, be they simple file-based stores, or
11495 HSM-type store, or LDAP stores, or...
11508 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11516 searched-for key would be inserted to preserve sorting order.
11537 * Make it possible to create self-signed certificates with 'openssl ca'
11538 in such a way that the self-signed certificate becomes part of the
11540 as all other certificate signing. The new flag '-selfsign' enables
11547 request can be signed by that key (self-signing).
11560 * Generate multi-valued AVAs using '+' notation in config files for
11578 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11607 * Add full support for -rpath/-R, both in shared libraries and
11634 provide a boost. This ENGINE is not built in by default, but it can be
11637 ./config -DOPENSSL_USE_GMP -lgmp
11642 testing availability of engines with "-t" - the old behaviour is
11643 produced by increasing the feature's verbosity with "-tt".
11654 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11661 * Change the "progress" mechanism used in key-generation and
11667 migrate to the new functions. Also, the new key-generation API
11668 functions operate on a caller-supplied key-structure and return
11669 success/failure rather than returning a key or NULL - this is to
11683 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11692 draft-ietf-tls-compression-04.txt.
11702 -- at least one of the pair shall be present -- }
11723 to avoid the need to access 'a->neg' directly in applications.
11727 * Implement fast modular reduction for pseudo-Mersenne primes
11748 the usual use of --prefix and/or --openssldir, and at run
11764 files while avoiding the low-level API.
11768 algorithm NIDs can be set to -1 for no encryption, the mac
11771 Enhance pkcs12 utility by making the -nokeys and -nocerts
11772 options work when creating a PKCS#12 file. New option -nomac
11775 instead of the low-level API.
11791 * Let 'openssl req' fail if an argument to '-newkey' is not
11796 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11932 functionality is disabled at compile-time.
11939 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11940 mode the content of non-printable OCTET STRINGs is output in a
11953 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11955 - Points are encoded in uncompressed form by default; options for
12004 EC_METHOD) that verifies that the curve discriminant is non-zero.
12019 - 'openssl req' now has a '-newkey ecdsa:file' option;
12020 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
12021 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
12025 - ECDSA engine support has been added.
12061 authentication-only ciphersuites.
12105 cause a denial of service. ([CVE-2006-2940])
12110 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12113 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12116 malicious SSLv2 server. ([CVE-2006-4343])
12121 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
12122 will no longer include "AES128-SHA"), and any other similar
12124 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
12133 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12143 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12144 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12145 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12148 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12152 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12158 dual-core machines) and other potential thread-safety issues.
12173 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12185 safely run with a non-FIPSed libcrypto, as it may crash because of
12194 countermeasure against man-in-the-middle protocol-version
12196 idea. ([CVE-2005-2969])
12208 the exponentiation using a fixed-length exponent. (Otherwise,
12215 * Make a new fixed-window mod_exp implementation the default for
12216 RSA, DSA, and DH private-key operations so that the sequence of
12219 cache-timing and potential related attacks.
12238 * Add support for smime-type MIME parameter in S/MIME messages which some
12275 they must be explicitly allowed at run time. See
12282 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12284 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12317 * Back-port of selected performance improvements from development
12327 * Add new -passin argument to dgst.
12332 this is needed for some certificates that re-encode DNs into UTF8Strings
12343 - if there is an unhandled critical extension (unless the user
12345 - if the path length has been exceeded (if one is set at all)
12346 - that certain extensions fit the associated purpose (if one has
12373 certificate is created using 'openssl req -x509'. The initial serial
12374 number file is created using 'openssl x509 -next_serial' in CA.pl
12381 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12382 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12387 ([CVE-2004-0112])
12437 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12439 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12446 * New -ignore_err option in ocsp application to stop the server
12492 * Countermeasure against the Klima-Pokorny-Rosa extension of
12502 They would be ill-advised to do so in most cases.
12508 an unpredictable seed -- if it is not unpredictable, there
12509 is no point in blinding anyway). Make RSA blinding thread-safe
12510 by remembering the creator's thread ID in rsa->blinding and
12511 having all other threads use local one-time blinding factors
12512 (this requires more computation than sharing rsa->blinding, but
12536 between bad padding and a MAC verification error. ([CVE-2003-0078])
12542 * Make the no-err option work as intended. The intention with no-err
12550 used by default when no-err is given.
