Lines Matching +full:fine +full:- +full:ctr +full:- +full:bits

4 This is a detailed breakdown of significant changes. For a high-level overview
13 ----------------
15 - [OpenSSL 3.5](#openssl-35)
16 - [OpenSSL 3.4](#openssl-34)
17 - [OpenSSL 3.3](#openssl-33)
18 - [OpenSSL 3.2](#openssl-32)
19 - [OpenSSL 3.1](#openssl-31)
20 - [OpenSSL 3.0](#openssl-30)
21 - [OpenSSL 1.1.1](#openssl-111)
22 - [OpenSSL 1.1.0](#openssl-110)
23 - [OpenSSL 1.0.2](#openssl-102)
24 - [OpenSSL 1.0.1](#openssl-101)
25 - [OpenSSL 1.0.0](#openssl-100)
26 - [OpenSSL 0.9.x](#openssl-09x)
29 -----------
33 * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
36 password based encryption can trigger an out-of-bounds read and write.
38 Impact summary: This out-of-bounds read may trigger a crash which leads to
39 Denial of Service for an application. The out-of-bounds write can cause
41 a Denial of Service or Execution of attacker-supplied code.
45 ([CVE-2025-9230])
49 * Fix Timing side-channel in SM2 algorithm on 64 bit ARM
51 Issue summary: A timing side-channel which could potentially allow remote
55 Impact summary: A timing side-channel in SM2 signature computations on
60 ([CVE-2025-9231])
64 * Fix Out-of-bounds read in HTTP client no_proxy handling
67 may trigger an out-of-bounds read if the "no_proxy" environment variable is
71 Impact summary: An out-of-bounds read can trigger a crash which leads to
76 ([CVE-2025-9232])
82 on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
86 * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
108 on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
127 operation to add a missing check that the caller-indicated output buffer
134 RSA public encryption into a buffer that is too small, an out-of-bounds
139 * Added FIPS 140-3 PCT on DH key generation.
150 This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
158 Issue summary: Use of -addreject option with the openssl x509 application adds
164 ([CVE-2025-4575])
189 Examples of such schemes are ED25519 or ML-DSA.
193 * The TLS Signature algorithms defaults now include all three ML-DSA variants as
198 * Added a `no-tls-deprecated-ec` configuration option.
200 The `no-tls-deprecated-ec` option disables support for TLS elliptic curve
203 compiled in, but, as before, they are not included in the default run-time
206 With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
212 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
225 * Add SLH-DSA as specified in FIPS 205.
229 * ML-KEM as specified in FIPS 203.
234 TLS hybrid key post-quantum/classical key agreement schemes.
238 * Add ML-DSA as specified in FIPS 204.
258 replace the ad-hoc byte arrays that are pervasive throughout the library.
267 bits are no longer enabled by default.
275 server-side key exchange group selection.
277 Extend the server-side key exchange group selection algorithm and related
279 (hybrid-)KEMs.
291 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
292 form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)`
303 * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
305 available groups to the default selection. The '-' prefix allows the calling
308 *Frederik Wedel-Heinen*
311 from `des-ede3-cbc` to `aes-256-cbc`.
313 AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
330 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
331 longer required) when using `-digest` or when signing or verifying with an
333 The `-digest` and `-rawin` options may only be given with `-sign` or `-verify`.
355 configuration option `enable-fips-jitter`.
360 feature/capability bits in leaf `0x7` (Extended Feature Flags) as well
371 currently no built-in ciphers that support pipelining. This new API replaces
380 …However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/et…
384 The new `-no_signing_time` option of the `cms` command enables this flag.
388 * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for
392 times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`)
397 * VAES/AVX-512 support for AES-XTS.
400 vectorized implementation of AES-XTS with a throughput improvement
412 every 4 input bytes. Such behaviour could cause writes to a non-allocated
417 in the initial non-encoded message.
427 * Added a new CLI option `-provparam` and API functions for setting of
441 * Added a build configuration option `enable-sslkeylog` for enabling support
452 -----------
470 ([CVE-2024-12797])
474 * Fixed timing side-channel in ECDSA signature computation.
479 the NIST P-521 curve is affected. To be able to measure this leak, the
483 ([CVE-2024-13176])
505 RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
527 FIPS 140-3 requires indicators to be used if the FIPS provider allows
528 non-approved algorithms. An algorithm is approved if it passes all
539 Note that new FIPS 140-3 restrictions have been enforced such as
546 *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
583 with registry keys. See NOTES-WINDOWS.md.
587 * Added options `-not_before` and `-not_after` for explicit setting
590 `-startdate` and `-enddate` options.
599 * SHAKE-128 and SHAKE-256 implementations have no default digest length
621 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
629 with the respective CLI options `-template`,
630 `-crlcert`, `-oldcrl`, `-crlout`, `-crlform`, and `-rsp_crl`.
645 public API. There is no command-line tool support at this time.
647 *Damian Hobson-Garcia*
650 option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
658 which are Y2038-safe.
663 precomputed values. This is used by the P-256 implementation.
668 -----------
672 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
675 Use of the low-level GF(2^m) elliptic curve APIs with untrusted
676 explicit values for the field polynomial can lead to out-of-bounds memory
684 ([CVE-2024-9143])
698 ([CVE-2024-6119])
708 ([CVE-2024-5535])
733 ([CVE-2024-4741])
750 ([CVE-2024-4603])
764 * The `-verify` option to the `openssl crl` and `openssl req` will make
771 error of -1 once it is exhausted. Users may need to reserve using this
785 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
804 OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
816 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
817 override the Issuer and Subject when creating a certificate. The `-subj`
818 option now is an alias for `-set_subject`.
822 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
833 - `certProfile` request message header and respective `-profile` CLI option
834 - support for delayed delivery of all types of response messages
840 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
853 server to prefer session resumption using PSK-only key exchange over PSK
858 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
872 The qlog output from OpenSSL currently uses a pre-standard draft version of
876 disabled with the build-time option `no-unstable-qlog`. See the
877 openssl-qlog(7) manpage for details.
894 non-blocking manner. Refer to the SSL_poll(3) manpage for details.
911 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
916 X509_STORE_get0_objects API in multi-threaded applications. Refer to the
925 * Optimized AES-CTR for ARM Neoverse V1 and V2
929 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
939 * Various optimizations for cryptographic routines using RISC-V vector crypto
955 -----------
959 * Fixed an issue where some non-default TLS server configurations can cause
964 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
966 anti-replay protection is in use). In this case, under certain conditions,
973 ([CVE-2024-2511])
1000 ([CVE-2024-0727])
1017 with the "-pubin" and "-check" options on untrusted data.
1022 ([CVE-2023-6237])
1027 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
1040 be various - from no consequences, if the calling application does not
1041 depend on the contents of non-volatile XMM registers at all, to the worst
1048 ([CVE-2023-6129])
1053 `no-apps`.
1069 ([CVE-2023-5678])
1082 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
1083 and the corresponding provider-storemgmt API function
1088 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
1096 recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2
1097 requires a salt length of 128 bits. This affects OpenSSL command line
1115 libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
1130 speed of the NIST P-384 elliptic curve. To enable the implementation
1131 the build option `enable-ec_nistp_64_gcc_128` must be used.
1158 * Provide a new configure option `no-http` that can be used to disable the
1159 HTTP support. Provide new configure options `no-apps` and `no-docs` to
1164 * Provide a new configure option `no-ecx` that can be used to disable the
1180 * TLS round-trip time calculation was added by a Brigham Young University
1187 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
1188 QUIC requires the use of ALPN, so this must be specified via the "-alpn"
1189 option. Use of the "advanced" s_client command via the "-adv" option
1194 * Added an "advanced" command mode to s_client. Use this with the "-adv"
1198 escaping mechanism. After starting s_client with "-adv" type "{help}"
1216 * Added further assembler code for the RISC-V architecture.
1225 * Improved support for non-default library contexts and property queries
1242 * Implemented SM4-XTS support.
1246 * Added platform-agnostic OSSL_sleep() function.
1254 * Implemented AES-GCM-SIV (RFC8452) support.
1258 * Added support for pluggable (provider-based) TLS signature algorithms.
1262 for example suitable providers to deliver post-quantum or quantum-safe
1267 * Added support for pluggable (provider-based) CMS signature algorithms.
1329 SSL_get0_iana_groups() function-like macro, retrieves the list of
1332 a caller-supplied array with the list of extension types present in the
1342 * The PKCS12_parse() function now supports MAC-less PKCS12 files.
1349 *Arran Cudbard-Bell*
1361 DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
1362 of 160 bits and above and less than 224 bits were previously accepted by
1385 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
1396 The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
1410 as well as the `-srvcertout` and `-serial` CLI options.
1432 * Fixed and extended `util/check-format.pl` for checking adherence to the
1433 coding style <https://www.openssl.org/policies/technical/coding-style.html>.
1438 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
1454 compile-time option `no-winstore`. This store is not currently used by
1468 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
1481 * New parameter `-digest` for openssl cms command allowing signing
1482 pre-computed digests and new CMS API functions supporting that
1494 decryption as a protection against Bleichenbacher-like attacks.
1498 issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
1505 * Added support for Brainpool curves in TLS-1.3.
1519 -----------
1525 that alter the key or IV length ([CVE-2023-5363]).
1534 does not save the contents of non-volatile XMM registers on Windows 64
1538 x86_64 processors supporting the AVX512-IFMA instructions.
1541 be various - from no consequences, if the calling application does not
1542 depend on the contents of non-volatile XMM registers at all, to the worst
1549 ([CVE-2023-4807])
1558 fixing CVE-2023-3446 it was discovered that a large q parameter value can
1568 ([CVE-2023-3817])
1577 a modulus which is over 10,000 bits in length.
1583 A new limit has been added to DH_check of 32,768 bits. Supplying a
1587 ([CVE-2023-3446])
1591 * Do not ignore empty associated data entries with AES-SIV.
1593 The AES-SIV algorithm allows for authentication of multiple associated
1597 The AES-SIV implementation in OpenSSL just returns success for such call
1599 The empty data thus will not be authenticated. ([CVE-2023-2975])
1604 applications that use empty associated data entries with AES-SIV.
1611 * When building with the `enable-fips` option and using the resulting
1613 master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
1614 not operate with truncated digests (FIPS 140-3 IG G.R).
1621 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
1624 numeric text form. For gigantic sub-identifiers, this would take a very
1626 sub-identifier. ([CVE-2023-2650])
1634 most 128 sub-identifiers, and that the maximum value that each sub-
1635 identifier may have is 2^32-1 (4294967295 decimal).
1637 For each byte of every sub-identifier, only the 7 lower bits are part of
1646 *Liu-ErMeng*
1648 * Added a -pedantic option to fipsinstall that adjusts the various
1654 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
1656 trigger a crash of an application using AES-XTS decryption if the memory
1659 ([CVE-2023-1255])
1663 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
1665 a severe 2-3x performance regression in the typical use case
1675 truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
1676 The option '-no_drbg_truncated_digests' can optionally be
1684 ([CVE-2023-0466])
1693 ([CVE-2023-0465])
1698 against CVE-2023-0464. The default limit is set to 1000 nodes, which
1703 ([CVE-2023-0464])
1711 The option '-ems_check' can optionally be supplied to
1716 * The FIPS provider includes a few non-approved algorithms for
1741 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
1749 * Parallel dual-prime 1536/2048-bit modular exponentiation for
1761 `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
1771 * When generating safe-prime DH parameters set the recommended private key
1776 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
1778 FIPS 186-4 section 5. This is implemented by a new option
1779 `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
1786 -----------
1806 ([CVE-2023-0401])
1829 ([CVE-2023-0286])
1844 security requirements imposed by standards such as FIPS 140-3.