12610 * IA-32 assembler support enhancements: unified ELF targets, support
12616 FreeBSD on non-x86 processors is separate from x86 processors on
12665 warnings and a request that patches get sent to openssl-dev.
12669 * Add the VC-CE target, introduce the WINCE sysname, and add
12674 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12675 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12685 * Avoid using fixed-size buffers for one-line DNs.
12744 * Add assertions to prevent user-supplied crypto functions from
12762 * Fix off-by-one error in EGD path.
12792 Remote buffer overflow in SSL3 protocol - an attacker could
12793 supply an oversized master key in Kerberos-enabled versions.
12794 ([CVE-2002-0657])
12802 * Make -nameopt work fully for req and add -reqopt switch.
12804 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12818 which may be activated as a side-effect of selecting a single cipher.
12826 * Add appropriate support for separate platform-dependent build
12827 directories. The recommended way to make a platform-dependent
12834 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12835 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12836 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12837 mkdir -p `dirname $F`
12838 ln -s $OPENSSL_SOURCE/$F $F
12852 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12854 * Improve diagnostics in file reading and command-line digests.
12859 error in AES-CFB decryption.
12878 * Fix escaping of non-ASCII characters when using the -subj option
12889 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12902 * Fix the 'app_verify_callback' interface so that the user-defined
12910 i=s->ctx->app_verify_callback(&ctx)
12912 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12945 the same as the utility itself: that is the -config
12976 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12985 * Add the configuration target debug-linux-ppro.
12997 * Add -keyform to rsautl, and document -engine.
13050 (up to about 10% better than before for P-192 and P-224).
13074 SSL object, and 'arg' is the application-defined value set by
13077 'openssl s_client' and 'openssl s_server' have new '-msg' options
13108 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
13109 runs for the former and machine-readable output for the latter.
13113 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
13114 of the e-mail address in the DN (i.e., it will go into a certificate
13193 support for symmetric ciphers and digest implementations - so ENGINEs
13198 API changes worth noting - some RSA, DSA, DH, and RAND functions that
13200 reverted back - the hooking from this code to ENGINE is now a good
13201 deal more passive and at run-time, operations deal directly with
13204 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13255 * Add support for shared libraries for Unixware-7
13269 makes them more flexible to be built both as statically-linked ENGINEs
13270 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13271 Also, add stub code to each that makes building them as self-contained
13272 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13278 self-contained shared-libraries. The "dynamic" ENGINE exposes control
13279 commands that can be used to configure what shared-library to load and
13281 the [README-Engine.md](README-Engine.md) file
13282 that brings its information up-to-date and
13284 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13313 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13314 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13319 thread-safety problems that existed, and (b) makes it possible to clean
13445 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13452 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13463 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13464 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13465 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13467 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13468 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13469 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13472 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13474 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13478 * Added the OS2-EMX target.
13497 * Change all calls to low-level digest routines in the library and
13514 dialog box interfaces, application-defined prompts, the possibility
13521 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13607 per-structure level rather than having to store it globally.
13619 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13631 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13633 - executing control commands from command line arguments using the
13634 '-pre' and '-post' switches. '-post' is only used if '-t' is
13636 the individual commands are colon-separated, for example;
13637 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13643 and input types for run-time discovery by calling applications. A
13646 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13655 OpenSSL-based application. Commands have been added to all the
13656 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13657 control over shared-library paths without source code alterations.
13671 should already have non-const pointers to it (ie. they should only
13677 - "atalla" and "ubsec" string definitions were moved from header files
13679 rather than hard-coded - allowing parameterisation of these values
13681 - Removed unused "#if 0"'d code.
13682 - Fixed engine list iteration code so it uses ENGINE_free() to release
13684 - Constified the RAND_METHOD element of ENGINE structures.
13685 - Constified various get/set functions as appropriate and added
13686 missing functions (including a catch-all ENGINE_cpy that duplicates
13688 - Removed NULL parameter checks in get/set functions. Setting a method
13692 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13694 - Changed prototypes for ENGINE handler functions (init(), finish(),
13695 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13701 used only if the modulus is odd. On 32-bit systems, it is faster
13702 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13703 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13704 up to 450 bits. In 64-bit environments, the binary algorithm
13753 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13769 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13775 change the def and num file printf format specifier from "%-40sXXX"
13776 to "%-39s XXX". The latter will always guarantee a space after the
13823 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13830 Add options '-batch' and '-verbose' to 'openssl req'.