1845 ([CVE-2023-0217])
1859 ([CVE-2023-0216])
1863 * Fixed Use-after-free following BIO_new_NDEF.
1878 then a use-after-free will occur. This will most likely result in a crash.
1879 ([CVE-2023-0215])
1904 ([CVE-2022-4450])
1915 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
1916 ([CVE-2022-4304])
1928 ([CVE-2022-4203])
1940 ([CVE-2022-3996])
1950 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
1977 ([CVE-2022-3786])
1980 attacker-controlled bytes on the stack. This buffer overflow could
1983 ([CVE-2022-3602])
2043 ([CVE-2022-3358])
2052 * Fixed the linux-mips64 Configure target which was missing the
2067 * Fixed detection of ktls support in cross-compile environment on Linux
2103 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
2104 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
2105 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
2128 ([CVE-2022-2274])
2132 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
2140 ([CVE-2022-2097])
2147 CVE-2022-1292, further bugs where the c_rehash script does not
2151 When the CVE-2022-1292 was fixed it was not discovered that there
2161 (CVE-2022-2068)
2172 * Case insensitive string comparison is reimplemented via new locale-agnostic
2187 (CVE-2022-1292)
2193 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
2204 verifying an ocsp response with the "-no_cert_checks" option the command line
2209 ([CVE-2022-1343])
2213 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
2216 An attacker could exploit this issue by performing a man-in-the-middle attack
2220 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
2224 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
2231 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
2235 cannot decrypt data that has been encrypted using this ciphersuite - they can
2239 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
2245 1) OpenSSL must have been compiled with the (non-default) compile time option
2246 enable-weak-ssl-ciphers
2257 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
2259 (CVE-2022-1434)
2274 (CVE-2022-1473)
2288 for non-prime moduli.
2305 - TLS clients consuming server certificates
2306 - TLS servers consuming client certificates
2307 - Hosting providers taking certificates or private keys from customers
2308 - Certificate authorities parsing certification requests from subscribers
2309 - Anything else which parses ASN.1 elliptic curve parameters
2313 ([CVE-2022-0778])
2323 * Made the AES constant time code for no-asm configurations
2326 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2364 ([CVE-2021-4044])
2422 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
2428 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
2429 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
2430 SP 800-38D". The communication will fail at this point.
2440 beginning of a PEM-formatted file.
2460 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
2461 previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
2471 `--libdir=lib` to override the libdir if adding the postfix is
2493 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
2498 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
2499 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
2500 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
2517 * Client-initiated renegotiation is disabled by default. To allow it, use
2518 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
2528 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
2529 validated. Please consult the README-FIPS and
2530 README-PROVIDERS files, as well as the migration guide.
2640 RIPEMD-160 have been moved to the legacy provider.
2657 * A number of functions handling low-level keys or engines were deprecated
2668 - NID_pbeWithMD2AndDES_CBC
2669 - NID_pbeWithMD5AndDES_CBC
2670 - NID_pbeWithSHA1AndRC2_CBC
2671 - NID_pbeWithMD2AndRC2_CBC
2672 - NID_pbeWithMD5AndRC2_CBC
2673 - NID_pbeWithSHA1AndDES_CBC
2696 algorithms. This is enabled by including the no-cached-fetch option
2701 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
2706 * The openssl speed command does not use low-level API calls anymore.
2710 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
2715 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
2736 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
2754 * The default key generation method for the regular 2-prime RSA keys was
2755 changed to the FIPS 186-4 B.3.6 method.
2786 when using the `-check` or `-pubcheck`
2797 * The `-cipher-commands` and `-digest-commands` options
2799 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
2804 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
2809 * All of the low-level EC_KEY functions have been deprecated.
2824 * The `-crypt` option to the `passwd` command line tool has been removed.
2828 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
2853 * Added new option for 'openssl list', '-providers', which will display the
2884 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2886 TLS-based contexts. The commands can be repeated to set bounds of both
2888 "max_protocol" command-line switches, in case some application uses both TLS
2894 error. Now only the "version-flexible" SSL_CTX instances are subject to
2895 limits in configuration files or command-line options.
2914 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
2915 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
2933 a non-default `OSSL_LIB_CTX`.
2964 * Add CAdES-BES signature verification support, mostly derived
2969 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
2973 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
3046 [ATX headings]: https://github.github.com/gfm/#atx-headings
3047 [setext headings]: https://github.github.com/gfm/#setext-headings
3048 [inline links]: https://github.github.com/gfm/#inline-link
3049 [reference links]: https://github.github.com/gfm/#reference-link
3050 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
3051 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
3056 A new directory test-runs/ with subdirectories named like the
3063 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
3070 user-defined BIOs (allowing implicit connections), persistent connections,
3072 The legacy OCSP-focused (and only partly documented) API
3077 * Added `util/check-format.pl`, a tool for checking adherence to the
3090 * All of the low-level RSA functions have been deprecated.
3115 * All of the low-level DH functions have been deprecated.
3119 * All of the low-level DSA functions have been deprecated.
3128 * Deprecated low-level ECDH and ECDSA functions.
3147 * All of the low-level HMAC functions have been deprecated.
3152 - Common options (such as -rand/-writerand, TLS version control, etc)
3153 were refactored and point to newly-enhanced descriptions in openssl.pod.
3154 - Added style conformance for all options (with help from Richard Levitte),
3158 - Documented some internals, such as all use of environment variables.
3159 - Addressed all internal broken L<> references.
3163 * All of the low-level CMAC functions have been deprecated.
3167 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
3182 * All of the low-level cipher functions have been deprecated.
3208 used in exponentiation with 512-bit moduli. No EC algorithms are
3209 affected. Analysis suggests that attacks against 2-prime RSA1024,
3210 3-prime RSA1536, and DSA1024 as a result of this defect would be very
3214 Also applications directly using the low-level API BN_mod_exp may be
3216 ([CVE-2019-1551])
3220 * Most memory-debug features have been deprecated, and the functionality
3221 replaced with no-ops.
3262 * Change the interpretation of the '--api' configuration option to
3266 the given version, now requires that 'no-deprecated' is also used
3272 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
3280 -DOPENSSL_API_COMPAT=30000 For 3.0
3281 -DOPENSSL_API_COMPAT=30200 For 3.2
3284 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
3295 - X509_LOOKUP_store()
3296 - X509_STORE_load_file()
3297 - X509_STORE_load_path()
3298 - X509_STORE_load_store()
3299 - SSL_add_store_cert_subjects_to_stack()
3300 - SSL_CTX_set_default_verify_store()
3301 - SSL_CTX_load_verify_file()
3302 - SSL_CTX_load_verify_dir()
3303 - SSL_CTX_load_verify_store()
3308 The presence of this system service is determined at run-time.
3317 of application written for pre-3.0 OpenSSL easier.
3339 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
3377 * Added the `-copy_extensions` option to the `x509` command for use with
3378 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
3383 * Added the `-copy_extensions` option to the `req` command for use with
3384 `-x509`. When given with the `copy` or `copyall` argument,
3392 and for not self-signed certs there is an authorityKeyIdentifier extension
3401 (which may be done by using the CLI option `-x509_strict`):
3413 unless they are self-signed.
3423 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3439 ([CVE-2019-1547])
3453 The old behaviour can be re-enabled in the CMS code by setting the
3468 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
3471 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3473 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3479 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3508 * Enforce a minimum DH modulus size of 512 bits.
3523 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
3572 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
3581 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
3582 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
3583 for Windows Store apps easier. Also, the "no-uplink" option has been added.
3599 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
3614 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
3615 mandated by IEEE Std 1619-2018.
3646 'enable-buildtest-c++'.
3681 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
3694 * Fix a bug in the computation of the endpoint-pair shared secret used
3716 - Major releases (indicated by incrementing the MAJOR release number)
3718 - Minor releases (indicated by incrementing the MINOR release number)
3720 - Patch releases (indicated by incrementing the PATCH number)
3727 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
3737 * Recreate the OS390-Unix config target. It no longer relies on a
3738 special script like it did for OpenSSL pre-1.1.0.
3743 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
3773 * AES-XTS mode now enforces that its two keys are different to mitigate
3787 * Added new option for 'openssl list', '-objects', which will display the
3792 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
3798 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
3800 applications with zero-copy system calls such as sendfile and splice.
3832 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
3839 -------------
3869 again, but this time passing a non-NULL value for the "out" parameter.
3884 ([CVE-2021-3711])
3928 ([CVE-2021-3712])
3945 that non-CA certificates must not be able to issue other certificates.
3959 ([CVE-2021-3450])
3973 ([CVE-2021-3449])
3986 ([CVE-2021-23841])
3993 CVE-2021-23839.
4003 ([CVE-2021-23840])
4030 ([CVE-2020-1971])
4042 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
4044 TLS-based contexts. The commands can be repeated to set bounds of both
4046 "max_protocol" command-line switches, in case some application uses both TLS
4052 error. Now only the "version-flexible" SSL_CTX instances are subject to
4053 limits in configuration files or command-line options.
4073 ([CVE-2020-1967])
4077 * Added AES consttime code for no-asm configurations
4079 when building openssl for no-asm.
4080 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
4081 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
4097 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
4100 the 2-prime and 3-prime RSA modules were easy to distinguish, since
4102 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
4146 The presence of this system service is determined at run-time.
4169 ([CVE-2019-1549])
4173 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4189 ([CVE-2019-1547])
4203 The old behaviour can be re-enabled in the CMS code by setting the
4205 ([CVE-2019-1563])
4220 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
4231 ([CVE-2019-1552])
4267 'enable-buildtest-c++'.
4271 * Enable SHA3 pre-hashing for ECDSA and DSA.
4278 generation commands to use 2048 bits by default.
4284 util/fix-doc-nits accordingly.
4305 * Prevent over long nonces in ChaCha20-Poly1305.
4307 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4309 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
4328 applications that use this cipher directly and set a non-default nonce
4333 ([CVE-2019-1543])
4353 * Change the info callback signals for the start and end of a post-handshake
4374 ([CVE-2018-0734])
4385 ([CVE-2018-0735])
4413 * s390x assembly pack: add (improved) hardware-support for the following
4414 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
4415 aes-cfb/cfb8, aes-ecb.
4427 differential addition-and-doubling in homogeneous projective coordinates
4428 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
4429 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
4430 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
4437 For larger primes this will result in more rounds of Miller-Rabin.
4438 The maximal error rate for primes with more than 1080 bits is lowered
4439 to 2^-128.
4443 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
4455 length-invariant. Switch even to fixed-length Montgomery multiplication.
4461 differential addition-and-doubling in mixed Lopez-Dahab projective
4470 differential addition-and-doubling algorithms.
4482 * Numerous side-channel attack mitigations have been applied. This may have
4492 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
4494 multi-version installation is managed.
4502 EC cryptosystem implementations are then safer-by-default.
4526 Many applications do not properly handle non-application data records, and
4585 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
4639 in responder mode now supports the new "-multi" option, which
4641 requests. The "-timeout" option now also limits the OCSP
4646 as a long-running service, making the OpenSSL CA somewhat more
4647 feature-complete. In this mode, most diagnostic messages logged
4674 The default RAND method now utilizes an AES-CTR DRBG according to
4675 NIST standard SP 800-90Ar1. The new random generator is essentially
4678 using an AES-CTR bit stream and which seeds and reseeds itself
4682 - Support for multiple DRBG instances with seed chaining.
4683 - The default RAND method makes use of a DRBG.
4684 - There is a public and private DRBG instance.
4685 - The DRBG instances are fork-safe.
4686 - Keep all global DRBG instances on the secure heap if it is enabled.
4687 - The public and private DRBG instance are per thread for lock free
4723 * Add multi-prime RSA (RFC 8017) support.
4727 * Add SM3 implemented according to GB/T 32905-2016
4738 * Add SM4 implemented according to GB/T 32907-2016.
4743 * Reimplement -newreq-nodes and ERR_error_string_n; the
4777 To disable, configure with 'no-ui-console'. 'no-ui' is still
4794 * Add devcrypto engine. This has been implemented against cryptodev-linux,
4796 Enable by configuring with 'enable-devcryptoeng'. This is done by default
4830 * Ignore the '-named_curve auto' value for compatibility of applications
4836 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
4854 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
4863 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4881 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
4885 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
4902 default unless the new "-noservername" option is used. The server name is
4903 based on the host provided to the "-connect" option unless overridden by
4904 using "-servername".
4921 <https://www.akkadia.org/drepper/SHA-crypt.txt>
4939 -------------
4943 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4959 ([CVE-2019-1547])
4973 The old behaviour can be re-enabled in the CMS code by setting the
4975 ([CVE-2019-1563])
4983 ([CVE-2019-1552])
4992 generation commands to use 2048 bits by default.
4996 * Prevent over long nonces in ChaCha20-Poly1305.
4998 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
5000 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
5019 applications that use this cipher directly and set a non-default nonce
5024 ([CVE-2019-1543])
5059 ([CVE-2018-0734])
5070 ([CVE-2018-0735])
5091 ([CVE-2018-0732])
5104 ([CVE-2018-0737])
5115 length-invariant. Switch even to fixed-length Montgomery multiplication.
5121 For larger primes this will result in more rounds of Miller-Rabin.
5122 The maximal error rate for primes with more than 1080 bits is lowered
5123 to 2^-128.
5127 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5154 some characters, such as form-feed, were incorrectly treated as whitespace
5160 and use the "-binary" flag (for the "cms" command line application) or set
5175 This issue was reported to OpenSSL on 4th January 2018 by the OSS-Fuzz
5177 ([CVE-2018-0739])
5181 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
5183 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
5188 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
5192 ([CVE-2018-0733])
5208 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
5217 * Removed the OS390-Unix config target. It relied on a script that doesn't
5225 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5233 no longer an option since CVE-2016-0701.
5239 was originally found via the OSS-Fuzz project.
5240 ([CVE-2017-3738])
5263 This issue was reported to OpenSSL by the OSS-Fuzz project.
5264 ([CVE-2017-3736])
5271 OpenSSL could do a one-byte buffer overread. The most likely result
5274 This issue was reported to OpenSSL by the OSS-Fuzz project.
5275 ([CVE-2017-3735])
5281 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5286 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
5294 * Encrypt-Then-Mac renegotiation crash
5296 During a renegotiation handshake if the Encrypt-Then-Mac extension is
5297 negotiated where it was not in the original handshake (or vice-versa) then
5302 ([CVE-2017-3733])
5310 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5312 perform an out-of-bounds read, usually resulting in a crash.
5315 ([CVE-2017-3731])
5327 ([CVE-2017-3730])
5345 similar to CVE-2015-3193 but must be treated as a separate problem.
5347 This issue was reported to OpenSSL by the OSS-Fuzz project.
5348 ([CVE-2017-3732])
5354 * ChaCha20/Poly1305 heap-buffer-overflow
5356 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
5361 ([CVE-2016-7054])
5375 ([CVE-2016-7053])
5381 There is a carry propagating bug in the Broadwell-specific Montgomery
5383 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
5388 erroneous outcome of public-key operations with specially crafted input.
5389 Among EC algorithms only Brainpool P-512 curves are affected and one
5391 detail, because pre-requisites for attack are considered unlikely. Namely
5399 ([CVE-2016-7055])
5412 The patch applied to address CVE-2016-6307 resulted in an issue where if a
5422 ([CVE-2016-6309])
5436 the "no-ocsp" build time option are not affected.
5439 ([CVE-2016-6304])
5450 ([CVE-2016-6305])
5488 memory - which would then mean a more serious Denial of Service.
5491 (CVE-2016-6307 and CVE-2016-6308)
5495 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
5497 assemble our modules with -KPIC flag. As result it, assembly
5499 lack of side-channel resistant code, which is incompatible with
5507 * Windows command-line tool supports UTF-8 opt-in option for arguments
5510 with Windows CryptoAPI and protected with non-ASCII password, as well
5511 as files generated under UTF-8 locale on Linux also protected with
5512 non-ASCII password.
5516 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
5518 See the RC4 item below to re-enable both.
5538 no-ops and deprecated.
5543 calling CryptGenRandom(). Various other RAND-related tickets
5592 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
5598 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
5611 the "no-shared" Configure option.
5615 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
5621 * Make various cleanup routines no-ops and mark them as deprecated. Most
5623 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
5624 Explicitly de-initing can cause problems (e.g. where a library that uses
5625 OpenSSL de-inits, but an application is still using it). The affected
5633 * --strict-warnings no longer enables runtime debugging options
5635 enabled with '--debug' builds.
5663 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
5676 * Removed the aged BC-32 config and all its supporting scripts
5694 encryptions/decryptions simultaneously. There are currently no built-in
5704 AES128-CBC. The kernel must be version 4.1.0 or greater.
5709 set locking callbacks to use OpenSSL in a multi-threaded environment. There
5711 also possible to configure OpenSSL at compile time for "no-threads". The
5713 replaced with "no-op" compatibility macros.
5722 * Add SSL_CIPHER queries for authentication and key-exchange.
5727 - Prefer (EC)DHE handshakes over plain RSA.
5728 - Prefer AEAD ciphers over legacy ciphers.
5729 - Prefer ECDSA over RSA when both certificates are available.
5730 - Prefer TLSv1.2 ciphers/PRF.
5731 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
5742 disabled by default. They can be re-enabled using the
5743 enable-weak-ssl-ciphers option to Configure.
5757 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
5760 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
5767 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
5787 the configuration option "disable-dynamic-engine".
5792 with "disable-dso" or "disable-pic".
5807 If this isn't desirable, the configuration options "disable-pic"
5808 or "no-pic" can be used to disable the use of PIC. This will
5819 is for. Also, the configuration option --install_prefix is
5825 for DTLS; configure with enable-heartbeats. Code that uses the
5846 template in Configurations, like unix-Makefile.tmpl or
5859 * Added support for auto-initialisation and de-initialisation of the library.
5881 the leading 0-byte.
5893 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
5900 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
5933 --prefix and --openssldir change their semantics, and become more
5936 --prefix shall be used exclusively to give the location INSTALLTOP
5940 --openssldir shall be used exclusively to give the default
5945 values of both the --prefix value and the --openssldir value will
5947 The default for --openssldir is INSTALLTOP/ssl.
5949 Anyone who uses --openssldir to specify where OpenSSL is to be
5950 installed MUST change to use --prefix instead.
5962 * EGD is no longer supported by default; use enable-egd when
5986 example, be used to implement local end-entity certificate or
5987 trust-anchor "pinning", where the "pin" data takes the form
5996 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
6002 should be used with the --api=1.1.0 option to entirely remove
6005 Essentially the same effect can be achieved with the "no-deprecated"
6011 they should update their compile-time OPENSSL_API_COMPAT define
6077 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
6090 "-no_ecdhe" option has been removed from s_server.
6116 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
6151 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
6169 * Fix no-stdio build.
6188 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
6229 long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
6242 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
6260 code and the associated standard is no longer considered fit-for-purpose.
6287 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
6300 Access to deprecated functions can be re-enabled by running config with
6301 "enable-deprecated". In addition applications wishing to use deprecated
6310 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
6311 for OCB can be removed by calling config with no-ocb.
6320 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
6321 done while fixing the error code for the key-too-small case.
6323 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
6344 16-bit platforms such as WIN16
6349 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
6350 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
6351 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
6352 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
6353 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
6354 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
6358 - Remove MS_STATIC; it's a relic from platforms <32 bits.
6369 NULL. Remove the non-null checks from callers. Save much code.
6389 * Harmonize version and its documentation. -f flag is used to display
6409 preparing the fix ([CVE-2014-0160])
6414 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
6419 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
6428 * Experimental encrypt-then-mac support.
6431 draft-gutmann-tls-encrypt-then-mac-02.txt
6434 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
6436 For non-compliant peers (i.e. just about everything) this should have no
6450 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
6490 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
6514 FIPS 186-3 A.2.3.
6516 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
6542 information in FIPS186-3, SP800-57 and SP800-131A.
6578 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
6582 * Extensive self tests and health checking required by SP800-90 DRBG.
6597 leading zeroes if needed: this complies with SP800-56A et al.
6601 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
6619 * Add selftest checks and algorithm block of non-fips algorithms in
6630 * New build option no-ec2m to disable characteristic 2 code.
6645 * Initial, experimental EVP support for AES-GCM. AAD can be input by
6649 bytes (96 bits) but can be set to an alternative value. If the IV
6671 * Improve forward-security support: add functions
6692 * New -verify_name option in command line utilities to set verification
6702 * Experimental renegotiation in s_server -www mode. If the client
6710 multi-process servers.
6729 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
6735 * SSLv3 is by default disabled at build-time. Builds that are not
6736 configured with "enable-ssl3" will not support SSLv3.
6741 -------------
6745 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
6761 ([CVE-2019-1547])
6775 The old behaviour can be re-enabled in the CMS code by setting the
6777 ([CVE-2019-1563])
6784 binaries and run-time config file.
6785 ([CVE-2019-1552])
6794 generation commands to use 2048 bits by default.
6798 * Add FIPS support for Android Arm 64-bit
6800 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
6802 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
6803 built with FIPS support on Android Arm 64-bit. This omission has been
6810 * 0-byte record padding oracle
6820 In order for this to be exploitable "non-stitched" ciphersuites must be in
6829 ([CVE-2019-1559])
6849 ([CVE-2018-5407])
6860 ([CVE-2018-0734])
6881 ([CVE-2018-0732])
6894 ([CVE-2018-0737])
6905 length-invariant. Switch even to fixed-length Montgomery multiplication.
6911 For larger primes this will result in more rounds of Miller-Rabin.
6912 The maximal error rate for primes with more than 1080 bits is lowered
6913 to 2^-128.
6917 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
6947 This issue was reported to OpenSSL on 4th January 2018 by the OSS-Fuzz
6949 ([CVE-2018-0739])
6974 ([CVE-2017-3737])
6981 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
6989 no longer an option since CVE-2016-0701.
6995 was originally found via the OSS-Fuzz project.
6996 ([CVE-2017-3738])
7019 This issue was reported to OpenSSL by the OSS-Fuzz project.
7020 ([CVE-2017-3736])
7027 OpenSSL could do a one-byte buffer overread. The most likely result
7030 This issue was reported to OpenSSL by the OSS-Fuzz project.
7036 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
7045 If one side of an SSL/TLS path is running on a 32-bit host and a specific
7047 perform an out-of-bounds read, usually resulting in a crash.
7050 ([CVE-2017-3731])
7068 similar to CVE-2015-3193 but must be treated as a separate problem.