13890 checked. Two new options -validity_period and -status_age added to
13924 can be useful for session caching in multiple-server environments. A
13925 command-line switch for testing this (and any client code that wishes
13940 sure e_os2.h will cover all platform-specific cases together with
13942 Additionally, it is now possible to define configuration/platform-
13946 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13951 * New option -set_serial to 'req' and 'x509' this allows the serial
13978 port and path components: primarily to parse OCSP URLs. New -url
13989 the request is nonce-less.
13995 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
14024 * Add the option -VAfile to 'openssl ocsp', so the user can give the
14096 is initialised to -1 but X509_time_adj() now has to check the value
14142 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14145 the '-extensions ...' option may be used for specifying the
14158 `openssl ca -status <serial>` prints the status of the cert with
14160 `openssl ca -updatedb` updates the expiry status of certificates
14165 * New '-newreq-nodes' command option to CA.pl. This is like
14166 '-newreq', but calls 'openssl req' with the '-nodes' option
14181 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14182 value of OPENSSLDIR. This is available via the new '-d' option
14183 to 'openssl version', and is also included in 'openssl version -a'.
14210 There should no longer be any prototype-casting required when using
14221 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14230 (select timeout) and read in non-blocking mode. DEVRANDOM now
14235 For VMS, there's a currently-empty rand_vms.c.
14354 problems: As the program is single-threaded, all we have
14363 during TLS/SSL handshakes so that thread-safety is essential.
14365 for multi-threaded use, so it probably should be abolished.
14419 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14424 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14431 that provide type-safety and avoid function pointer casting for the
14432 type-specific callbacks.
14452 (using the probabilistic Tonelli-Shanks algorithm unless
14456 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14499 * Change BN_mod_mul so that the result is always non-negative.
14521 These functions always generate non-negative results.
14530 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14532 <!--
14546 -->
14549 unless the '-salt' option is used (which usually means that
14552 or the new '-noverify' option is used.
14555 non-interactive use of 'openssl passwd' (passwords on the command
14556 line, '-stdin' option, '-in ...' option) and thus should not
14573 casts back to non-const were required (to be solved at a later
14595 are built-in in OpenSSL shall ever be used or not. The benefit is
14649 * Rework the filename-translation in the DSO code. It is now possible to
14656 * Support threads on FreeBSD-elf in Configure.
14705 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14706 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14715 certain ASN.1 tags ([CVE-2003-0851])
14724 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14750 * Countermeasure against the Klima-Pokorny-Rosa extension of
14760 They would be ill-advised to do so in most cases.
14766 an unpredictable seed -- if it is not unpredictable, there
14767 is no point in blinding anyway). Make RSA blinding thread-safe
14768 by remembering the creator's thread ID in rsa->blinding and
14769 having all other threads use local one-time blinding factors
14770 (this requires more computation than sharing rsa->blinding, but
14782 between bad padding and a MAC verification error. ([CVE-2003-0078])
14800 because the session->cipher setting was not restored when reloading
14808 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14810 *Zeev Lieber <zeev-l@yahoo.com>*
14833 the bitwise-OR of the two for use by the majority of applications
14836 changing anyway, so this is more a bug-fix than a behavioural
14841 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14858 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14870 * [In 0.9.6g-engine release:]
14879 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14915 implementations is desired (e.g. '-bugs' option to 's_client' and
14926 F30602-01-2-0537.
14931 supplied buffer. ([CVE-2002-0659])
14941 too small for 64 bit platforms. ([CVE-2002-0655])
14942 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
14944 * Remote buffer overflow in SSL3 protocol - an attacker could
14945 supply an oversized session ID to a client. ([CVE-2002-0656])
14949 * Remote buffer overflow in SSL2 protocol - an attacker could
14950 supply an oversized client master key. ([CVE-2002-0656])
14957 encoded as NULL) with id-dsa-with-sha1.
14966 an end-of-file condition would erroneously be flagged, when the CRLF
14969 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14985 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14988 processing was enabled when in fact s->s3->in_read_app_data was
15001 * Fix DH_generate_parameters() so that it works for 'non-standard'
15008 a generator of the order-q subgroup is just as good, if not
15019 returning non-zero before the data has been completely received
15020 when using non-blocking I/O.
15056 * [In 0.9.6d-engine release:]
15061 * Add the configuration target linux-s390x.