7070 This issue was reported to OpenSSL by the OSS-Fuzz project.
7071 ([CVE-2017-3732])
7077 There is a carry propagating bug in the Broadwell-specific Montgomery
7079 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
7084 erroneous outcome of public-key operations with specially crafted input.
7085 Among EC algorithms only Brainpool P-512 curves are affected and one
7087 detail, because pre-requisites for attack are considered unlikely. Namely
7095 ([CVE-2016-7055])
7115 ([CVE-2016-7052])
7129 the "no-ocsp" build time option are not affected.
7132 ([CVE-2016-6304])
7141 ([CVE-2016-2183])
7157 ([CVE-2016-6303])
7171 ([CVE-2016-6302])
7184 ([CVE-2016-2182])
7196 ([CVE-2016-2180])
7222 ([CVE-2016-2177])
7230 implementation means that a non-constant time codepath is followed for
7231 certain operations. This has been demonstrated through a cache-timing
7237 ([CVE-2016-2178])
7243 In a DTLS connection where handshake messages are delivered out-of-order
7255 ([CVE-2016-2179])
7270 ([CVE-2016-2181])
7286 ([CVE-2016-6306])
7292 * Prevent padding oracle in AES-NI CBC MAC check
7296 AES-NI.
7299 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7305 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7324 ([CVE-2016-2105])
7348 ([CVE-2016-2106])
7364 ([CVE-2016-2109])
7375 ([CVE-2016-2176])
7389 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7397 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7403 is by default disabled at build-time. Builds that are not configured with
7404 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7405 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7413 explicitly uses the version-specific SSLv2_method() or its client and
7415 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7416 ciphers, and SSLv2 56-bit DES are no longer available.
7417 ([CVE-2016-0800])
7421 * Fix a double-free in DSA code
7430 ([CVE-2016-0705])
7450 ([CVE-2016-0798])
7475 ([CVE-2016-0797])
7496 functions when printing out human-readable dumps of ASN.1 data. Therefore
7507 ([CVE-2016-0799])
7513 A side-channel attack was found which makes use of cache-bank conflicts on
7514 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7517 hyper-threaded core as the victim thread which is performing decryptions.
7523 ([CVE-2016-0702])
7527 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
7530 commands to use 2048 bits by default.
7564 ([CVE-2016-0701])
7577 ([CVE-2015-3197])
7599 ([CVE-2015-3193])
7615 ([CVE-2015-3194])
7628 ([CVE-2015-3195])
7681 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7682 ([CVE-2015-1788])
7686 * Exploitable out-of-bounds read in X509_cmp_time
7702 ([CVE-2015-1789])
7709 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7717 ([CVE-2015-1790])
7728 ([CVE-2015-1792])
7734 If a NewSessionTicket is received by a multi-threaded client when attempting to
7737 ([CVE-2015-1791])
7741 * Only support 256-bit or stronger elliptic curves with the
7743 curves, prefer P-256 (both).
7757 ([CVE-2015-0291])
7767 using non-blocking IO. Typically, when the user application is using a
7773 ([CVE-2015-0290])
7790 ([CVE-2015-0207])
7802 ([CVE-2015-0286])
7817 ([CVE-2015-0208])
7831 ([CVE-2015-0287])
7838 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7846 ([CVE-2015-0289])
7854 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7858 ([CVE-2015-0293])
7867 ([CVE-2015-1787])
7875 - The client is on a platform where the PRNG has not been seeded
7877 - A protocol specific client method version has been used (i.e. not
7879 - A ciphersuite is used that does not require additional random data from
7880 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
7889 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
7890 ([CVE-2015-0285])
7905 ([CVE-2015-0209])
7915 ([CVE-2015-0288])
7930 near-optimal performance even on newer platforms.
7934 * Accelerated NIST P-256 elliptic curve implementation for x86_64
7946 bogus results, with non-infinity inputs mapped to infinity too.)
7957 * Add support for little-endian ppc64 Linux target.
7964 Both 32- and 64-bit modes are supported.
7985 implementations, AESNI-SHA256 and GCM, and multi-buffer support
8025 * Add -rev test option to s_server to just reverse order of characters
8031 * New option -brief for s_client and s_server to print out a brief summary
8040 * New option -crl_download in several openssl utilities to download CRLs
8045 * New options -CRL and -CRLform for s_client and s_server for CRLs.
8081 "enable-ssl-trace". New options to s_client and s_server to enable
8223 * Initial experimental support for explicitly trusted non-root CAs.
8226 setting is used: whether to trust (e.g., -addtrust option to the x509
8231 * Add -trusted_first option which attempts to find certificates in the
8241 * Support for linux-x32, ILP32 environment in x86_64 framework.
8245 * Experimental multi-implementation support for FIPS capable OpenSSL.
8291 between NIDs and the more common NIST names such as "P-256". Enhance
8311 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
8313 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
8318 -------------
8330 the "no-ocsp" build time option are not affected.
8333 ([CVE-2016-6304])
8342 ([CVE-2016-2183])
8358 ([CVE-2016-6303])
8372 ([CVE-2016-6302])
8385 ([CVE-2016-2182])
8397 ([CVE-2016-2180])
8423 ([CVE-2016-2177])
8431 implementation means that a non-constant time codepath is followed for
8432 certain operations. This has been demonstrated through a cache-timing
8438 ([CVE-2016-2178])
8444 In a DTLS connection where handshake messages are delivered out-of-order
8456 ([CVE-2016-2179])
8471 ([CVE-2016-2181])
8487 ([CVE-2016-6306])
8493 * Prevent padding oracle in AES-NI CBC MAC check
8497 AES-NI.
8500 attack ([CVE-2013-0169]). The padding check was rewritten to be in
8506 This issue was reported by Juraj Somorovsky using TLS-Attacker.
8507 ([CVE-2016-2107])
8526 ([CVE-2016-2105])
8550 ([CVE-2016-2106])
8566 ([CVE-2016-2109])
8577 ([CVE-2016-2176])
8591 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
8599 Builds that are not configured with "enable-weak-ssl-ciphers" will not
8605 is by default disabled at build-time. Builds that are not configured with
8606 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
8607 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
8615 explicitly uses the version-specific SSLv2_method() or its client and
8617 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
8618 ciphers, and SSLv2 56-bit DES are no longer available.
8619 ([CVE-2016-0800])
8623 * Fix a double-free in DSA code
8632 ([CVE-2016-0705])
8652 ([CVE-2016-0798])
8677 ([CVE-2016-0797])
8698 functions when printing out human-readable dumps of ASN.1 data. Therefore
8709 ([CVE-2016-0799])
8715 A side-channel attack was found which makes use of cache-bank conflicts on
8716 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
8719 hyper-threaded core as the victim thread which is performing decryptions.
8725 ([CVE-2016-0702])
8729 * Change the req command to generate a 2048-bit RSA/DSA key by default,
8732 commands to use 2048 bits by default.
8755 ([CVE-2015-3197])
8759 * Reject DH handshakes with parameters shorter than 1024 bits.
8777 ([CVE-2015-3194])
8790 ([CVE-2015-3195])
8819 ([CVE-2015-1793])
8825 If PSK identity hints are received by a multi-threaded client then
8829 ([CVE-2015-3196])
8852 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8853 ([CVE-2015-1788])
8857 * Exploitable out-of-bounds read in X509_cmp_time
8873 ([CVE-2015-1789])
8880 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8888 ([CVE-2015-1790])
8899 ([CVE-2015-1792])
8905 If a NewSessionTicket is received by a multi-threaded client when attempting to
8908 ([CVE-2015-1791])
8912 * Reject DH handshakes with parameters shorter than 768 bits.
8916 * dhparam: generate 2048-bit parameters by default.
8930 ([CVE-2015-0286])
8944 ([CVE-2015-0287])
8951 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8959 ([CVE-2015-0289])
8967 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8971 ([CVE-2015-0293])
8986 ([CVE-2015-0209])
8996 ([CVE-2015-0288])
9016 ([CVE-2014-3571])
9026 ([CVE-2015-0206])
9030 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
9031 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
9034 ([CVE-2014-3569])
9043 ([CVE-2014-3572])
9047 * Remove non-export ephemeral RSA code on client and server. This code
9049 non-export ciphersuites and could be used by a server to effectively
9053 ([CVE-2015-0204])
9065 ([CVE-2015-0205])
9079 By using non-DER or invalid encodings outside the signed portion of a
9085 1. Reject signatures with non zero unused bits.
9087 If the BIT STRING containing the signature has non zero unused bits reject
9088 the signature. All current signature algorithms require zero unused bits.
9100 Re-encode DSA/ECDSA signatures and compare with the original received
9111 ([CVE-2014-8275])
9123 ([CVE-2014-3570])
9140 * Tighten client-side session ticket handling during renegotiation:
9165 ([CVE-2014-3513])
9177 ([CVE-2014-3567])
9181 * Build option no-ssl3 is incomplete.
9183 When OpenSSL is configured with "no-ssl3" as a build option, servers
9186 ([CVE-2014-3568])
9193 ([CVE-2014-3566])
9199 Re-encode DigestInfo in DER and check against the original when
9215 ([CVE-2014-3512])
9221 is badly fragmented. This allows a man-in-the-middle attacker to force a
9227 ([CVE-2014-3511])
9238 ([CVE-2014-3510])
9245 ([CVE-2014-3507])
9253 ([CVE-2014-3506])
9260 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
9262 ([CVE-2014-3505])
9272 ([CVE-2014-3509])
9283 ([CVE-2014-5139])
9293 ([CVE-2014-3508])
9299 bogus results, with non-infinity inputs mapped to infinity too.)
9310 researching this issue. ([CVE-2014-0224])
9318 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
9319 ([CVE-2014-0221])
9328 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
9336 this issue. ([CVE-2014-3470])
9340 * Harmonize version and its documentation. -f flag is used to display
9362 preparing the fix ([CVE-2014-0160])
9367 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
9372 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
9376 * TLS pad extension: draft-agl-tls-padding-03
9390 ([CVE-2013-4353])
9394 to be resent. ([CVE-2013-6450])
9399 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
9401 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
9409 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
9426 ([CVE-2013-0169])
9435 ([CVE-2012-2686])
9440 This fixes a DoS attack. ([CVE-2013-0166])
9469 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9471 ([CVE-2012-2333])
9518 ([CVE-2012-2110])
9522 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
9534 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
9570 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9574 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9582 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
9583 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
9584 - x86_64: bit-sliced AES implementation;
9585 - ARM: NEON support, contemporary platforms optimizations;
9586 - s390x: z196 support;
9587 - `*`: GHASH and GF(2^m) multiplication implementations;
9591 * Make TLS-SRP code conformant with RFC 5054 API cleanup
9600 * Add DTLS-SRTP negotiation from RFC 5764.
9605 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
9606 disabled with a no-npn flag to config or Configure. Code donated
9611 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
9612 NIST-P256, NIST-P521, with constant-time single point multiplication on
9614 required to use this (present in gcc 4.4 and later, for 64-bit builds).
9617 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
9637 * New -sigopt option to the ca, req and x509 utilities. Additional
9650 New function ASN1_item_sign_ctx() signs a pre-initialised
9689 * Session-handling fixes:
9690 - Fix handling of connections that are resuming with a session ID,
9692 - Fix a bug that suppressed issuing of a new ticket if the client
9694 - Try to set the ticket lifetime hint to something reasonable.
9695 - Make tickets shorter by excluding irrelevant information.
9696 - On the client side, don't ignore renewed tickets.
9704 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
9732 switch between FIPS and non-FIPS modes.
9738 keep original code iff non-FIPS operations are allowed.
9742 * Add -attime option to openssl utilities.
9755 * New build option no-ec2m to disable characteristic 2 code.
9759 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
9769 * Add similar low-level API blocking to ciphers.
9773 * low-level digest APIs are not approved in FIPS mode: any attempt
9802 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
9861 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9871 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
9885 -------------
9898 ([CVE-2015-3195])
9904 If PSK identity hints are received by a multi-threaded client then
9908 ([CVE-2015-3196])
9925 This issue was reported to OpenSSL by Joseph Barr-Pixton.
9926 ([CVE-2015-1788])
9930 * Exploitable out-of-bounds read in X509_cmp_time
9946 ([CVE-2015-1789])
9953 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
9961 ([CVE-2015-1790])
9972 ([CVE-2015-1792])
9978 If a NewSessionTicket is received by a multi-threaded client when attempting to
9981 ([CVE-2015-1791])
9995 ([CVE-2015-0286])
10009 ([CVE-2015-0287])
10016 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
10024 ([CVE-2015-0289])
10032 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
10036 ([CVE-2015-0293])
10051 ([CVE-2015-0209])
10061 ([CVE-2015-0288])
10081 ([CVE-2014-3571])
10091 ([CVE-2015-0206])
10095 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
10096 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
10099 ([CVE-2014-3569])
10108 ([CVE-2014-3572])
10112 * Remove non-export ephemeral RSA code on client and server. This code
10114 non-export ciphersuites and could be used by a server to effectively
10118 ([CVE-2015-0204])
10130 ([CVE-2015-0205])
10142 ([CVE-2014-3570])
10148 By using non-DER or invalid encodings outside the signed portion of a
10154 1. Reject signatures with non zero unused bits.
10156 If the BIT STRING containing the signature has non zero unused bits reject
10157 the signature. All current signature algorithms require zero unused bits.
10169 Re-encode DSA/ECDSA signatures and compare with the original received
10180 ([CVE-2014-8275])
10194 ([CVE-2014-3567])
10198 * Build option no-ssl3 is incomplete.
10200 When OpenSSL is configured with "no-ssl3" as a build option, servers
10203 ([CVE-2014-3568])
10210 ([CVE-2014-3566])
10216 Re-encode DigestInfo in DER and check against the original when
10233 ([CVE-2014-3510])
10240 ([CVE-2014-3507])
10248 ([CVE-2014-3506])
10255 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
10257 ([CVE-2014-3505])
10267 ([CVE-2014-3509])
10277 ([CVE-2014-3508])
10283 bogus results, with non-infinity inputs mapped to infinity too.)
10294 researching this issue. ([CVE-2014-0224])
10302 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
10303 ([CVE-2014-0221])
10312 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
10320 this issue. ([CVE-2014-3470])
10324 * Harmonize version and its documentation. -f flag is used to display
10339 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
10344 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
10352 to be resent. ([CVE-2013-6450])
10357 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
10359 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
10377 ([CVE-2013-0169])
10382 This fixes a DoS attack. ([CVE-2013-0166])
10406 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
10408 ([CVE-2012-2333])
10425 ([CVE-2012-2110])
10435 old behaviour can be re-enabled in the CMS code by setting the
10439 this issue. ([CVE-2012-0884])
10443 * Fix CVE-2011-4619: make sure we really are receiving a
10451 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
10454 preparing a fix. ([CVE-2012-0050])
10470 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
10471 for preparing the fix. ([CVE-2011-4108])
10476 ([CVE-2011-4576])
10482 Adam Langley for preparing the fix. ([CVE-2011-4619])
10486 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
10492 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
10500 * Fix ssl_ciph.c set-up race.
10524 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
10531 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
10536 for multi-threaded use of ECDH. ([CVE-2011-3210])
10558 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
10572 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
10576 * Fixed J-PAKE implementation error, originally discovered by
10578 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
10586 be shared by multiple threads. CVE-2010-3864
10598 ([CVE-2010-1633])
10600 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
10614 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
10669 *Michael Tuexen <tuexen@fh-muenster.de>*
10708 openssl dgst -sha256 foo
10741 * Add session ticket override functionality for use by EAP-FAST.
10750 * Type-checked OBJ_bsearch_ex.
10754 * Type-checked OBJ_bsearch. Also some constification necessitated
10755 by type-checking. Still to come: TXT_DB, bsearch(?),
10834 * To cater for systems that provide a pointer-based thread ID rather
10841 as a pointer-based thread ID to distinguish between threads.
10854 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
10876 * Revamp of STACK to provide stronger type-checking. Still to come:
10887 * Revamp of LHASH to provide stronger type-checking. Still to come:
10906 files from Configure script, currently only included in VC-WIN32.
10927 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
10933 -DTLSEXT_TYPE_opaque_prf_input=0x9527
10944 an internal copy of the length-'len' string at 'src', and will
10945 return non-zero for success.
10963 has to return non-zero to report success: usually 1 to use opaque
11023 * Add option -stream to use PKCS#7 streaming in smime utility. New
11032 ENGINE support for HMAC keys which are unextractable. New -mac and
11033 -macopt options to dgst utility.
11037 * New option -sigopt to dgst utility. Update dgst to use
11046 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
11054 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
11079 "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
11080 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
11082 away into the non-exported interface ssl/ssl_locl.h, so this
11084 affect applications.) This give us more bits for each of these
11100 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
11111 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
11134 -verify_return_error to s_client and s_server. This causes real errors
11177 * Non-blocking OCSP request processing. Add -timeout option to ocsp
11203 list-message-digest-algorithms and list-cipher-algorithms.
11208 of degrees of non-zero coefficients is now terminated with -1.
11234 kECDHr - ECDH cert, signed with RSA
11235 kECDHe - ECDH cert, signed with ECDSA
11236 kECDH - ECDH cert (signed with either RSA or ECDSA)
11237 kEECDH - ephemeral ECDH
11238 ECDH - ECDH cert or ephemeral ECDH
11240 aECDH - ECDH cert
11241 aECDSA - ECDSA cert
11242 ECDSA - ECDSA cert
11244 AECDH - anonymous ECDH
11245 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
11271 * New -resign option to smime utility. This adds one or more signers
11272 to an existing PKCS#7 signedData structure. Also -md option to use an
11283 * New -macalg option to pkcs12 utility to allow setting of an alternative
11386 "list-public-key-algorithms" to print out info.
11391 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11414 De-spaghettify the public key ASN1 handling. Move public and private
11423 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11432 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
11433 PSK-AES256-CBC-SHA
11465 - SSL_CTX_set_tlsext_servername_callback()
11467 - SSL_CTX_set_tlsext_servername_arg()
11468 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
11470 openssl s_client has a new '-servername ...' option.
11472 openssl s_server has new options '-servername_host ...', '-cert2 ...',
11473 '-key2 ...', '-servername_fatal' (subject to change). This allows
11474 testing the HostName extension for a specific single hostname ('-cert'
11475 and '-key' remain fallbacks for handshakes without HostName
11477 default is a warning; it becomes fatal with the '-servername_fatal'
11486 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
11490 implementations, between 32- and 64-bit builds without hassle.
11503 "64-bit" performance on certain 32-bit targets.
11514 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
11562 -------------
11567 update s->server with a new major version number. As of
11568 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
11569 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
11572 protection is active. ([CVE-2010-0740])
11576 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
11583 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
11603 This should be fine since flushing with no data to flush is a no op.
11617 This results in significant per-connection memory leaks and
11618 has caused some security issues including CVE-2008-1678 and
11619 CVE-2009-4355.
11661 * Implement RFC5746. Re-enable renegotiation but require the extension
11672 servername handling. Use a non-zero length session ID when attempting
11687 * Add --strict-warnings option to Configure script to include devteam
11692 * Add support for --libdir option and LIBDIR variable in makefiles. This
11723 it used to have an ad-hoc builder which was unable to cope with anything
11731 with non-FIPS digests are now usable in FIPS mode.
11742 buffered. ([CVE-2009-1378])
11752 ([CVE-2009-1377])
11756 * Keep a copy of frag->msg_header.frag_len so it can be used after the
11757 parent structure is freed. ([CVE-2009-1379])
11761 * Handle non-blocking I/O properly in SSL_shutdown() call.
11763 *Darryl Miles <darryl-mailinglists@netbauds.net>*
11771 * Disable renegotiation completely - this fixes a severe security
11772 problem ([CVE-2009-3555]) at the cost of breaking all
11773 renegotiation. Renegotiation can be re-enabled by setting
11774 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
11775 run-time. This is really not recommended unless you know what
11784 zeroing past the valid field. ([CVE-2009-0789])
11790 appear to verify correctly. ([CVE-2009-0591])
11796 a legal length. ([CVE-2009-0590])
11816 * New -hex option for openssl rand.
11837 ([CVE-2008-5077]).
11855 * Tweak Configure so that you need to say "experimental-jpake" to enable
11856 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
11873 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
11884 ChangeCipherSpec as first record ([CVE-2009-1386]).
11894 double-checked locking was incomplete for RSA blinding,
11896 doubly unsafe triple-checked locking.
11905 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
11907 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
11911 - Change bn_nist.c so that it will properly handle input BIGNUMs
11914 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
11919 * Allow engines to be "soft loaded" - i.e. optionally don't die if
11928 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
11940 Not compiled unless enable-capieng specified to Configure.
11957 Codenomicon TLS test suite ([CVE-2008-1672])
11962 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
11986 the 'db' section contains nothing but zeroes (there is a one-byte
11991 * Partial backport from 0.9.9-dev:
11995 While 0.9.9-dev uses assembler for various architectures, only
11997 32-bit x86 is available through a compile-time setting.
11999 To try the 32-bit x86 assembler implementation, use Configure
12000 option "enable-montasm" (which exists only for this backport).
12002 As "enable-montasm" for 32-bit x86 disclaims code stability
12004 backported from 0.9.9-dev for further performance improvements,
12006 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
12017 * Reverse ENGINE-internal logic for caching default ENGINE handles.
12024 'uptodate' flag is reset so that auto-discovery will be used next
12041 with the enable-cms configuration option.
12078 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
12079 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
12080 - added some more tests to do_tests.pl
12081 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
12082 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
12083 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
12084 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
12085 - various changes to netware.pl to enable gcc-cross builds on Win32
12087 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
12088 - various changes to fix missing prototype warnings
12089 - fixed x86nasm.pl to create correct asm files for NASM COFF output
12090 - added AES, WHIRLPOOL and CPUID assembler code to build files
12091 - added missing AES assembler make rules to mk1mf.pl
12092 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
12108 + DTLS interoperation with non-compliant servers
12120 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
12123 This update even addresses CVE-2007-4995.
12172 - SSL_CTX_set_tlsext_servername_callback()
12174 - SSL_CTX_set_tlsext_servername_arg()
12175 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
12177 openssl s_client has a new '-servername ...' option.
12179 openssl s_server has new options '-servername_host ...', '-cert2 ...',
12180 '-key2 ...', '-servername_fatal' (subject to change). This allows
12181 testing the HostName extension for a specific single hostname ('-cert'
12182 and '-key' remain fallbacks for handshakes without HostName
12184 default is a warning; it becomes fatal with the '-servername_fatal'
12210 * Add the Korean symmetric 128-bit cipher SEED (see
12214 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
12215 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
12216 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
12217 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
12221 is configured with 'enable-seed'.