15063 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
15069 invocations of ssl3_accept when using non-blocking I/O, the
15074 To avoid this problem, we now set s->new_session to 2 instead of
15079 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
15093 type, we must throw them away by setting rr->length to 0.
15111 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
15113 Also some ip-pda OIDs in crypto/objects/objects.txt were
15123 * [In 0.9.6c-engine release:]
15128 * [In 0.9.6c-engine release:]
15136 rearranged (all '-L' options must appear before the first object
15141 * [In 0.9.6c-engine release:]
15147 * [In 0.9.6c-engine release:]
15153 * [In 0.9.6c-engine release:]
15164 messages are stored in a single piece (fixed-length part and
15165 variable-length part combined) and fix various bugs found on the way.
15186 never resets s->method to s->ctx->method when called from within
15235 * Add OpenUNIX-8 support including shared libraries
15252 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15284 configuration target "alpha-cc-rpath", which will never be selected
15296 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15317 dh->length and always used
15319 BN_rand_range(priv_key, dh->p).
15321 BN_rand_range() is not necessary for Diffie-Hellman, and this
15322 specific range makes Diffie-Hellman unnecessarily inefficient if
15323 dh->length (recommended exponent length) is much smaller than the
15324 length of dh->p. We could use BN_rand_range() if the order of
15326 dh->length.
15332 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15350 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15365 *Albert Chin-A-Young <china@thewrittenword.com>*
15367 * Add configuration option to build on Linux on both big-endian and
15368 little-endian MIPS.
15370 *Ralf Baechle <ralf@uni-koblenz.de>*
15372 * Add the possibility to create shared libraries on HP-UX.
15380 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15383 'md' followed by enough consecutive 1-byte PRNG requests
15394 Markku-Juhani's attack. (Actually it had never occurred
15396 half from which PRNG output bytes were taken -- I had always
15439 when fixing the server behaviour for backwards-compatible 'client
15443 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15499 * Change bctest again: '-x' expressions are not available in all
15519 If the SEQUENCE length is indefinite, just set c->slen to the total
15526 * Change bctest to avoid here-documents inside command substitution
15539 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15541 Computations, J. Cryptology 14 (2001) 2, 101-119,
15608 due to incorrect handling of multi-threading:
15616 inband-signalling in the previous code (which relied on the
15621 * Add "-rand" option also to s_client and s_server.
15626 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15645 to be set and top=0 forces the highest bit to be set; top=-1 is new
15650 * In the `NCONF_...`-based implementations for `CONF_...` queries
15706 * Fix 'openssl passwd -1'.
15717 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15727 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15734 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15764 avoid potential security hole. (Re-used sessions on the client side
15770 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15778 releases, have been re-implemented by renaming the previous
15789 the method-specific "init()" handler. Also clean up ex_data after
15790 calling the method-specific "finish()" handler. Previously, this was
15809 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15813 - Make note of the expected extension for the shared libraries and
15818 - Make as few rebuilds of the shared libraries as possible.
15820 - Still avoid linking the OpenSSL programs with the shared libraries.
15822 - When installing, install the shared libraries separately from the
15886 in a record-oriented fashion. That means that every write() will
15897 Currently, it's a VMS-only method, because that's where it has
15905 but it was in 0.9.6-beta[12].)
15931 documentation and run-time libraries. The devel package contains
15940 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16032 to bypass the X509_STORE hackery necessary to make this
16063 In BIO_puts, increment b->num_write as in BIO_write.
16080 used for low-level RSA operations. DER public key
16087 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
16089 * A demo state-machine implementation was sponsored by
16165 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16187 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16192 In s23_clnt.c, don't use special rollback-attack detection padding
16258 * New options to smime application. -inform and -outform
16260 PEM and DER. The -content option allows the content to be
16285 - New object identifiers are inserted in objects.txt, following
16287 - objects.pl is used to process obj_mac.num and create a new
16289 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16301 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16305 * Addition of the command line parameter '-rand file' to 'openssl req'.
16347 an -sgckey command line option to the rsa utility. Thanks to
16349 algorithm to openssl-dev.
16366 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16397 * The type-safe stack code has been rejigged. It is now only compiled
16399 by default all type-specific stack functions are "#define"d back to
16401 but retains the type-safety checking possibilities of the original
16409 map type-safe stack functions onto their plain stack counterparts.
16449 for CFB and OFB modes they zero ctx->num.