12229 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
12233 respectively, which are slower, but avoid the security-relevant
12248 constant-time implementations for more than just exponentiation.
12265 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
12276 authentication-only ciphersuites.
12280 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
12282 ([CVE-2007-5135]) [Ben Laurie]
12297 prevent the removal of trailing zero bits to get the proper DER
12299 of a NamedBitList, for which trailing 0 bits need to be removed.)
12324 *Goetz Babin-Ebell*
12329 cause a denial of service. ([CVE-2006-2940])
12334 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12337 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12340 malicious SSLv2 server. ([CVE-2006-4343])
12345 match only those. Before that, "AES256-SHA" would be interpreted
12346 as a pattern and match "AES128-SHA" too (since AES128-SHA got
12350 "RC4-MD5" that intentionally matched multiple ciphersuites --
12357 Thus, "RC4-MD5" again will properly select both the SSL 2.0
12362 The proper fix will be to use different bits for AES128 and
12364 however, bits are scarce, so we can only do this in a new release
12374 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12389 However, please upgrade to OpenSSL 0.9.9[-dev] for
12390 non-experimental use of the ECC ciphersuites to get TLS extension
12398 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12399 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12400 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12403 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12407 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12413 dual-core machines) and other potential thread-safety issues.
12417 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
12418 versions), which is now available for royalty-free use
12424 is configured with 'enable-camellia'.
12448 * Update support for ECC-based TLS ciphersuites according to
12449 draft-ietf-tls-ecc-12.txt with proposed changes (but without
12464 Static zlib linking now works on Windows and the new --with-zlib-include
12465 --with-zlib-lib options to Configure can be used to supply the location
12492 countermeasure against man-in-the-middle protocol-version
12494 idea. ([CVE-2005-2969])
12509 * Avoid some small subgroup attacks in Diffie-Hellman.
12513 * Add functions for well-known primes.
12550 * Add -utf8 command line and config file option to 'ca'.
12560 involves renaming the source and generated shared-libs for
12569 use it. Make -CSP option work again in pkcs12 utility.
12574 - automatic re-creation of the BN_BLINDING parameters after
12576 - add new function for parameter creation
12577 - introduce flags to control the update behaviour of the
12579 - hide BN_BLINDING structure
12600 * Use SHA-1 instead of MD5 as the default digest algorithm for
12605 * Compile clean with "-Wall -Wmissing-prototypes
12606 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
12612 The new counterpiece to "no-xxx" is "enable-xxx".
12615 "enable-rc5" and "enable-mdc2", respectively, are specified.
12619 fee for non-commercial use. As before, "no-idea" can be used to
12626 EGEE (Enabling Grids for E-science in Europe).
12631 as Intel P4, IA-64 and AMD64.
12635 * New utility extract-section.pl. This can be used specify an alternative
12646 * New arguments -certform, -keyform and -pass for s_client and s_server
12671 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
12687 moved from CA.pl to the 'ca' utility with a new option -create_serial.
12692 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
12700 give fewer recursive includes, which could break lazy source code - so
12704 backwards-compatible behaviour prevails when this isn't defined.
12741 static array of bignums, BN_CTX now uses a linked-list of such arrays
12777 * BN_CTX_get() should return zero-valued bignums, providing the same
12810 * Because of the callback-based approach for implementing LHASH as a
12811 template type, lh_insert() adds opaque objects to hash-tables and
12814 (and losing the object pointers). So some over-zealous constifications in
12828 aren't necessarily the greatest nomenclatures - but this is what was used
12835 the self-tests were still using deprecated key-generation functions so
12856 modulus operations are not performed. The (pre-generated) prime
12858 re-generated on some platforms because of the "division by zero"
12863 * Update support for ECC-based TLS ciphersuites according to
12864 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
12865 SHA-1 now is only used for "small" curves (where the
12879 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
12891 to certificate and key stores, be they simple file-based stores, or
12892 HSM-type store, or LDAP stores, or...
12905 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
12913 searched-for key would be inserted to preserve sorting order.
12934 * Make it possible to create self-signed certificates with 'openssl ca'
12935 in such a way that the self-signed certificate becomes part of the
12937 as all other certificate signing. The new flag '-selfsign' enables
12944 request can be signed by that key (self-signing).
12957 * Generate multi-valued AVAs using '+' notation in config files for
12975 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
13004 * Add full support for -rpath/-R, both in shared libraries and
13034 ./config -DOPENSSL_USE_GMP -lgmp
13039 testing availability of engines with "-t" - the old behaviour is
13040 produced by increasing the feature's verbosity with "-tt".
13051 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
13058 * Change the "progress" mechanism used in key-generation and
13064 migrate to the new functions. Also, the new key-generation API
13065 functions operate on a caller-supplied key-structure and return
13066 success/failure rather than returning a key or NULL - this is to
13080 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
13089 draft-ietf-tls-compression-04.txt.
13099 -- at least one of the pair shall be present -- }
13120 to avoid the need to access 'a->neg' directly in applications.
13124 * Implement fast modular reduction for pseudo-Mersenne primes
13145 the usual use of --prefix and/or --openssldir, and at run
13161 files while avoiding the low-level API.
13165 algorithm NIDs can be set to -1 for no encryption, the mac
13168 Enhance pkcs12 utility by making the -nokeys and -nocerts
13169 options work when creating a PKCS#12 file. New option -nomac
13172 instead of the low-level API.
13188 * Let 'openssl req' fail if an argument to '-newkey' is not
13193 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
13295 decreasing elements giving the indices of those bits that are set;
13329 functionality is disabled at compile-time.
13336 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
13337 mode the content of non-printable OCTET STRINGs is output in a
13350 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
13352 - Points are encoded in uncompressed form by default; options for
13401 EC_METHOD) that verifies that the curve discriminant is non-zero.
13416 - 'openssl req' now has a '-newkey ecdsa:file' option;
13417 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
13418 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
13422 - ECDSA engine support has been added.
13458 authentication-only ciphersuites.
13502 cause a denial of service. ([CVE-2006-2940])
13507 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
13510 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
13513 malicious SSLv2 server. ([CVE-2006-4343])
13518 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
13519 will no longer include "AES128-SHA"), and any other similar
13521 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
13530 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
13540 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
13541 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
13542 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
13545 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
13549 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
13555 dual-core machines) and other potential thread-safety issues.
13570 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
13582 safely run with a non-FIPSed libcrypto, as it may crash because of
13591 countermeasure against man-in-the-middle protocol-version
13593 idea. ([CVE-2005-2969])
13605 the exponentiation using a fixed-length exponent. (Otherwise,
13612 * Make a new fixed-window mod_exp implementation the default for
13613 RSA, DSA, and DH private-key operations so that the sequence of
13616 cache-timing and potential related attacks.
13635 * Add support for smime-type MIME parameter in S/MIME messages which some
13672 they must be explicitly allowed in run-time. See
13679 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
13681 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
13714 * Back-port of selected performance improvements from development
13724 * Add new -passin argument to dgst.
13729 this is needed for some certificates that re-encode DNs into UTF8Strings
13740 - if there is an unhandled critical extension (unless the user
13742 - if the path length has been exceeded (if one is set at all)
13743 - that certain extensions fit the associated purpose (if one has
13770 certificate is created using 'openssl req -x509'. The initial serial
13771 number file is created using 'openssl x509 -next_serial' in CA.pl
13778 * Fix null-pointer assignment in do_change_cipher_spec() revealed
13779 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
13784 ([CVE-2004-0112])
13834 invalid tags (CVE-2003-0543 and CVE-2003-0544).
13836 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
13843 * New -ignore_err option in ocsp application to stop the server
13861 when it's 512 *bits* long, not 512 bytes.
13889 * Countermeasure against the Klima-Pokorny-Rosa extension of
13899 They would be ill-advised to do so in most cases.
13905 an unpredictable seed -- if it is not unpredictable, there
13906 is no point in blinding anyway). Make RSA blinding thread-safe
13907 by remembering the creator's thread ID in rsa->blinding and
13908 having all other threads use local one-time blinding factors
13909 (this requires more computation than sharing rsa->blinding, but
13933 between bad padding and a MAC verification error. ([CVE-2003-0078])
13939 * Make the no-err option work as intended. The intention with no-err
13947 used by default when no-err is given.
14007 * IA-32 assembler support enhancements: unified ELF targets, support
14013 FreeBSD on non-x86 processors is separate from x86 processors on
14062 warnings and a request that patches get sent to openssl-dev.
14066 * Add the VC-CE target, introduce the WINCE sysname, and add
14071 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
14072 cygssl-x.y.z.dll, where x, y and z are the major, minor and
14082 * Avoid using fixed-size buffers for one-line DNs.
14141 * Add assertions to prevent user-supplied crypto functions from
14159 * Fix off-by-one error in EGD path.
14189 Remote buffer overflow in SSL3 protocol - an attacker could
14190 supply an oversized master key in Kerberos-enabled versions.
14191 ([CVE-2002-0657])
14199 * Make -nameopt work fully for req and add -reqopt switch.
14201 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
14215 which may be activated as a side-effect of selecting a single cipher.
14223 * Add appropriate support for separate platform-dependent build
14224 directories. The recommended way to make a platform-dependent
14231 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
14232 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
14233 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
14234 mkdir -p `dirname $F`
14235 ln -s $OPENSSL_SOURCE/$F $F
14249 *Götz Babin-Ebell <babinebell@trustcenter.de>*
14251 * Improve diagnostics in file reading and command-line digests.
14256 error in AES-CFB decryption.
14275 * Fix escaping of non-ASCII characters when using the -subj option
14286 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
14299 * Fix the 'app_verify_callback' interface so that the user-defined
14307 i=s->ctx->app_verify_callback(&ctx)
14309 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
14330 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
14342 the same as the utility itself: that is the -config
14373 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
14382 * Add the configuration target debug-linux-ppro.
14394 * Add -keyform to rsautl, and document -engine.
14447 (up to about 10% better than before for P-192 and P-224).
14471 SSL object, and 'arg' is the application-defined value set by
14474 'openssl s_client' and 'openssl s_server' have new '-msg' options
14505 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
14506 runs for the former and machine-readable output for the latter.
14510 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
14511 of the e-mail address in the DN (i.e., it will go into a certificate
14590 support for symmetric ciphers and digest implementations - so ENGINEs
14595 API changes worth noting - some RSA, DSA, DH, and RAND functions that
14597 reverted back - the hooking from this code to ENGINE is now a good
14598 deal more passive and at run-time, operations deal directly with
14601 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
14637 more bits available for options that should not be part of
14652 * Add support for shared libraries for Unixware-7
14666 makes them more flexible to be built both as statically-linked ENGINEs
14667 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
14668 Also, add stub code to each that makes building them as self-contained
14669 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
14675 self-contained shared-libraries. The "dynamic" ENGINE exposes control
14676 commands that can be used to configure what shared-library to load and
14678 the [README-Engine.md](README-Engine.md) file
14679 that brings its information up-to-date and
14681 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
14710 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
14711 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14716 thread-safety problems that existed, and (b) makes it possible to clean
14842 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
14849 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
14860 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
14861 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
14862 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
14864 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
14865 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
14866 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
14869 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
14871 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
14875 * Added the OS2-EMX target.
14894 * Change all calls to low-level digest routines in the library and
14911 dialog box interfaces, application-defined prompts, the possibility
14918 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
15004 per-structure level rather than having to store it globally.
15016 by ENGINE_by_id() normally, when it is incremented on the pre-existing
15028 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
15030 - executing control commands from command line arguments using the
15031 '-pre' and '-post' switches. '-post' is only used if '-t' is
15033 the individual commands are colon-separated, for example;
15034 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
15040 and input types for run-time discovery by calling applications. A
15043 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
15052 OpenSSL-based application. Commands have been added to all the
15053 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
15054 control over shared-library paths without source code alterations.
15068 should already have non-const pointers to it (ie. they should only
15074 - "atalla" and "ubsec" string definitions were moved from header files
15076 rather than hard-coded - allowing parameterisation of these values
15078 - Removed unused "#if 0"'d code.
15079 - Fixed engine list iteration code so it uses ENGINE_free() to release
15081 - Constified the RAND_METHOD element of ENGINE structures.
15082 - Constified various get/set functions as appropriate and added
15083 missing functions (including a catch-all ENGINE_cpy that duplicates
15085 - Removed NULL parameter checks in get/set functions. Setting a method
15089 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
15091 - Changed prototypes for ENGINE handler functions (init(), finish(),
15092 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
15098 used only if the modulus is odd. On 32-bit systems, it is faster
15099 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
15100 roughly 5-15% for 256-bit moduli), so we use it only for moduli
15101 up to 450 bits. In 64-bit environments, the binary algorithm
15103 for moduli up to 2048 bits.
15150 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
15166 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
15172 change the def and num file printf format specifier from "%-40sXXX"
15173 to "%-39s XXX". The latter will always guarantee a space after the
15220 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
15227 Add options '-batch' and '-verbose' to 'openssl req'.
15287 checked. Two new options -validity_period and -status_age added to
15321 can be useful for session caching in multiple-server environments. A
15322 command-line switch for testing this (and any client code that wishes
15337 sure e_os2.h will cover all platform-specific cases together with
15339 Additionally, it is now possible to define configuration/platform-
15343 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
15348 * New option -set_serial to 'req' and 'x509' this allows the serial
15375 port and path components: primarily to parse OCSP URLs. New -url
15386 the request is nonce-less.
15392 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
15421 * Add the option -VAfile to 'openssl ocsp', so the user can give the
15493 is initialised to -1 but X509_time_adj() now has to check the value
15539 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
15542 the '-extensions ...' option may be used for specifying the
15555 `openssl ca -status <serial>` prints the status of the cert with
15557 `openssl ca -updatedb` updates the expiry status of certificates
15562 * New '-newreq-nodes' command option to CA.pl. This is like
15563 '-newreq', but calls 'openssl req' with the '-nodes' option
15578 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
15579 value of OPENSSLDIR. This is available via the new '-d' option
15580 to 'openssl version', and is also included in 'openssl version -a'.
15607 There should no longer be any prototype-casting required when using
15618 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
15627 (select timeout) and read in non-blocking mode. DEVRANDOM now
15632 For VMS, there's a currently-empty rand_vms.c.
15751 problems: As the program is single-threaded, all we have
15760 during TLS/SSL handshakes so that thread-safety is essential.
15762 for multi-threaded use, so it probably should be abolished.
15816 * Fix BN_uadd and BN_usub: Always return non-negative results instead
15821 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
15828 that provide type-safety and avoid function pointer casting for the
15829 type-specific callbacks.
15849 (using the probabilistic Tonelli-Shanks algorithm unless
15853 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15857 512 bits], about 30% for larger ones [1024 or 2048 bits].)
15896 * Change BN_mod_mul so that the result is always non-negative.
15918 These functions always generate non-negative results.
15927 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15929 <!--
15943 -->
15946 unless the '-salt' option is used (which usually means that
15949 or the new '-noverify' option is used.
15952 non-interactive use of 'openssl passwd' (passwords on the command
15953 line, '-stdin' option, '-in ...' option) and thus should not
15970 casts back to non-const were required (to be solved at a later
15992 are built-in in OpenSSL shall ever be used or not. The benefit is
16046 * Rework the filename-translation in the DSO code. It is now possible to
16053 * Support threads on FreeBSD-elf in Configure.
16102 * Fix null-pointer assignment in do_change_cipher_spec() revealed
16103 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
16112 certain ASN.1 tags ([CVE-2003-0851])
16121 invalid tags (CVE-2003-0543 and CVE-2003-0544).
16141 when it's 512 *bits* long, not 512 bytes.
16147 * Countermeasure against the Klima-Pokorny-Rosa extension of
16157 They would be ill-advised to do so in most cases.
16163 an unpredictable seed -- if it is not unpredictable, there
16164 is no point in blinding anyway). Make RSA blinding thread-safe
16165 by remembering the creator's thread ID in rsa->blinding and
16166 having all other threads use local one-time blinding factors
16167 (this requires more computation than sharing rsa->blinding, but
16179 between bad padding and a MAC verification error. ([CVE-2003-0078])
16197 because the session->cipher setting was not restored when reloading
16205 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
16207 *Zeev Lieber <zeev-l@yahoo.com>*
16230 the bitwise-OR of the two for use by the majority of applications
16233 changing anyway, so this is more a bug-fix than a behavioural
16238 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
16255 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
16267 * [In 0.9.6g-engine release:]
16276 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
16312 implementations is desired (e.g. '-bugs' option to 's_client' and
16323 F30602-01-2-0537.
16328 supplied buffer. ([CVE-2002-0659])
16338 too small for 64 bit platforms. ([CVE-2002-0655])
16339 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
16341 * Remote buffer overflow in SSL3 protocol - an attacker could
16342 supply an oversized session ID to a client. ([CVE-2002-0656])
16346 * Remote buffer overflow in SSL2 protocol - an attacker could
16347 supply an oversized client master key. ([CVE-2002-0656])
16354 encoded as NULL) with id-dsa-with-sha1.
16363 an end-of-file condition would erroneously be flagged, when the CRLF
16366 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
16382 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
16385 processing was enabled when in fact s->s3->in_read_app_data was
16398 * Fix DH_generate_parameters() so that it works for 'non-standard'
16405 a generator of the order-q subgroup is just as good, if not
16416 returning non-zero before the data has been completely received
16417 when using non-blocking I/O.
16453 * [In 0.9.6d-engine release:]
16458 * Add the configuration target linux-s390x.
16460 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
16466 invocations of ssl3_accept when using non-blocking I/O, the
16471 To avoid this problem, we now set s->new_session to 2 instead of
16476 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
16490 type, we must throw them away by setting rr->length to 0.
16499 `3*range` is two bits longer than range.)
16508 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
16510 Also some ip-pda OIDs in crypto/objects/objects.txt were
16520 * [In 0.9.6c-engine release:]
16525 * [In 0.9.6c-engine release:]
16533 rearranged (all '-L' options must appear before the first object
16538 * [In 0.9.6c-engine release:]
16544 * [In 0.9.6c-engine release:]
16550 * [In 0.9.6c-engine release:]
16561 messages are stored in a single piece (fixed-length part and
16562 variable-length part combined) and fix various bugs found on the way.
16583 never resets s->method to s->ctx->method when called from within
16632 * Add OpenUNIX-8 support including shared libraries
16649 * Rabin-Miller test analyses assume uniformly distributed witnesses,
16681 configuration target "alpha-cc-rpath", which will never be selected
16693 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
16714 dh->length and always used
16716 BN_rand_range(priv_key, dh->p).
16718 BN_rand_range() is not necessary for Diffie-Hellman, and this
16719 specific range makes Diffie-Hellman unnecessarily inefficient if
16720 dh->length (recommended exponent length) is much smaller than the
16721 length of dh->p. We could use BN_rand_range() if the order of
16723 dh->length.
16729 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
16747 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
16762 *Albert Chin-A-Young <china@thewrittenword.com>*
16764 * Add configuration option to build on Linux on both big-endian and
16765 little-endian MIPS.
16767 *Ralf Baechle <ralf@uni-koblenz.de>*
16769 * Add the possibility to create shared libraries on HP-UX.
16777 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
16780 'md' followed by enough consecutive 1-byte PRNG requests
16791 Markku-Juhani's attack. (Actually it had never occurred
16793 half from which PRNG output bytes were taken -- I had always
16836 when fixing the server behaviour for backwards-compatible 'client
16840 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
16896 * Change bctest again: '-x' expressions are not available in all
16916 If SEQUENCE length is indefinite, just set c->slen to the total
16923 * Change bctest to avoid here-documents inside command substitution
16936 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
16938 Computations, J. Cryptology 14 (2001) 2, 101-119,
17005 due to incorrect handling of multi-threading:
17013 inband-signalling in the previous code (which relied on the
17018 * Add "-rand" option also to s_client and s_server.
17023 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
17041 Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
17042 to be set and top=0 forces the highest bit to be set; top=-1 is new
17047 * In the `NCONF_...`-based implementations for `CONF_...` queries
17103 * Fix 'openssl passwd -1'.
17114 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
17124 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
17131 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
17167 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
17175 releases, have been re-implemented by renaming the previous
17186 the method-specific "init()" handler. Also clean up ex_data after
17187 calling the method-specific "finish()" handler. Previously, this was
17206 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
17210 - Make note of the expected extension for the shared libraries and
17215 - Make as few rebuilds of the shared libraries as possible.
17217 - Still avoid linking the OpenSSL programs with the shared libraries.
17219 - When installing, install the shared libraries separately from the
17283 in a record-oriented fashion. That means that every write() will
17294 Currently, it's a VMS-only method, because that's where it has
17302 but it was in 0.9.6-beta[12].)
17328 documentation and run-time libraries. The devel package contains
17337 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17343 * Don't set the two most significant bits to one when generating a
17460 In BIO_puts, increment b->num_write as in BIO_write.
17477 used for low-level RSA operations. DER public key
17484 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
17486 * A demo state-machine implementation was sponsored by
17562 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
17584 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
17589 In s23_clnt.c, don't use special rollback-attack detection padding
17655 * New options to smime application. -inform and -outform
17657 PEM and DER. The -content option allows the content to be
17682 - New object identifiers are inserted in objects.txt, following
17684 - objects.pl is used to process obj_mac.num and create a new
17686 - obj_dat.pl is used to create a new obj_dat.h, using the data in
17698 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
17702 * Addition of the command line parameter '-rand file' to 'openssl req'.
17744 an -sgckey command line option to the rsa utility. Thanks to
17746 algorithm to openssl-dev.
17763 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
17768 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5
17794 * The type-safe stack code has been rejigged. It is now only compiled
17796 by default all type-specific stack functions are "#define"d back to
17798 but retains the type-safety checking possibilities of the original
17806 map type-safe stack functions onto their plain stack counterparts.
17820 of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
17846 for CFB and OFB modes they zero ctx->num.
17872 i.e. non-zero for export ciphersuites, zero otherwise.
17890 Added -fingerprint option to crl utility, to support new c_rehash
17895 * Eliminate non-ANSI declarations in crypto.h and stack.h.
17932 * Bugfix for linux-elf makefile.one.
17992 * Add '-tls1' option to 'openssl ciphers', which was already
18000 OpenSSL-based applications) load shared libraries and bind to
18012 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
18013 to '-clrext' (= clear extensions), as intended and documented.
18031 *Ulf Möller, using the problem description in krb4-0.9.7, where
18040 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
18042 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
18047 the 'no-cipher' compilation switches can be tested this way.