16475 i.e. non-zero for export ciphersuites, zero otherwise.
16493 Added -fingerprint option to crl utility, to support new c_rehash
16498 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16535 * Bugfix for linux-elf makefile.one.
16595 * Add '-tls1' option to 'openssl ciphers', which was already
16603 OpenSSL-based applications) load shared libraries and bind to
16615 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16616 to '-clrext' (= clear extensions), as intended and documented.
16634 *Ulf Möller, using the problem description in krb4-0.9.7, where
16643 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16645 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16650 the 'no-cipher' compilation switches can be tested this way.
16652 ('openssl no-XXX' is not able to detect pseudo-commands such
16653 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16657 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16665 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16671 * New s_client option -ign_eof: EOF at stdin is ignored, and
16673 This is part of what -quiet does; unlike -quiet, -ign_eof
16710 * Add '-dsaparam' option to 'openssl dhparam' application. This
16717 by 'openssl dhparam -C'.
16743 * New 'rand' application for creating pseudo-random output.
16757 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16817 or -rand.
16849 sections with information on -D... compiler switches used for
16851 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16899 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16903 * Add -rand argument to smime and pkcs12 applications and read/write
16930 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16959 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16963 * Use a less unusual form of the Miller-Rabin primality test (it used
16964 a binary algorithm for exponentiation integrated into the Miller-Rabin
16986 using 50 iterations of the Rabin-Miller test.
16989 iterations of the Rabin-Miller test as required by the appendix
16990 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16996 for each positive witness in the Rabin-Miller test, not just
17001 function with an 'iteration count' of -1, meaning that a
17003 from an application-provided seed, trial division is skipped).
17008 division before starting the Rabin-Miller test and has
17011 'callback(1, -1, cb_arg)' is called when a number has passed the
17021 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17043 by stat(). RAND_load_file(..., -1) is new and uses the complete file
17060 Rabin-Miller iterations.
17064 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
17086 cipher-strength (using the strength_bits hard coded in the tables).
17089 Fix a bug in the cipher-command parser: when supplying a cipher command
17091 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17094 Due to the strength-sorting extension, the code of the
17096 the readability was also increased :-)
17098 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17100 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
17143 * Do more iterations of Rabin-Miller probable prime test (specifically,
17144 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17147 false-positive rate of at most 2^-80 for random input.
17169 -nomaciter option is used. This improves file security and
17174 * Honor the no-xxx Configure options when creating .DEF files.
17231 $PATH. Just exploiting the BWX extension results in 20-30%
17461 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17489 Two new options to the verify program: -untrusted allows a set of
17490 untrusted certificates to be passed in and -purpose which sets the
17522 Added a -pubkey option to the 'x509' utility to output the public key.
17561 openssl verify -CAfile ss.pem ss.pem
17569 but an application-provided verification callback (set by
17571 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17573 ssl->verify_result to the appropriate error code to avoid
17582 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17586 -S option to allow a salt to be input on the command line.
17616 the string plus current file name and line number to a per-thread
17619 Also updated memory leak detection code to be multi-thread-safe.
17623 * Add options -text and -noout to pkcs7 utility and delete the
17639 * Fix the -revoke option in ca. It was freeing up memory twice,
17664 with non-optimised assembler. Even so, this now gives around 95%
17684 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17687 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17703 - Assure unique random numbers after fork().
17704 - Make sure that concurrent threads access the global counter and
17718 dsaparam -genkey (which also ignored its '-rand' option),
17727 of each file listed in the '-rand' option. The function as previously
17729 that support '-rand'.
17762 verification. Also added a -purpose flag to x509 utility to
17779 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17784 * New -noout option to asn1parse. This causes no output to be produced
17785 its main use is when combined with -strparse and -out to extract data
17795 * New option -dhparam in s_server. This allows a DH parameter file to be
17802 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17804 openssl rsa -in key.pem -pubout -out pubkey.pem
17845 working at all :-) A dedicated Windows application might handle this
17862 * Add new -verify -CAfile and -CApath options to the crl program, these
17871 * Initialize all non-automatic variables each time one of the openssl
17872 sub-programs is started (this is necessary as they may be started
17885 * Non-copying interface to BIO pairs.
17920 <madwolf@comune.modena.it>. The new option is called -extensions
17921 and can be applied to ca, req and x509. Also -reqexts to override
17922 the request extensions in req and -crlexts to override the crl extensions
17937 config file. They can be printed out with the -text option to req but
17960 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17980 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
18006 * -crlf option to s_client and s_server for sending newlines as
18021 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
18030 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
18033 much more efficient (160-bit exponentiation instead of 1024-bit
18049 * Allow the -k option to be used more than once in the enc program:
18096 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
18100 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
18121 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
18128 * New function RSA_check_key and new openssl rsa option -check
18167 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18176 to disable memory-checking temporarily.
18181 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18185 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18187 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18209 * Fix problems with no-hmac etc.
18230 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18250 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18261 Whoever hopes to achieve shared-library compatibility across versions
18262 must use this, not the compile-time macro.
18265 Note: All this applies only to multi-threaded programs, others don't
18270 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18323 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18333 Changing the behaviour of the former might break existing programs --
18339 fails, it needs to cause bc to give a non-zero result or make test carries
18352 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18357 * Instead of "mkdir -p", which is not fully portable, use new
18358 Perl script "util/mkdir-p.pl".
18388 * "linux-sparc64" configuration (ultrapenguin).
18391 "linux-sparc" configuration.
18393 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18395 * config now generates no-xxx options for missing ciphers.
18404 * Support BS2000/OSD-POSIX.
18420 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18426 * New configuration variant "sco5-gcc".
18449 * SHA library changes for irix64-mips4-cc.
18517 * New option -out to asn1parse to allow the parsed structure to be
18518 output to a file. This is most useful when combined with the -strparse
18523 * Make SSL library a little more fool-proof by not requiring any longer
18527 intended anyway -- now it really works as intended).
18535 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18536 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18537 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18548 various ways (and thus what used to be known as ctx->default_cert
18549 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18550 any longer when s->cert does not give us what we need).
18553 we have solved a couple of bugs of the earlier code where s->cert
18563 that holds per-session data (if available); currently, this is
18591 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18592 without disallowing inline assembler and the like for non-pedantic builds.
18604 * SHA-1 cleanups and performance enhancements.
18612 * Accept any -xxx and +xxx compiler options in Configure.
18627 DER-encoded.)
18632 x509_vfy.c had what can be considered an off-by-one-error:
18660 * New Configure options "threads" and "no-threads". For systems
18671 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18676 * "make linux-shared" to build shared libraries.
18680 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18698 * New Configure options --prefix=DIR and --openssldir=DIR.
18719 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18737 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18815 * Don't auto-generate pem.h.
18819 * Introduce type-safe ASN.1 SETs.
18823 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18827 * Introduce type-safe STACKs. This will almost certainly break lots of code
18835 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18838 revoking a certificate. The -revoke option does the gory details now.
18842 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18843 `-text` option at all and this way the `-noout -text` combination was
18855 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18859 `openssl list-cipher-commands` is used.
18897 * New "-showcerts" option for s_client.
18938 * Make sure the RSA OAEP test is skipped under -DRSAref because
18944 so they no longer are missing under -DNOPROTO.
18974 * Make rsa_oaep_test return non-zero on error.
18979 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
19009 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
19021 * DES quad checksum was broken on big-endian architectures. Fixed.
19082 pre-configured entry in Configure's %table under key `<id>` with value
19084 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19085 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
19086 now, which overrides the FreeBSD-elf entry on-the-fly.
19094 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
19101 * Remarkably, export ciphers were totally broken and no-one had noticed!
19107 questions now is the OpenSSL core team under openssl-core@openssl.org.
19108 And add a paragraph about the dual-license situation to make sure people
19164 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19175 This means that Apache-SSL and similar packages don't have to mess around
19187 * Get rid of remaining C++-style comments which strict C compilers hate.
19198 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19200 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19210 non-public-API function ssl_cert_instantiate() is used as a helper
19215 * Move s_server -dcert and -dkey options out of the undocumented feature
19238 * Don't hard-code path to Perl interpreter on shebang line of Configure
19239 script. Instead use the usual Shell->Perl transition trick.
19243 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
19245 -noout -modulus` as it's already the case for `openssl rsa -noout
19246 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
19248 `openssl dsa -modulus` in the past) which serves a similar purpose.
19249 Additionally the NO_RSA no longer completely removes the whole -modulus
19255 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19272 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19273 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19303 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19334 *Lars Weber <3weber@informatik.uni-hamburg.de>*
19387 - ported BN stuff to OpenSSL's different BN library
19388 - made the perl/ source tree CVS-aware
19389 - renamed the package from SSLeay to OpenSSL (the files still contain
19391 - removed obsolete files (the test scripts will be replaced
19403 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19411 what that's for :-) Fix to ASN1 macro which messed up
19438 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19440 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19446 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19475 and add a sample to openssl.cnf so req -x509 now adds appropriate
19500 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19505 * Spelling mistake in C version of CAST-128.
19509 * Changes to the error generation code. The perl script err-code.pl
19516 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19521 * CAST-128 was incorrectly implemented for short keys. The C version has
19523 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19525 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19602 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19604 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19606 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19638 * Make sure the already existing X509_STORE->depth variable is initialized
19670 * Make the top-level INSTALL documentation easier to understand.
19674 * Makefiles updated to exit if an error occurs in a sub-directory
19689 * Enhanced the err-ins.pl script so it makes the error library number
19726 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19734 ncr-scde
19735 unixware-2.0
19736 unixware-2.0-pentium
19737 sco5-cc.
19750 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19757 * Some fixups to the top-level documents.
19761 * Fixed the nasty bug where rsaref.h was not found under compile-time
19766 * Incorporated the popular no-RSA/DSA-only patches
19767 which allow compiling an RSA-free SSLeay.
19771 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19789 * Recompiled the error-definition header files and added
19794 * Cleaned up the top-level documents;
19844 * Add -strparse option to asn1pars program which parses nested
19857 * Added "-genkey" option to "dsaparam" program.
19865 * Added -a (all) option to "ssleay version" command.
19954 <!-- Links -->
19956 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
19957 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
19958 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
19959 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
19960 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19961 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19962 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
19963 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
19964 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
19965 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
19966 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
19967 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
19968 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19969 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19970 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19971 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19972 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
19973 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19974 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19975 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19976 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
19977 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
19978 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
19979 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19980 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
19981 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
19982 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
19983 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
19984 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
19985 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
19986 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
19987 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19988 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19989 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19990 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19991 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19992 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19993 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19994 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19995 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19996 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19997 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19998 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19999 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
20000 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
20001 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
20002 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
20003 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
20004 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
20005 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
20006 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
20007 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
20008 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
20009 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
20010 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
20011 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
20012 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
20013 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
20014 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
20015 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
20016 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
20017 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
20018 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
20019 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
20020 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
20021 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
20022 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
20023 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
20024 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
20025 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
20026 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
20027 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
20028 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
20029 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
20030 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
20031 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
20032 [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
20033 [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
20034 [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
20035 [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
20036 [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
20037 [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
20038 [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
20039 [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
20040 [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
20041 [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
20042 [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
20043 [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
20044 [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
20045 [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
20046 [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
20047 [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
20048 [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
20049 [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
20050 [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
20051 [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
20052 [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
20053 [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
20054 [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
20055 [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
20056 [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
20057 [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
20058 [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
20059 [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
20060 [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
20061 [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
20062 [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
20063 [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
20064 [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
20065 [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
20066 [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
20067 [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
20068 [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
20069 [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
20070 [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
20071 [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
20072 [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
20073 [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
20074 [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
20075 [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
20076 [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
20077 [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
20078 [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
20079 [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
20080 [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
20081 [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
20082 [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
20083 [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
20084 [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
20085 [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
20086 [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
20087 [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
20088 [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
20089 [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
20090 [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
20091 [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
20092 [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
20093 [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
20094 [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
20095 [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
20096 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
20097 [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
20098 [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
20099 [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
20100 [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
20101 [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
20102 [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
20103 [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
20104 [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
20105 [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
20106 [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
20107 [CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
20108 [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
20109 [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
20110 [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
20111 [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
20112 [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
20113 [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
20114 [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
20115 [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
20116 [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
20117 [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
20118 [CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
20119 [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
20120 [CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
20121 [CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
20122 [CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
20123 [CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
20124 [CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
20125 [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
20126 [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
20127 [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
20128 [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
20129 [CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
20130 [CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
20131 [CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
20132 [CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
20133 [CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
20134 [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
20135 [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
20136 [CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
20137 [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
20138 [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
20139 [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
20140 [CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
20141 [CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
20142 [CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
20143 [CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
20144 [CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
20145 [CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
20146 [CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
20147 [CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
20148 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
20149 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
20150 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655