18049 ('openssl no-XXX' is not able to detect pseudo-commands such
18050 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
18054 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
18062 to parameters -- in previous versions (since OpenSSL 0.9.3) the
18068 * New s_client option -ign_eof: EOF at stdin is ignored, and
18070 This is part of what -quiet does; unlike -quiet, -ign_eof
18107 * Add '-dsaparam' option to 'openssl dhparam' application. This
18114 by 'openssl dhparam -C'.
18140 * New 'rand' application for creating pseudo-random output.
18154 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
18167 * In bntest.c don't call BN_rand with zero bits argument.
18214 or -rand.
18246 sections with information on -D... compiler switches used for
18248 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
18296 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
18300 * Add -rand argument to smime and pkcs12 applications and read/write
18314 bits.
18327 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0`).
18356 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
18360 * Use a less unusual form of the Miller-Rabin primality test (it used
18361 a binary algorithm for exponentiation integrated into the Miller-Rabin
18383 using 50 iterations of the Rabin-Miller test.
18386 iterations of the Rabin-Miller test as required by the appendix
18387 to FIPS PUB 186[-1]) instead of DSA_is_prime.
18393 for each positive witness in the Rabin-Miller test, not just
18398 function with an 'iteration count' of -1, meaning that a
18400 from an application-provided seed, trial division is skipped).
18405 division before starting the Rabin-Miller test and has
18408 'callback(1, -1, cb_arg)' is called when a number has passed the
18418 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
18440 by stat(). RAND_load_file(..., -1) is new and uses the complete file
18457 Rabin-Miller iterations.
18461 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
18483 cipher-strength (using the strength_bits hard coded in the tables).
18486 Fix a bug in the cipher-command parser: when supplying a cipher command
18488 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
18491 Due to the strength-sorting extension, the code of the
18493 the readability was also increased :-)
18495 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
18497 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
18540 * Do more iterations of Rabin-Miller probable prime test (specifically,
18541 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
18544 false-positive rate of at most 2^-80 for random input.
18566 -nomaciter option is used. This improves file security and
18571 * Honor the no-xxx Configure options when creating .DEF files.
18620 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
18628 $PATH. Just exploiting of the BWX extension results in 20-30%
18858 -fingerprint and -x509toreq options. Also -x509toreq choked if a
18886 Two new options to the verify program: -untrusted allows a set of
18887 untrusted certificates to be passed in and -purpose which sets the
18919 Added a -pubkey option to the 'x509' utility to output the public key.
18958 openssl verify -CAfile ss.pem ss.pem
18966 but an application-provided verification callback (set by
18968 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
18970 ssl->verify_result to the appropriate error code to avoid
18979 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
18983 -S option to allow a salt to be input on the command line.
19013 the string plus current file name and line number to a per-thread
19016 Also updated memory leak detection code to be multi-thread-safe.
19020 * Add options -text and -noout to pkcs7 utility and delete the
19036 * Fix the -revoke option in ca. It was freeing up memory twice,
19061 with non-optimised assembler. Even so, this now gives around 95%
19067 handling. Most clients have the effective key size in bits equal to
19068 the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
19072 be 40 bits but the key length can be 168 bits for example. This is fixed
19081 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
19084 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
19100 - Assure unique random numbers after fork().
19101 - Make sure that concurrent threads access the global counter and
19115 dsaparam -genkey (which also ignored its '-rand' option),
19124 of each file listed in the '-rand' option. The function as previously
19126 that support '-rand'.
19159 verification. Also added a -purpose flag to x509 utility to
19176 * RC4 tune-up featuring 30-40% performance improvement on most RISC
19181 * New -noout option to asn1parse. This causes no output to be produced
19182 its main use is when combined with -strparse and -out to extract data
19192 * New option -dhparam in s_server. This allows a DH parameter file to be
19199 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
19201 openssl rsa -in key.pem -pubout -out pubkey.pem
19242 working at all :-) A dedicated Windows application might handle this
19259 * Add new -verify -CAfile and -CApath options to the crl program, these
19268 * Initialize all non-automatic variables each time one of the openssl
19269 sub-programs is started (this is necessary as they may be started
19282 * Non-copying interface to BIO pairs.
19317 <madwolf@comune.modena.it>. The new option is called -extensions
19318 and can be applied to ca, req and x509. Also -reqexts to override
19319 the request extensions in req and -crlexts to override the crl extensions
19334 config file. They can be printed out with the -text option to req but
19357 library. Also added low-level modexp hooks and CRYPTO_EX structure and
19377 an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
19403 * -crlf option to s_client and s_server for sending newlines as
19418 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
19427 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
19430 much more efficient (160-bit exponentiation instead of 1024-bit
19446 * Allow the -k option to be used more than once in the enc program:
19493 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
19497 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
19518 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
19525 * New function RSA_check_key and new openssl rsa option -check
19564 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
19573 to disable memory-checking temporarily.
19578 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
19582 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
19584 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
19606 * Fix problems with no-hmac etc.
19627 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
19647 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
19658 Whoever hopes to achieve shared-library compatibility across versions
19659 must use this, not the compile-time macro.
19662 Note: All this applies only to multi-threaded programs, others don't
19667 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
19720 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
19730 Changing the behaviour of the former might break existing programs --
19736 fails, it needs to cause bc to give a non-zero result or make test carries
19749 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
19754 * Instead of "mkdir -p", which is not fully portable, use new
19755 Perl script "util/mkdir-p.pl".
19785 * "linux-sparc64" configuration (ultrapenguin).
19788 "linux-sparc" configuration.
19790 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
19792 * config now generates no-xxx options for missing ciphers.
19801 * Support BS2000/OSD-POSIX.
19817 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
19823 * New configuration variant "sco5-gcc".
19846 * SHA library changes for irix64-mips4-cc.
19914 * New option -out to asn1parse to allow the parsed structure to be
19915 output to a file. This is most useful when combined with the -strparse
19920 * Make SSL library a little more fool-proof by not requiring any longer
19924 intended anyway -- now it really works as intended).
19932 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
19933 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
19934 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
19945 various ways (and thus what used to be known as ctx->default_cert
19946 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
19947 any longer when s->cert does not give us what we need).
19950 we have solved a couple of bugs of the earlier code where s->cert
19960 that holds per-session data (if available); currently, this is
19988 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
19989 without disallowing inline assembler and the like for non-pedantic builds.
20001 * SHA-1 cleanups and performance enhancements.
20009 * Accept any -xxx and +xxx compiler options in Configure.
20024 DER-encoded.)
20029 x509_vfy.c had what can be considered an off-by-one-error:
20057 * New Configure options "threads" and "no-threads". For systems
20068 $(INSTALLTOP)/bin -- they shouldn't clutter directories
20073 * "make linux-shared" to build shared libraries.
20077 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
20095 * New Configure options --prefix=DIR and --openssldir=DIR.
20116 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
20134 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
20212 * Don't auto-generate pem.h.
20216 * Introduce type-safe ASN.1 SETs.
20220 * Convert various additional casted stacks to type-safe STACK_OF() variants.
20224 * Introduce type-safe STACKs. This will almost certainly break lots of code
20232 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
20235 revoking a certificate. The -revoke option does the gory details now.
20239 * Fix `openssl crl -noout -text` combination where `-noout` killed the
20240 `-text` option at all and this way the `-noout -text` combination was
20252 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
20256 `openssl list-cipher-commands` is used.
20294 * New "-showcerts" option for s_client.
20335 * Make sure the RSA OAEP test is skipped under -DRSAref because
20341 so they no longer are missing under -DNOPROTO.
20371 * Make rsa_oaep_test return non-zero on error.
20376 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
20406 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
20418 * DES quad checksum was broken on big-endian architectures. Fixed.
20446 fine under Unix and passes some trivial tests I've now added. But the
20479 pre-configured entry in Configure's %table under key `<id>` with value
20481 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
20482 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
20483 now, which overrides the FreeBSD-elf entry on-the-fly.
20491 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
20498 * Remarkably, export ciphers were totally broken and no-one had noticed!
20504 questions now is the OpenSSL core team under openssl-core@openssl.org.
20505 And add a paragraph about the dual-license situation to make sure people
20561 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
20572 This means that Apache-SSL and similar packages don't have to mess around
20584 * Get rid of remaining C++-style comments which strict C compilers hate.
20595 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
20597 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
20607 non-public-API function ssl_cert_instantiate() is used as a helper
20612 * Move s_server -dcert and -dkey options out of the undocumented feature
20618 * Fix the cipher decision scheme for export ciphers: the export bits are
20635 * Don't hard-code path to Perl interpreter on shebang line of Configure
20636 script. Instead use the usual Shell->Perl transition trick.
20640 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
20642 -noout -modulus` as it's already the case for `openssl rsa -noout
20643 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
20645 `openssl dsa -modulus` in the past) which serves a similar purpose.
20646 Additionally the NO_RSA no longer completely removes the whole -modulus
20652 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
20669 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
20670 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
20700 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
20731 *Lars Weber <3weber@informatik.uni-hamburg.de>*
20784 - ported BN stuff to OpenSSL's different BN library
20785 - made the perl/ source tree CVS-aware
20786 - renamed the package from SSLeay to OpenSSL (the files still contain
20788 - removed obsolete files (the test scripts will be replaced
20800 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
20808 what that's for :-) Fix to ASN1 macro which messed up
20835 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
20837 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
20843 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
20872 and add a sample to openssl.cnf so req -x509 now adds appropriate
20897 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
20902 * Spelling mistake in C version of CAST-128.
20906 * Changes to the error generation code. The perl script err-code.pl
20913 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
20918 * CAST-128 was incorrectly implemented for short keys. The C version has
20920 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
20922 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
20999 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
21001 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
21003 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
21035 * Make sure the already existing X509_STORE->depth variable is initialized
21059 BIT STRING wrapper always have zero unused bits.
21067 * Make the top-level INSTALL documentation easier to understand.
21071 * Makefiles updated to exit if an error occurs in a sub-directory
21086 * Enhanced the err-ins.pl script so it makes the error library number
21123 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
21131 ncr-scde
21132 unixware-2.0
21133 unixware-2.0-pentium
21134 sco5-cc.
21147 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
21154 * Some fixups to the top-level documents.
21158 * Fixed the nasty bug where rsaref.h was not found under compile-time
21163 * Incorporated the popular no-RSA/DSA-only patches
21164 which allow to compile an RSA-free SSLeay.
21168 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
21186 * Recompiled the error-definition header files and added
21191 * Cleaned up the top-level documents;
21241 * Add -strparse option to asn1pars program which parses nested
21254 * Added "-genkey" option to "dsaparam" program.
21262 * Added -a (all) option to "ssleay version" command.
21351 <!-- Links -->
21353 [CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
21354 [CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
21355 [CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
21356 [CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
21357 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
21358 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
21359 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
21360 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
21361 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
21362 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
21363 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
21364 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
21365 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
21366 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
21367 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
21368 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
21369 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
21370 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
21371 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
21372 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
21373 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
21374 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
21375 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
21376 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
21377 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
21378 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
21379 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
21380 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
21381 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
21382 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
21383 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
21384 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
21385 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
21386 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
21387 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
21388 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
21389 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
21390 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
21391 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
21392 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
21393 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
21394 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
21395 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
21396 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
21397 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
21398 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
21399 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
21400 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
21401 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
21402 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
21403 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
21404 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
21405 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
21406 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
21407 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
21408 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
21409 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
21410 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
21411 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
21412 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
21413 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
21414 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
21415 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
21416 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
21417 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
21418 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
21419 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
21420 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
21421 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
21422 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
21423 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
21424 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
21425 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
21426 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations