Lines Matching +full:int +full:- +full:clock +full:- +full:stable +full:- +full:broken
4 This is a detailed breakdown of significant changes. For a high-level overview
13 ----------------
15 - [OpenSSL 3.5](#openssl-35)
16 - [OpenSSL 3.4](#openssl-34)
17 - [OpenSSL 3.3](#openssl-33)
18 - [OpenSSL 3.2](#openssl-32)
19 - [OpenSSL 3.1](#openssl-31)
20 - [OpenSSL 3.0](#openssl-30)
21 - [OpenSSL 1.1.1](#openssl-111)
22 - [OpenSSL 1.1.0](#openssl-110)
23 - [OpenSSL 1.0.2](#openssl-102)
24 - [OpenSSL 1.0.1](#openssl-101)
25 - [OpenSSL 1.0.0](#openssl-100)
26 - [OpenSSL 0.9.x](#openssl-09x)
29 -----------
33 * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
36 password based encryption can trigger an out-of-bounds read and write.
38 Impact summary: This out-of-bounds read may trigger a crash which leads to
39 Denial of Service for an application. The out-of-bounds write can cause
41 a Denial of Service or Execution of attacker-supplied code.
45 ([CVE-2025-9230])
49 * Fix Timing side-channel in SM2 algorithm on 64 bit ARM
51 Issue summary: A timing side-channel which could potentially allow remote
55 Impact summary: A timing side-channel in SM2 signature computations on
60 ([CVE-2025-9231])
64 * Fix Out-of-bounds read in HTTP client no_proxy handling
67 may trigger an out-of-bounds read if the "no_proxy" environment variable is
71 Impact summary: An out-of-bounds read can trigger a crash which leads to
76 ([CVE-2025-9232])
82 on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
86 * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
108 on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
127 operation to add a missing check that the caller-indicated output buffer
134 RSA public encryption into a buffer that is too small, an out-of-bounds
139 * Added FIPS 140-3 PCT on DH key generation.
150 This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
158 Issue summary: Use of -addreject option with the openssl x509 application adds
164 ([CVE-2025-4575])
189 Examples of such schemes are ED25519 or ML-DSA.
193 * The TLS Signature algorithms defaults now include all three ML-DSA variants as
198 * Added a `no-tls-deprecated-ec` configuration option.
200 The `no-tls-deprecated-ec` option disables support for TLS elliptic curve
203 compiled in, but, as before, they are not included in the default run-time
206 With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at
212 * Added new API to enable 0-RTT for 3rd party QUIC stacks.
225 * Add SLH-DSA as specified in FIPS 205.
229 * ML-KEM as specified in FIPS 203.
234 TLS hybrid key post-quantum/classical key agreement schemes.
238 * Add ML-DSA as specified in FIPS 204.
258 replace the ad-hoc byte arrays that are pervasive throughout the library.
275 server-side key exchange group selection.
277 Extend the server-side key exchange group selection algorithm and related
279 (hybrid-)KEMs.
291 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
292 form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)`
303 * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
305 available groups to the default selection. The '-' prefix allows the calling
308 *Frederik Wedel-Heinen*
311 from `des-ede3-cbc` to `aes-256-cbc`.
313 AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
330 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
331 longer required) when using `-digest` or when signing or verifying with an
333 The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
355 configuration option `enable-fips-jitter`.
371 currently no built-in ciphers that support pipelining. This new API replaces
380 …However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/et…
384 The new `-no_signing_time` option of the `cms` command enables this flag.
388 * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for
392 times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`)
397 * VAES/AVX-512 support for AES-XTS.
400 vectorized implementation of AES-XTS with a throughput improvement
412 every 4 input bytes. Such behaviour could cause writes to a non-allocated
417 in the initial non-encoded message.
427 * Added a new CLI option `-provparam` and API functions for setting of
441 * Added a build configuration option `enable-sslkeylog` for enabling support
452 -----------
470 ([CVE-2024-12797])
474 * Fixed timing side-channel in ECDSA signature computation.
479 the NIST P-521 curve is affected. To be able to measure this leak, the
483 ([CVE-2024-13176])
505 RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
527 FIPS 140-3 requires indicators to be used if the FIPS provider allows
528 non-approved algorithms. An algorithm is approved if it passes all
539 Note that new FIPS 140-3 restrictions have been enforced such as
546 *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
583 with registry keys. See NOTES-WINDOWS.md.
587 * Added options `-not_before` and `-not_after` for explicit setting
590 `-startdate` and `-enddate` options.
599 * SHAKE-128 and SHAKE-256 implementations have no default digest length
621 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
629 with the respective CLI options `-template`,
630 `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`.
645 public API. There is no command-line tool support at this time.
647 *Damian Hobson-Garcia*
650 option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
658 which are Y2038-safe.
663 precomputed values. This is used by the P-256 implementation.
668 -----------
672 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
675 Use of the low-level GF(2^m) elliptic curve APIs with untrusted
676 explicit values for the field polynomial can lead to out-of-bounds memory
684 ([CVE-2024-9143])
698 ([CVE-2024-6119])
708 ([CVE-2024-5535])
733 ([CVE-2024-4741])
750 ([CVE-2024-4603])
764 * The `-verify` option to the `openssl crl` and `openssl req` will make
771 error of -1 once it is exhausted. Users may need to reserve using this
785 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
804 OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
816 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
817 override the Issuer and Subject when creating a certificate. The `-subj`
818 option now is an alias for `-set_subject`.
822 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
833 - `certProfile` request message header and respective `-profile` CLI option
834 - support for delayed delivery of all types of response messages
840 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
853 server to prefer session resumption using PSK-only key exchange over PSK
858 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
872 The qlog output from OpenSSL currently uses a pre-standard draft version of
876 disabled with the build-time option `no-unstable-qlog`. See the
877 openssl-qlog(7) manpage for details.
894 non-blocking manner. Refer to the SSL_poll(3) manpage for details.
911 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
916 X509_STORE_get0_objects API in multi-threaded applications. Refer to the
925 * Optimized AES-CTR for ARM Neoverse V1 and V2
929 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
939 * Various optimizations for cryptographic routines using RISC-V vector crypto
955 -----------
959 * Fixed an issue where some non-default TLS server configurations can cause
964 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
966 anti-replay protection is in use). In this case, under certain conditions,
973 ([CVE-2024-2511])
1000 ([CVE-2024-0727])
1017 with the "-pubin" and "-check" options on untrusted data.
1022 ([CVE-2023-6237])
1027 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
1040 be various - from no consequences, if the calling application does not
1041 depend on the contents of non-volatile XMM registers at all, to the worst
1048 ([CVE-2023-6129])
1053 `no-apps`.
1069 ([CVE-2023-5678])
1082 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
1083 and the corresponding provider-storemgmt API function
1088 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
1115 libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
1130 speed of the NIST P-384 elliptic curve. To enable the implementation
1131 the build option `enable-ec_nistp_64_gcc_128` must be used.
1158 * Provide a new configure option `no-http` that can be used to disable the
1159 HTTP support. Provide new configure options `no-apps` and `no-docs` to
1164 * Provide a new configure option `no-ecx` that can be used to disable the
1180 * TLS round-trip time calculation was added by a Brigham Young University
1187 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
1188 QUIC requires the use of ALPN, so this must be specified via the "-alpn"
1189 option. Use of the "advanced" s_client command via the "-adv" option
1194 * Added an "advanced" command mode to s_client. Use this with the "-adv"
1198 escaping mechanism. After starting s_client with "-adv" type "{help}"
1216 * Added further assembler code for the RISC-V architecture.
1225 * Improved support for non-default library contexts and property queries
1242 * Implemented SM4-XTS support.
1246 * Added platform-agnostic OSSL_sleep() function.
1254 * Implemented AES-GCM-SIV (RFC8452) support.
1258 * Added support for pluggable (provider-based) TLS signature algorithms.
1262 for example suitable providers to deliver post-quantum or quantum-safe
1267 * Added support for pluggable (provider-based) CMS signature algorithms.
1329 SSL_get0_iana_groups() function-like macro, retrieves the list of
1332 a caller-supplied array with the list of extension types present in the
1342 * The PKCS12_parse() function now supports MAC-less PKCS12 files.
1349 *Arran Cudbard-Bell*
1385 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
1396 The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
1410 as well as the `-srvcertout` and `-serial` CLI options.
1432 * Fixed and extended `util/check-format.pl` for checking adherence to the
1433 coding style <https://www.openssl.org/policies/technical/coding-style.html>.
1438 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
1454 compile-time option `no-winstore`. This store is not currently used by
1462 has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
1468 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
1481 * New parameter `-digest` for openssl cms command allowing signing
1482 pre-computed digests and new CMS API functions supporting that
1494 decryption as a protection against Bleichenbacher-like attacks.
1498 issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
1505 * Added support for Brainpool curves in TLS-1.3.
1519 -----------
1525 that alter the key or IV length ([CVE-2023-5363]).
1534 does not save the contents of non-volatile XMM registers on Windows 64
1538 x86_64 processors supporting the AVX512-IFMA instructions.
1541 be various - from no consequences, if the calling application does not
1542 depend on the contents of non-volatile XMM registers at all, to the worst
1549 ([CVE-2023-4807])
1558 fixing CVE-2023-3446 it was discovered that a large q parameter value can
1568 ([CVE-2023-3817])
1587 ([CVE-2023-3446])
1591 * Do not ignore empty associated data entries with AES-SIV.
1593 The AES-SIV algorithm allows for authentication of multiple associated
1597 The AES-SIV implementation in OpenSSL just returns success for such call
1599 The empty data thus will not be authenticated. ([CVE-2023-2975])
1604 applications that use empty associated data entries with AES-SIV.
1611 * When building with the `enable-fips` option and using the resulting
1613 master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
1614 not operate with truncated digests (FIPS 140-3 IG G.R).
1621 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
1624 numeric text form. For gigantic sub-identifiers, this would take a very
1626 sub-identifier. ([CVE-2023-2650])
1634 most 128 sub-identifiers, and that the maximum value that each sub-
1635 identifier may have is 2^32-1 (4294967295 decimal).
1637 For each byte of every sub-identifier, only the 7 lower bits are part of
1646 *Liu-ErMeng*
1648 * Added a -pedantic option to fipsinstall that adjusts the various
1654 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
1656 trigger a crash of an application using AES-XTS decryption if the memory
1659 ([CVE-2023-1255])
1663 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
1665 a severe 2-3x performance regression in the typical use case
1675 truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
1676 The option '-no_drbg_truncated_digests' can optionally be
1684 ([CVE-2023-0466])
1693 ([CVE-2023-0465])
1698 against CVE-2023-0464. The default limit is set to 1000 nodes, which
1703 ([CVE-2023-0464])
1711 The option '-ems_check' can optionally be supplied to
1716 * The FIPS provider includes a few non-approved algorithms for
1741 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
1749 * Parallel dual-prime 1536/2048-bit modular exponentiation for
1761 `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
1771 * When generating safe-prime DH parameters set the recommended private key
1776 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
1778 FIPS 186-4 section 5. This is implemented by a new option
1779 `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
1786 -----------
1806 ([CVE-2023-0401])
1829 ([CVE-2023-0286])
1844 security requirements imposed by standards such as FIPS 140-3.
1845 ([CVE-2023-0217])
1859 ([CVE-2023-0216])
1863 * Fixed Use-after-free following BIO_new_NDEF.
1878 then a use-after-free will occur. This will most likely result in a crash.
1879 ([CVE-2023-0215])
1904 ([CVE-2022-4450])
1915 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
1916 ([CVE-2022-4304])
1928 ([CVE-2022-4203])
1940 ([CVE-2022-3996])
1950 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
1977 ([CVE-2022-3786])
1980 attacker-controlled bytes on the stack. This buffer overflow could
1983 ([CVE-2022-3602])
2043 ([CVE-2022-3358])
2052 * Fixed the linux-mips64 Configure target which was missing the
2067 * Fixed detection of ktls support in cross-compile environment on Linux
2103 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
2104 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
2105 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
2128 ([CVE-2022-2274])
2132 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
2140 ([CVE-2022-2097])
2147 CVE-2022-1292, further bugs where the c_rehash script does not
2151 When the CVE-2022-1292 was fixed it was not discovered that there
2161 (CVE-2022-2068)
2172 * Case insensitive string comparison is reimplemented via new locale-agnostic
2187 (CVE-2022-1292)
2193 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
2204 verifying an ocsp response with the "-no_cert_checks" option the command line
2209 ([CVE-2022-1343])
2213 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
2216 An attacker could exploit this issue by performing a man-in-the-middle attack
2220 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
2224 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
2231 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
2235 cannot decrypt data that has been encrypted using this ciphersuite - they can
2239 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
2245 1) OpenSSL must have been compiled with the (non-default) compile time option
2246 enable-weak-ssl-ciphers
2257 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
2259 (CVE-2022-1434)
2274 (CVE-2022-1473)
2288 for non-prime moduli.
2305 - TLS clients consuming server certificates
2306 - TLS servers consuming client certificates
2307 - Hosting providers taking certificates or private keys from customers
2308 - Certificate authorities parsing certification requests from subscribers
2309 - Anything else which parses ASN.1 elliptic curve parameters
2313 ([CVE-2022-0778])
2323 * Made the AES constant time code for no-asm configurations
2326 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2364 ([CVE-2021-4044])
2428 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
2429 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
2430 SP 800-38D". The communication will fail at this point.
2440 beginning of a PEM-formatted file.
2460 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
2461 previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
2471 `--libdir=lib` to override the libdir if adding the postfix is
2493 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
2498 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
2499 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
2500 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
2517 * Client-initiated renegotiation is disabled by default. To allow it, use
2518 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
2528 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
2529 validated. Please consult the README-FIPS and
2530 README-PROVIDERS files, as well as the migration guide.
2640 RIPEMD-160 have been moved to the legacy provider.
2657 * A number of functions handling low-level keys or engines were deprecated
2668 - NID_pbeWithMD2AndDES_CBC
2669 - NID_pbeWithMD5AndDES_CBC
2670 - NID_pbeWithSHA1AndRC2_CBC
2671 - NID_pbeWithMD2AndRC2_CBC
2672 - NID_pbeWithMD5AndRC2_CBC
2673 - NID_pbeWithSHA1AndDES_CBC
2696 algorithms. This is enabled by including the no-cached-fetch option
2701 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
2706 * The openssl speed command does not use low-level API calls anymore.
2710 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
2715 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
2736 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
2754 * The default key generation method for the regular 2-prime RSA keys was
2755 changed to the FIPS 186-4 B.3.6 method.
2786 when using the `-check` or `-pubcheck`
2797 * The `-cipher-commands` and `-digest-commands` options
2799 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
2804 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
2809 * All of the low-level EC_KEY functions have been deprecated.
2824 * The `-crypt` option to the `passwd` command line tool has been removed.
2828 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
2853 * Added new option for 'openssl list', '-providers', which will display the
2884 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2886 TLS-based contexts. The commands can be repeated to set bounds of both
2888 "max_protocol" command-line switches, in case some application uses both TLS
2894 error. Now only the "version-flexible" SSL_CTX instances are subject to
2895 limits in configuration files in command-line options.
2914 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
2915 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
2933 a non-default `OSSL_LIB_CTX`.
2964 * Add CAdES-BES signature verification support, mostly derived
2969 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
2973 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
3046 [ATX headings]: https://github.github.com/gfm/#atx-headings
3047 [setext headings]: https://github.github.com/gfm/#setext-headings
3048 [inline links]: https://github.github.com/gfm/#inline-link
3049 [reference links]: https://github.github.com/gfm/#reference-link
3050 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
3051 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
3056 A new directory test-runs/ with subdirectories named like the
3063 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
3070 user-defined BIOs (allowing implicit connections), persistent connections,
3072 The legacy OCSP-focused (and only partly documented) API
3077 * Added `util/check-format.pl`, a tool for checking adherence to the
3090 * All of the low-level RSA functions have been deprecated.
3115 * All of the low-level DH functions have been deprecated.
3119 * All of the low-level DSA functions have been deprecated.
3128 * Deprecated low-level ECDH and ECDSA functions.
3147 * All of the low-level HMAC functions have been deprecated.
3152 - Common options (such as -rand/-writerand, TLS version control, etc)
3153 were refactored and point to newly-enhanced descriptions in openssl.pod.
3154 - Added style conformance for all options (with help from Richard Levitte),
3158 - Documented some internals, such as all use of environment variables.
3159 - Addressed all internal broken L<> references.
3163 * All of the low-level CMAC functions have been deprecated.
3167 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
3182 * All of the low-level cipher functions have been deprecated.
3208 used in exponentiation with 512-bit moduli. No EC algorithms are
3209 affected. Analysis suggests that attacks against 2-prime RSA1024,
3210 3-prime RSA1536, and DSA1024 as a result of this defect would be very
3214 Also applications directly using the low-level API BN_mod_exp may be
3216 ([CVE-2019-1551])
3220 * Most memory-debug features have been deprecated, and the functionality
3221 replaced with no-ops.
3262 * Change the interpretation of the '--api' configuration option to
3266 the given version, now requires that 'no-deprecated' is also used
3272 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
3280 -DOPENSSL_API_COMPAT=30000 For 3.0
3281 -DOPENSSL_API_COMPAT=30200 For 3.2
3284 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
3295 - X509_LOOKUP_store()
3296 - X509_STORE_load_file()
3297 - X509_STORE_load_path()
3298 - X509_STORE_load_store()
3299 - SSL_add_store_cert_subjects_to_stack()
3300 - SSL_CTX_set_default_verify_store()
3301 - SSL_CTX_load_verify_file()
3302 - SSL_CTX_load_verify_dir()
3303 - SSL_CTX_load_verify_store()
3308 The presence of this system service is determined at run-time.
3317 of application written for pre-3.0 OpenSSL easier.
3339 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
3377 * Added the `-copy_extensions` option to the `x509` command for use with
3378 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
3383 * Added the `-copy_extensions` option to the `req` command for use with
3384 `-x509`. When given with the `copy` or `copyall` argument,
3392 and for not self-signed certs there is an authorityKeyIdentifier extension
3401 (which may be done by using the CLI option `-x509_strict`):
3413 unless they are self-signed.
3423 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3439 ([CVE-2019-1547])
3453 The old behaviour can be re-enabled in the CMS code by setting the
3468 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
3471 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3473 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3479 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3523 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
3557 * RC5_32_set_key has been changed to return an int type, with 0 indicating
3572 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
3581 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
3582 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
3583 for Windows Store apps easier. Also, the "no-uplink" option has been added.
3599 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
3614 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
3615 mandated by IEEE Std 1619-2018.
3646 'enable-buildtest-c++'.
3681 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
3694 * Fix a bug in the computation of the endpoint-pair shared secret used
3698 interoperability with such broken implementations. However, enabling
3716 - Major releases (indicated by incrementing the MAJOR release number)
3718 - Minor releases (indicated by incrementing the MINOR release number)
3720 - Patch releases (indicated by incrementing the PATCH number)
3727 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
3737 * Recreate the OS390-Unix config target. It no longer relies on a
3738 special script like it did for OpenSSL pre-1.1.0.
3743 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
3773 * AES-XTS mode now enforces that its two keys are different to mitigate
3787 * Added new option for 'openssl list', '-objects', which will display the
3792 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
3798 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
3800 applications with zero-copy system calls such as sendfile and splice.
3832 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
3839 -------------
3869 again, but this time passing a non-NULL value for the "out" parameter.
3884 ([CVE-2021-3711])
3928 ([CVE-2021-3712])
3945 that non-CA certificates must not be able to issue other certificates.
3959 ([CVE-2021-3450])
3973 ([CVE-2021-3449])
3986 ([CVE-2021-23841])
3993 CVE-2021-23839.
4003 ([CVE-2021-23840])
4030 ([CVE-2020-1971])
4042 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
4044 TLS-based contexts. The commands can be repeated to set bounds of both
4046 "max_protocol" command-line switches, in case some application uses both TLS
4052 error. Now only the "version-flexible" SSL_CTX instances are subject to
4053 limits in configuration files in command-line options.
4073 ([CVE-2020-1967])
4077 * Added AES consttime code for no-asm configurations
4079 when building openssl for no-asm.
4080 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
4081 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
4097 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
4100 the 2-prime and 3-prime RSA modules were easy to distinguish, since
4102 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
4146 The presence of this system service is determined at run-time.
4169 ([CVE-2019-1549])
4173 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4189 ([CVE-2019-1547])
4203 The old behaviour can be re-enabled in the CMS code by setting the
4205 ([CVE-2019-1563])
4220 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
4231 ([CVE-2019-1552])
4267 'enable-buildtest-c++'.
4271 * Enable SHA3 pre-hashing for ECDSA and DSA.
4284 util/fix-doc-nits accordingly.
4305 * Prevent over long nonces in ChaCha20-Poly1305.
4307 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4328 applications that use this cipher directly and set a non-default nonce
4333 ([CVE-2019-1543])
4353 * Change the info callback signals for the start and end of a post-handshake
4374 ([CVE-2018-0734])
4385 ([CVE-2018-0735])
4413 * s390x assembly pack: add (improved) hardware-support for the following
4414 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
4415 aes-cfb/cfb8, aes-ecb.
4427 differential addition-and-doubling in homogeneous projective coordinates
4428 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
4429 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
4430 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
4437 For larger primes this will result in more rounds of Miller-Rabin.
4439 to 2^-128.
4443 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
4455 length-invariant. Switch even to fixed-length Montgomery multiplication.
4461 differential addition-and-doubling in mixed Lopez-Dahab projective
4470 differential addition-and-doubling algorithms.
4482 * Numerous side-channel attack mitigations have been applied. This may have
4492 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
4494 multi-version installation is managed.
4502 EC cryptosystem implementations are then safer-by-default.
4526 Many applications do not properly handle non-application data records, and
4585 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
4639 in responder mode now supports the new "-multi" option, which
4641 requests. The "-timeout" option now also limits the OCSP
4646 as a long-running service, making the OpenSSL CA somewhat more
4647 feature-complete. In this mode, most diagnostic messages logged
4674 The default RAND method now utilizes an AES-CTR DRBG according to
4675 NIST standard SP 800-90Ar1. The new random generator is essentially
4678 using an AES-CTR bit stream and which seeds and reseeds itself
4682 - Support for multiple DRBG instances with seed chaining.
4683 - The default RAND method makes use of a DRBG.
4684 - There is a public and private DRBG instance.
4685 - The DRBG instances are fork-safe.
4686 - Keep all global DRBG instances on the secure heap if it is enabled.
4687 - The public and private DRBG instance are per thread for lock free
4723 * Add multi-prime RSA (RFC 8017) support.
4727 * Add SM3 implemented according to GB/T 32905-2016
4738 * Add SM4 implemented according to GB/T 32907-2016.
4743 * Reimplement -newreq-nodes and ERR_error_string_n; the
4777 To disable, configure with 'no-ui-console'. 'no-ui' is still
4794 * Add devcrypto engine. This has been implemented against cryptodev-linux,
4796 Enable by configuring with 'enable-devcryptoeng'. This is done by default
4830 * Ignore the '-named_curve auto' value for compatibility of applications
4836 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
4854 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
4863 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4881 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
4885 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
4902 default unless the new "-noservername" option is used. The server name is
4903 based on the host provided to the "-connect" option unless overridden by
4904 using "-servername".
4921 <https://www.akkadia.org/drepper/SHA-crypt.txt>
4939 -------------
4943 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4959 ([CVE-2019-1547])
4973 The old behaviour can be re-enabled in the CMS code by setting the
4975 ([CVE-2019-1563])
4983 ([CVE-2019-1552])
4996 * Prevent over long nonces in ChaCha20-Poly1305.
4998 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
5019 applications that use this cipher directly and set a non-default nonce
5024 ([CVE-2019-1543])
5059 ([CVE-2018-0734])
5070 ([CVE-2018-0735])
5091 ([CVE-2018-0732])
5104 ([CVE-2018-0737])
5115 length-invariant. Switch even to fixed-length Montgomery multiplication.
5121 For larger primes this will result in more rounds of Miller-Rabin.
5123 to 2^-128.
5127 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5154 some characters, such as form-feed, were incorrectly treated as whitespace
5160 and use the "-binary" flag (for the "cms" command line application) or set
5175 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5177 ([CVE-2018-0739])
5181 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
5183 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
5188 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
5192 ([CVE-2018-0733])
5208 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
5217 * Removed the OS390-Unix config target. It relied on a script that doesn't
5225 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5233 no longer an option since CVE-2016-0701.
5239 was originally found via the OSS-Fuzz project.
5240 ([CVE-2017-3738])
5263 This issue was reported to OpenSSL by the OSS-Fuzz project.
5264 ([CVE-2017-3736])
5271 OpenSSL could do a one-byte buffer overread. The most likely result
5274 This issue was reported to OpenSSL by the OSS-Fuzz project.
5275 ([CVE-2017-3735])
5281 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5286 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
5294 * Encrypt-Then-Mac renegotiation crash
5296 During a renegotiation handshake if the Encrypt-Then-Mac extension is
5297 negotiated where it was not in the original handshake (or vice-versa) then
5302 ([CVE-2017-3733])
5310 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5312 perform an out-of-bounds read, usually resulting in a crash.
5315 ([CVE-2017-3731])
5327 ([CVE-2017-3730])
5345 similar to CVE-2015-3193 but must be treated as a separate problem.
5347 This issue was reported to OpenSSL by the OSS-Fuzz project.
5348 ([CVE-2017-3732])
5354 * ChaCha20/Poly1305 heap-buffer-overflow
5356 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
5361 ([CVE-2016-7054])
5375 ([CVE-2016-7053])
5381 There is a carry propagating bug in the Broadwell-specific Montgomery
5388 erroneous outcome of public-key operations with specially crafted input.
5389 Among EC algorithms only Brainpool P-512 curves are affected and one
5391 detail, because pre-requisites for attack are considered unlikely. Namely
5399 ([CVE-2016-7055])
5412 The patch applied to address CVE-2016-6307 resulted in an issue where if a
5422 ([CVE-2016-6309])
5436 the "no-ocsp" build time option are not affected.
5439 ([CVE-2016-6304])
5450 ([CVE-2016-6305])
5488 memory - which would then mean a more serious Denial of Service.
5491 (CVE-2016-6307 and CVE-2016-6308)
5495 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
5497 assemble our modules with -KPIC flag. As result it, assembly
5499 lack of side-channel resistant code, which is incompatible with
5507 * Windows command-line tool supports UTF-8 opt-in option for arguments
5510 with Windows CryptoAPI and protected with non-ASCII password, as well
5511 as files generated under UTF-8 locale on Linux also protected with
5512 non-ASCII password.
5516 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
5518 See the RC4 item below to re-enable both.
5530 to int. A return of 0 indicates an error while a return of 1 indicates
5538 no-ops and deprecated.
5543 calling CryptGenRandom(). Various other RAND-related tickets
5557 int (instead of void) like all others TYPE_up_ref() methods.
5592 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
5598 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
5611 the "no-shared" Configure option.
5615 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
5621 * Make various cleanup routines no-ops and mark them as deprecated. Most
5623 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
5624 Explicitly de-initing can cause problems (e.g. where a library that uses
5625 OpenSSL de-inits, but an application is still using it). The affected
5633 * --strict-warnings no longer enables runtime debugging options
5635 enabled with '--debug' builds.
5663 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
5676 * Removed the aged BC-32 config and all its supporting scripts
5694 encryptions/decryptions simultaneously. There are currently no built-in
5704 AES128-CBC. The kernel must be version 4.1.0 or greater.
5709 set locking callbacks to use OpenSSL in a multi-threaded environment. There
5711 also possible to configure OpenSSL at compile time for "no-threads". The
5713 replaced with "no-op" compatibility macros.
5722 * Add SSL_CIPHER queries for authentication and key-exchange.
5727 - Prefer (EC)DHE handshakes over plain RSA.
5728 - Prefer AEAD ciphers over legacy ciphers.
5729 - Prefer ECDSA over RSA when both certificates are available.
5730 - Prefer TLSv1.2 ciphers/PRF.
5731 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
5742 disabled by default. They can be re-enabled using the
5743 enable-weak-ssl-ciphers option to Configure.
5757 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
5760 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
5767 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
5787 the configuration option "disable-dynamic-engine".
5792 with "disable-dso" or "disable-pic".
5807 If this isn't desirable, the configuration options "disable-pic"
5808 or "no-pic" can be used to disable the use of PIC. This will
5819 is for. Also, the configuration option --install_prefix is
5825 for DTLS; configure with enable-heartbeats. Code that uses the
5846 template in Configurations, like unix-Makefile.tmpl or
5859 * Added support for auto-initialisation and de-initialisation of the library.
5881 the leading 0-byte.
5893 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
5900 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
5933 --prefix and --openssldir change their semantics, and become more
5936 --prefix shall be used exclusively to give the location INSTALLTOP
5940 --openssldir shall be used exclusively to give the default
5945 values of both the --prefix value and the --openssldir value will
5947 The default for --openssldir is INSTALLTOP/ssl.
5949 Anyone who uses --openssldir to specify where OpenSSL is to be
5950 installed MUST change to use --prefix instead.
5962 * EGD is no longer supported by default; use enable-egd when
5986 example, be used to implement local end-entity certificate or
5987 trust-anchor "pinning", where the "pin" data takes the form
5996 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
6002 should be used with the --api=1.1.0 option to entirely remove
6005 Essentially the same effect can be achieved with the "no-deprecated"
6011 they should update their compile-time OPENSSL_API_COMPAT define
6077 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
6090 "-no_ecdhe" option has been removed from s_server.
6109 SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
6116 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
6151 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
6169 * Fix no-stdio build.
6188 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
6242 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
6260 code and the associated standard is no longer considered fit-for-purpose.
6287 draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
6300 Access to deprecated functions can be re-enabled by running config with
6301 "enable-deprecated". In addition applications wishing to use deprecated
6310 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
6311 for OCB can be removed by calling config with no-ocb.
6321 done while fixing the error code for the key-too-small case.
6323 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
6344 16-bit platforms such as WIN16
6349 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
6350 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
6351 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
6352 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
6353 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
6354 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
6358 - Remove MS_STATIC; it's a relic from platforms <32 bits.
6369 NULL. Remove the non-null checks from callers. Save much code.
6389 * Harmonize version and its documentation. -f flag is used to display
6409 preparing the fix ([CVE-2014-0160])
6414 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
6419 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
6428 * Experimental encrypt-then-mac support.
6431 draft-gutmann-tls-encrypt-then-mac-02.txt
6434 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
6436 For non-compliant peers (i.e. just about everything) this should have no
6450 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
6490 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
6514 FIPS 186-3 A.2.3.
6516 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
6542 information in FIPS186-3, SP800-57 and SP800-131A.
6578 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
6582 * Extensive self tests and health checking required by SP800-90 DRBG.
6597 leading zeroes if needed: this complies with SP800-56A et al.
6601 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
6619 * Add selftest checks and algorithm block of non-fips algorithms in
6630 * New build option no-ec2m to disable characteristic 2 code.
6645 * Initial, experimental EVP support for AES-GCM. AAD can be input by
6671 * Improve forward-security support: add functions
6674 SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
6676 SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
6692 * New -verify_name option in command line utilities to set verification
6702 * Experimental renegotiation in s_server -www mode. If the client
6710 multi-process servers.
6729 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
6735 * SSLv3 is by default disabled at build-time. Builds that are not
6736 configured with "enable-ssl3" will not support SSLv3.
6741 -------------
6745 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
6761 ([CVE-2019-1547])
6775 The old behaviour can be re-enabled in the CMS code by setting the
6777 ([CVE-2019-1563])
6784 binaries and run-time config file.
6785 ([CVE-2019-1552])
6798 * Add FIPS support for Android Arm 64-bit
6800 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
6802 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
6803 built with FIPS support on Android Arm 64-bit. This omission has been
6810 * 0-byte record padding oracle
6820 In order for this to be exploitable "non-stitched" ciphersuites must be in
6829 ([CVE-2019-1559])
6849 ([CVE-2018-5407])
6860 ([CVE-2018-0734])
6881 ([CVE-2018-0732])
6894 ([CVE-2018-0737])
6905 length-invariant. Switch even to fixed-length Montgomery multiplication.
6911 For larger primes this will result in more rounds of Miller-Rabin.
6913 to 2^-128.
6917 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
6947 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
6949 ([CVE-2018-0739])
6974 ([CVE-2017-3737])
6981 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
6989 no longer an option since CVE-2016-0701.
6995 was originally found via the OSS-Fuzz project.
6996 ([CVE-2017-3738])
7019 This issue was reported to OpenSSL by the OSS-Fuzz project.
7020 ([CVE-2017-3736])
7027 OpenSSL could do a one-byte buffer overread. The most likely result
7030 This issue was reported to OpenSSL by the OSS-Fuzz project.
7036 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
7045 If one side of an SSL/TLS path is running on a 32-bit host and a specific
7047 perform an out-of-bounds read, usually resulting in a crash.
7050 ([CVE-2017-3731])
7068 similar to CVE-2015-3193 but must be treated as a separate problem.
7070 This issue was reported to OpenSSL by the OSS-Fuzz project.
7071 ([CVE-2017-3732])
7077 There is a carry propagating bug in the Broadwell-specific Montgomery
7084 erroneous outcome of public-key operations with specially crafted input.
7085 Among EC algorithms only Brainpool P-512 curves are affected and one
7087 detail, because pre-requisites for attack are considered unlikely. Namely
7095 ([CVE-2016-7055])
7115 ([CVE-2016-7052])
7129 the "no-ocsp" build time option are not affected.
7132 ([CVE-2016-6304])
7141 ([CVE-2016-2183])
7157 ([CVE-2016-6303])
7171 ([CVE-2016-6302])
7184 ([CVE-2016-2182])
7196 ([CVE-2016-2180])
7222 ([CVE-2016-2177])
7230 implementation means that a non-constant time codepath is followed for
7231 certain operations. This has been demonstrated through a cache-timing
7237 ([CVE-2016-2178])
7243 In a DTLS connection where handshake messages are delivered out-of-order
7255 ([CVE-2016-2179])
7270 ([CVE-2016-2181])
7286 ([CVE-2016-6306])
7292 * Prevent padding oracle in AES-NI CBC MAC check
7296 AES-NI.
7299 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7305 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7324 ([CVE-2016-2105])
7348 ([CVE-2016-2106])
7364 ([CVE-2016-2109])
7375 ([CVE-2016-2176])
7389 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7397 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7403 is by default disabled at build-time. Builds that are not configured with
7404 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7405 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7413 explicitly uses the version-specific SSLv2_method() or its client and
7415 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7416 ciphers, and SSLv2 56-bit DES are no longer available.
7417 ([CVE-2016-0800])
7421 * Fix a double-free in DSA code
7430 ([CVE-2016-0705])
7450 ([CVE-2016-0798])
7457 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
7475 ([CVE-2016-0797])
7496 functions when printing out human-readable dumps of ASN.1 data. Therefore
7507 ([CVE-2016-0799])
7513 A side-channel attack was found which makes use of cache-bank conflicts on
7514 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7517 hyper-threaded core as the victim thread which is performing decryptions.
7523 ([CVE-2016-0702])
7527 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
7564 ([CVE-2016-0701])
7577 ([CVE-2015-3197])
7599 ([CVE-2015-3193])
7615 ([CVE-2015-3194])
7628 ([CVE-2015-3195])
7681 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7682 ([CVE-2015-1788])
7686 * Exploitable out-of-bounds read in X509_cmp_time
7702 ([CVE-2015-1789])
7709 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7717 ([CVE-2015-1790])
7728 ([CVE-2015-1792])
7734 If a NewSessionTicket is received by a multi-threaded client when attempting to
7737 ([CVE-2015-1791])
7741 * Only support 256-bit or stronger elliptic curves with the
7743 curves, prefer P-256 (both).
7757 ([CVE-2015-0291])
7767 using non-blocking IO. Typically, when the user application is using a
7773 ([CVE-2015-0290])
7790 ([CVE-2015-0207])
7802 ([CVE-2015-0286])
7817 ([CVE-2015-0208])
7831 ([CVE-2015-0287])
7838 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7846 ([CVE-2015-0289])
7854 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7858 ([CVE-2015-0293])
7867 ([CVE-2015-1787])
7875 - The client is on a platform where the PRNG has not been seeded
7877 - A protocol specific client method version has been used (i.e. not
7879 - A ciphersuite is used that does not require additional random data from
7880 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
7889 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
7890 ([CVE-2015-0285])
7905 ([CVE-2015-0209])
7915 ([CVE-2015-0288])
7930 near-optimal performance even on newer platforms.
7934 * Accelerated NIST P-256 elliptic curve implementation for x86_64
7946 bogus results, with non-infinity inputs mapped to infinity too.)
7957 * Add support for little-endian ppc64 Linux target.
7964 Both 32- and 64-bit modes are supported.
7985 implementations, AESNI-SHA256 and GCM, and multi-buffer support
8025 * Add -rev test option to s_server to just reverse order of characters
8031 * New option -brief for s_client and s_server to print out a brief summary
8040 * New option -crl_download in several openssl utilities to download CRLs
8045 * New options -CRL and -CRLform for s_client and s_server for CRLs.
8081 "enable-ssl-trace". New options to s_client and s_server to enable
8223 * Initial experimental support for explicitly trusted non-root CAs.
8226 setting is used: whether to trust (e.g., -addtrust option to the x509
8231 * Add -trusted_first option which attempts to find certificates in the
8241 * Support for linux-x32, ILP32 environment in x86_64 framework.
8245 * Experimental multi-implementation support for FIPS capable OpenSSL.
8291 between NIDs and the more common NIST names such as "P-256". Enhance
8311 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
8313 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
8318 -------------
8330 the "no-ocsp" build time option are not affected.
8333 ([CVE-2016-6304])
8342 ([CVE-2016-2183])
8358 ([CVE-2016-6303])
8372 ([CVE-2016-6302])
8385 ([CVE-2016-2182])
8397 ([CVE-2016-2180])
8423 ([CVE-2016-2177])
8431 implementation means that a non-constant time codepath is followed for
8432 certain operations. This has been demonstrated through a cache-timing
8438 ([CVE-2016-2178])
8444 In a DTLS connection where handshake messages are delivered out-of-order
8456 ([CVE-2016-2179])
8471 ([CVE-2016-2181])
8487 ([CVE-2016-6306])
8493 * Prevent padding oracle in AES-NI CBC MAC check
8497 AES-NI.
8500 attack ([CVE-2013-0169]). The padding check was rewritten to be in
8506 This issue was reported by Juraj Somorovsky using TLS-Attacker.
8507 ([CVE-2016-2107])
8526 ([CVE-2016-2105])
8550 ([CVE-2016-2106])
8566 ([CVE-2016-2109])
8577 ([CVE-2016-2176])
8591 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
8599 Builds that are not configured with "enable-weak-ssl-ciphers" will not
8605 is by default disabled at build-time. Builds that are not configured with
8606 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
8607 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
8615 explicitly uses the version-specific SSLv2_method() or its client and
8617 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
8618 ciphers, and SSLv2 56-bit DES are no longer available.
8619 ([CVE-2016-0800])
8623 * Fix a double-free in DSA code
8632 ([CVE-2016-0705])
8652 ([CVE-2016-0798])
8659 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
8677 ([CVE-2016-0797])
8698 functions when printing out human-readable dumps of ASN.1 data. Therefore
8709 ([CVE-2016-0799])
8715 A side-channel attack was found which makes use of cache-bank conflicts on
8716 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
8719 hyper-threaded core as the victim thread which is performing decryptions.
8725 ([CVE-2016-0702])
8729 * Change the req command to generate a 2048-bit RSA/DSA key by default,
8755 ([CVE-2015-3197])
8777 ([CVE-2015-3194])
8790 ([CVE-2015-3195])
8819 ([CVE-2015-1793])
8825 If PSK identity hints are received by a multi-threaded client then
8829 ([CVE-2015-3196])
8852 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8853 ([CVE-2015-1788])
8857 * Exploitable out-of-bounds read in X509_cmp_time
8873 ([CVE-2015-1789])
8880 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8888 ([CVE-2015-1790])
8899 ([CVE-2015-1792])
8905 If a NewSessionTicket is received by a multi-threaded client when attempting to
8908 ([CVE-2015-1791])
8916 * dhparam: generate 2048-bit parameters by default.
8930 ([CVE-2015-0286])
8944 ([CVE-2015-0287])
8951 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8959 ([CVE-2015-0289])
8967 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8971 ([CVE-2015-0293])
8986 ([CVE-2015-0209])
8996 ([CVE-2015-0288])
9016 ([CVE-2014-3571])
9026 ([CVE-2015-0206])
9030 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
9031 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
9034 ([CVE-2014-3569])
9043 ([CVE-2014-3572])
9047 * Remove non-export ephemeral RSA code on client and server. This code
9049 non-export ciphersuites and could be used by a server to effectively
9053 ([CVE-2015-0204])
9065 ([CVE-2015-0205])
9079 By using non-DER or invalid encodings outside the signed portion of a
9094 errors for some broken certificates.
9100 Re-encode DSA/ECDSA signatures and compare with the original received
9111 ([CVE-2014-8275])
9123 ([CVE-2014-3570])
9140 * Tighten client-side session ticket handling during renegotiation:
9165 ([CVE-2014-3513])
9177 ([CVE-2014-3567])
9181 * Build option no-ssl3 is incomplete.
9183 When OpenSSL is configured with "no-ssl3" as a build option, servers
9186 ([CVE-2014-3568])
9193 ([CVE-2014-3566])
9199 Re-encode DigestInfo in DER and check against the original when
9215 ([CVE-2014-3512])
9221 is badly fragmented. This allows a man-in-the-middle attacker to force a
9227 ([CVE-2014-3511])
9238 ([CVE-2014-3510])
9245 ([CVE-2014-3507])
9253 ([CVE-2014-3506])
9260 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
9262 ([CVE-2014-3505])
9272 ([CVE-2014-3509])
9283 ([CVE-2014-5139])
9293 ([CVE-2014-3508])
9299 bogus results, with non-infinity inputs mapped to infinity too.)
9310 researching this issue. ([CVE-2014-0224])
9318 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
9319 ([CVE-2014-0221])
9328 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
9336 this issue. ([CVE-2014-3470])
9340 * Harmonize version and its documentation. -f flag is used to display
9362 preparing the fix ([CVE-2014-0160])
9367 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
9372 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
9376 * TLS pad extension: draft-agl-tls-padding-03
9390 ([CVE-2013-4353])
9394 to be resent. ([CVE-2013-6450])
9399 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
9401 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
9409 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
9426 ([CVE-2013-0169])
9435 ([CVE-2012-2686])
9440 This fixes a DoS attack. ([CVE-2013-0166])
9469 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9471 ([CVE-2012-2333])
9518 ([CVE-2012-2110])
9522 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
9526 * Workarounds for some broken servers that "hang" if a client hello
9534 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
9535 Most broken servers should now work.
9570 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9574 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9582 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
9583 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
9584 - x86_64: bit-sliced AES implementation;
9585 - ARM: NEON support, contemporary platforms optimizations;
9586 - s390x: z196 support;
9587 - `*`: GHASH and GF(2^m) multiplication implementations;
9591 * Make TLS-SRP code conformant with RFC 5054 API cleanup
9600 * Add DTLS-SRTP negotiation from RFC 5764.
9605 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
9606 disabled with a no-npn flag to config or Configure. Code donated
9611 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
9612 NIST-P256, NIST-P521, with constant-time single point multiplication on
9614 required to use this (present in gcc 4.4 and later, for 64-bit builds).
9617 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
9637 * New -sigopt option to the ca, req and x509 utilities. Additional
9650 New function ASN1_item_sign_ctx() signs a pre-initialised
9689 * Session-handling fixes:
9690 - Fix handling of connections that are resuming with a session ID,
9692 - Fix a bug that suppressed issuing of a new ticket if the client
9694 - Try to set the ticket lifetime hint to something reasonable.
9695 - Make tickets shorter by excluding irrelevant information.
9696 - On the client side, don't ignore renewed tickets.
9704 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
9732 switch between FIPS and non-FIPS modes.
9738 keep original code iff non-FIPS operations are allowed.
9742 * Add -attime option to openssl utilities.
9755 * New build option no-ec2m to disable characteristic 2 code.
9759 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
9769 * Add similar low-level API blocking to ciphers.
9773 * low-level digest APIs are not approved in FIPS mode: any attempt
9802 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
9861 *Robin Seggelmann <seggelmann@fh-muenster.de>*
9871 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
9885 -------------
9898 ([CVE-2015-3195])
9904 If PSK identity hints are received by a multi-threaded client then
9908 ([CVE-2015-3196])
9925 This issue was reported to OpenSSL by Joseph Barr-Pixton.
9926 ([CVE-2015-1788])
9930 * Exploitable out-of-bounds read in X509_cmp_time
9946 ([CVE-2015-1789])
9953 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
9961 ([CVE-2015-1790])
9972 ([CVE-2015-1792])
9978 If a NewSessionTicket is received by a multi-threaded client when attempting to
9981 ([CVE-2015-1791])
9995 ([CVE-2015-0286])
10009 ([CVE-2015-0287])
10016 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
10024 ([CVE-2015-0289])
10032 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
10036 ([CVE-2015-0293])
10051 ([CVE-2015-0209])
10061 ([CVE-2015-0288])
10081 ([CVE-2014-3571])
10091 ([CVE-2015-0206])
10095 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
10096 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
10099 ([CVE-2014-3569])
10108 ([CVE-2014-3572])
10112 * Remove non-export ephemeral RSA code on client and server. This code
10114 non-export ciphersuites and could be used by a server to effectively
10118 ([CVE-2015-0204])
10130 ([CVE-2015-0205])
10142 ([CVE-2014-3570])
10148 By using non-DER or invalid encodings outside the signed portion of a
10163 errors for some broken certificates.
10169 Re-encode DSA/ECDSA signatures and compare with the original received
10180 ([CVE-2014-8275])
10194 ([CVE-2014-3567])
10198 * Build option no-ssl3 is incomplete.
10200 When OpenSSL is configured with "no-ssl3" as a build option, servers
10203 ([CVE-2014-3568])
10210 ([CVE-2014-3566])
10216 Re-encode DigestInfo in DER and check against the original when
10233 ([CVE-2014-3510])
10240 ([CVE-2014-3507])
10248 ([CVE-2014-3506])
10255 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
10257 ([CVE-2014-3505])
10267 ([CVE-2014-3509])
10277 ([CVE-2014-3508])
10283 bogus results, with non-infinity inputs mapped to infinity too.)
10294 researching this issue. ([CVE-2014-0224])
10302 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
10303 ([CVE-2014-0221])
10312 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
10320 this issue. ([CVE-2014-3470])
10324 * Harmonize version and its documentation. -f flag is used to display
10339 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
10344 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
10352 to be resent. ([CVE-2013-6450])
10357 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
10359 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
10377 ([CVE-2013-0169])
10382 This fixes a DoS attack. ([CVE-2013-0166])
10406 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
10408 ([CVE-2012-2333])
10425 ([CVE-2012-2110])
10435 old behaviour can be re-enabled in the CMS code by setting the
10439 this issue. ([CVE-2012-0884])
10443 * Fix CVE-2011-4619: make sure we really are receiving a
10451 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
10454 preparing a fix. ([CVE-2012-0050])
10470 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
10471 for preparing the fix. ([CVE-2011-4108])
10476 ([CVE-2011-4576])
10482 Adam Langley for preparing the fix. ([CVE-2011-4619])
10486 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
10492 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
10500 * Fix ssl_ciph.c set-up race.
10524 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
10531 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
10536 for multi-threaded use of ECDH. ([CVE-2011-3210])
10558 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
10572 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
10576 * Fixed J-PAKE implementation error, originally discovered by
10578 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
10586 be shared by multiple threads. CVE-2010-3864
10598 ([CVE-2010-1633])
10600 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
10610 * Tolerate yet another broken PKCS#8 key format: private key value negative.
10614 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
10669 *Michael Tuexen <tuexen@fh-muenster.de>*
10708 openssl dgst -sha256 foo
10741 * Add session ticket override functionality for use by EAP-FAST.
10750 * Type-checked OBJ_bsearch_ex.
10754 * Type-checked OBJ_bsearch. Also some constification necessitated
10755 by type-checking. Still to come: TXT_DB, bsearch(?),
10834 * To cater for systems that provide a pointer-based thread ID rather
10841 as a pointer-based thread ID to distinguish between threads.
10854 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
10876 * Revamp of STACK to provide stronger type-checking. Still to come:
10887 * Revamp of LHASH to provide stronger type-checking. Still to come:
10906 files from Configure script, currently only included in VC-WIN32.
10927 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
10933 -DTLSEXT_TYPE_opaque_prf_input=0x9527
10944 an internal copy of the length-'len' string at 'src', and will
10945 return non-zero for success.
10955 int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
10963 has to return non-zero to report success: usually 1 to use opaque
11023 * Add option -stream to use PKCS#7 streaming in smime utility. New
11032 ENGINE support for HMAC keys which are unextractable. New -mac and
11033 -macopt options to dgst utility.
11037 * New option -sigopt to dgst utility. Update dgst to use
11046 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
11054 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
11082 away into the non-exported interface ssl/ssl_locl.h, so this
11100 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
11111 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
11134 -verify_return_error to s_client and s_server. This causes real errors
11177 * Non-blocking OCSP request processing. Add -timeout option to ocsp
11203 list-message-digest-algorithms and list-cipher-algorithms.
11208 of degrees of non-zero coefficients is now terminated with -1.
11234 kECDHr - ECDH cert, signed with RSA
11235 kECDHe - ECDH cert, signed with ECDSA
11236 kECDH - ECDH cert (signed with either RSA or ECDSA)
11237 kEECDH - ephemeral ECDH
11238 ECDH - ECDH cert or ephemeral ECDH
11240 aECDH - ECDH cert
11241 aECDSA - ECDSA cert
11242 ECDSA - ECDSA cert
11244 AECDH - anonymous ECDH
11245 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
11271 * New -resign option to smime utility. This adds one or more signers
11272 to an existing PKCS#7 signedData structure. Also -md option to use an
11283 * New -macalg option to pkcs12 utility to allow setting of an alternative
11386 "list-public-key-algorithms" to print out info.
11391 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11414 De-spaghettify the public key ASN1 handling. Move public and private
11423 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11432 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
11433 PSK-AES256-CBC-SHA
11465 - SSL_CTX_set_tlsext_servername_callback()
11467 - SSL_CTX_set_tlsext_servername_arg()
11468 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
11470 openssl s_client has a new '-servername ...' option.
11472 openssl s_server has new options '-servername_host ...', '-cert2 ...',
11473 '-key2 ...', '-servername_fatal' (subject to change). This allows
11474 testing the HostName extension for a specific single hostname ('-cert'
11475 and '-key' remain fallbacks for handshakes without HostName
11477 default is a warning; it becomes fatal with the '-servername_fatal'
11486 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
11490 implementations, between 32- and 64-bit builds without hassle.
11503 "64-bit" performance on certain 32-bit targets.
11514 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
11562 -------------
11567 update s->server with a new major version number. As of
11568 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
11569 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
11572 protection is active. ([CVE-2010-0740])
11576 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
11583 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
11617 This results in significant per-connection memory leaks and
11618 has caused some security issues including CVE-2008-1678 and
11619 CVE-2009-4355.
11656 * Replace the highly broken and deprecated SPKAC certification method with
11661 * Implement RFC5746. Re-enable renegotiation but require the extension
11672 servername handling. Use a non-zero length session ID when attempting
11687 * Add --strict-warnings option to Configure script to include devteam
11692 * Add support for --libdir option and LIBDIR variable in makefiles. This
11723 it used to have an ad-hoc builder which was unable to cope with anything
11731 with non-FIPS digests are now usable in FIPS mode.
11742 buffered. ([CVE-2009-1378])
11752 ([CVE-2009-1377])
11756 * Keep a copy of frag->msg_header.frag_len so it can be used after the
11757 parent structure is freed. ([CVE-2009-1379])
11761 * Handle non-blocking I/O properly in SSL_shutdown() call.
11763 *Darryl Miles <darryl-mailinglists@netbauds.net>*
11771 * Disable renegotiation completely - this fixes a severe security
11772 problem ([CVE-2009-3555]) at the cost of breaking all
11773 renegotiation. Renegotiation can be re-enabled by setting
11774 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
11775 run-time. This is really not recommended unless you know what
11784 zeroing past the valid field. ([CVE-2009-0789])
11790 appear to verify correctly. ([CVE-2009-0591])
11796 a legal length. ([CVE-2009-0590])
11816 * New -hex option for openssl rand.
11837 ([CVE-2008-5077]).
11855 * Tweak Configure so that you need to say "experimental-jpake" to enable
11856 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
11873 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
11884 ChangeCipherSpec as first record ([CVE-2009-1386]).
11894 double-checked locking was incomplete for RSA blinding,
11896 doubly unsafe triple-checked locking.
11905 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
11907 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
11911 - Change bn_nist.c so that it will properly handle input BIGNUMs
11914 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
11919 * Allow engines to be "soft loaded" - i.e. optionally don't die if
11928 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
11940 Not compiled unless enable-capieng specified to Configure.
11957 Codenomicon TLS test suite ([CVE-2008-1672])
11962 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
11986 the 'db' section contains nothing but zeroes (there is a one-byte
11991 * Partial backport from 0.9.9-dev:
11995 While 0.9.9-dev uses assembler for various architectures, only
11997 32-bit x86 is available through a compile-time setting.
11999 To try the 32-bit x86 assembler implementation, use Configure
12000 option "enable-montasm" (which exists only for this backport).
12002 As "enable-montasm" for 32-bit x86 disclaims code stability
12004 backported from 0.9.9-dev for further performance improvements,
12006 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
12017 * Reverse ENGINE-internal logic for caching default ENGINE handles.
12018 This was broken until now in 0.9.8 releases, such that the only way
12024 'uptodate' flag is reset so that auto-discovery will be used next
12041 with the enable-cms configuration option.
12078 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
12079 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
12080 - added some more tests to do_tests.pl
12081 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
12082 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
12083 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
12084 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
12085 - various changes to netware.pl to enable gcc-cross builds on Win32
12087 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
12088 - various changes to fix missing prototype warnings
12089 - fixed x86nasm.pl to create correct asm files for NASM COFF output
12090 - added AES, WHIRLPOOL and CPUID assembler code to build files
12091 - added missing AES assembler make rules to mk1mf.pl
12092 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
12108 + DTLS interoperation with non-compliant servers
12120 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
12123 This update even addresses CVE-2007-4995.
12172 - SSL_CTX_set_tlsext_servername_callback()
12174 - SSL_CTX_set_tlsext_servername_arg()
12175 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
12177 openssl s_client has a new '-servername ...' option.
12179 openssl s_server has new options '-servername_host ...', '-cert2 ...',
12180 '-key2 ...', '-servername_fatal' (subject to change). This allows
12181 testing the HostName extension for a specific single hostname ('-cert'
12182 and '-key' remain fallbacks for handshakes without HostName
12184 default is a warning; it becomes fatal with the '-servername_fatal'
12210 * Add the Korean symmetric 128-bit cipher SEED (see
12214 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
12215 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
12216 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
12217 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
12221 is configured with 'enable-seed'.
12229 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
12233 respectively, which are slower, but avoid the security-relevant
12248 constant-time implementations for more than just exponentiation.
12265 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
12276 authentication-only ciphersuites.
12280 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
12282 ([CVE-2007-5135]) [Ben Laurie]
12324 *Goetz Babin-Ebell*
12329 cause a denial of service. ([CVE-2006-2940])
12334 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12337 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12340 malicious SSLv2 server. ([CVE-2006-4343])
12345 match only those. Before that, "AES256-SHA" would be interpreted
12346 as a pattern and match "AES128-SHA" too (since AES128-SHA got
12350 "RC4-MD5" that intentionally matched multiple ciphersuites --
12357 Thus, "RC4-MD5" again will properly select both the SSL 2.0
12374 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12389 However, please upgrade to OpenSSL 0.9.9[-dev] for
12390 non-experimental use of the ECC ciphersuites to get TLS extension
12398 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12399 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12400 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12403 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12407 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12413 dual-core machines) and other potential thread-safety issues.
12417 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
12418 versions), which is now available for royalty-free use
12424 is configured with 'enable-camellia'.
12448 * Update support for ECC-based TLS ciphersuites according to
12449 draft-ietf-tls-ecc-12.txt with proposed changes (but without
12464 Static zlib linking now works on Windows and the new --with-zlib-include
12465 --with-zlib-lib options to Configure can be used to supply the location
12492 countermeasure against man-in-the-middle protocol-version
12494 idea. ([CVE-2005-2969])
12509 * Avoid some small subgroup attacks in Diffie-Hellman.
12513 * Add functions for well-known primes.
12550 * Add -utf8 command line and config file option to 'ca'.
12560 involves renaming the source and generated shared-libs for
12569 use it. Make -CSP option work again in pkcs12 utility.
12574 - automatic re-creation of the BN_BLINDING parameters after
12576 - add new function for parameter creation
12577 - introduce flags to control the update behaviour of the
12579 - hide BN_BLINDING structure
12600 * Use SHA-1 instead of MD5 as the default digest algorithm for
12605 * Compile clean with "-Wall -Wmissing-prototypes
12606 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
12612 The new counterpiece to "no-xxx" is "enable-xxx".
12615 "enable-rc5" and "enable-mdc2", respectively, are specified.
12619 fee for non-commercial use. As before, "no-idea" can be used to
12626 EGEE (Enabling Grids for E-science in Europe).
12631 as Intel P4, IA-64 and AMD64.
12635 * New utility extract-section.pl. This can be used specify an alternative
12646 * New arguments -certform, -keyform and -pass for s_client and s_server
12671 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
12687 moved from CA.pl to the 'ca' utility with a new option -create_serial.
12692 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
12700 give fewer recursive includes, which could break lazy source code - so
12704 backwards-compatible behaviour prevails when this isn't defined.
12741 static array of bignums, BN_CTX now uses a linked-list of such arrays
12777 * BN_CTX_get() should return zero-valued bignums, providing the same
12810 * Because of the callback-based approach for implementing LHASH as a
12811 template type, lh_insert() adds opaque objects to hash-tables and
12814 (and losing the object pointers). So some over-zealous constifications in
12828 aren't necessarily the greatest nomenclatures - but this is what was used
12835 the self-tests were still using deprecated key-generation functions so
12856 modulus operations are not performed. The (pre-generated) prime
12858 re-generated on some platforms because of the "division by zero"
12863 * Update support for ECC-based TLS ciphersuites according to
12864 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
12865 SHA-1 now is only used for "small" curves (where the
12879 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
12891 to certificate and key stores, be they simple file-based stores, or
12892 HSM-type store, or LDAP stores, or...
12905 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
12913 searched-for key would be inserted to preserve sorting order.
12934 * Make it possible to create self-signed certificates with 'openssl ca'
12935 in such a way that the self-signed certificate becomes part of the
12937 as all other certificate signing. The new flag '-selfsign' enables
12944 request can be signed by that key (self-signing).
12957 * Generate multi-valued AVAs using '+' notation in config files for
12975 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
13004 * Add full support for -rpath/-R, both in shared libraries and
13034 ./config -DOPENSSL_USE_GMP -lgmp
13039 testing availability of engines with "-t" - the old behaviour is
13040 produced by increasing the feature's verbosity with "-tt".
13051 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
13058 * Change the "progress" mechanism used in key-generation and
13064 migrate to the new functions. Also, the new key-generation API
13065 functions operate on a caller-supplied key-structure and return
13066 success/failure rather than returning a key or NULL - this is to
13071 int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
13080 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
13089 draft-ietf-tls-compression-04.txt.
13099 -- at least one of the pair shall be present -- }
13116 void BN_set_negative(BIGNUM *a, int neg);
13118 int BN_is_negative(const BIGNUM *a);
13120 to avoid the need to access 'a->neg' directly in applications.
13124 * Implement fast modular reduction for pseudo-Mersenne primes
13145 the usual use of --prefix and/or --openssldir, and at run
13161 files while avoiding the low-level API.
13165 algorithm NIDs can be set to -1 for no encryption, the mac
13168 Enhance pkcs12 utility by making the -nokeys and -nocerts
13169 options work when creating a PKCS#12 file. New option -nomac
13172 instead of the low-level API.
13188 * Let 'openssl req' fail if an argument to '-newkey' is not
13193 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
13208 without success (which indicates a broken PRNG).
13294 field can be given as an 'unsigned int[]' with strictly
13329 functionality is disabled at compile-time.
13336 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
13337 mode the content of non-printable OCTET STRINGs is output in a
13350 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
13352 - Points are encoded in uncompressed form by default; options for
13401 EC_METHOD) that verifies that the curve discriminant is non-zero.
13416 - 'openssl req' now has a '-newkey ecdsa:file' option;
13417 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
13418 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
13422 - ECDSA engine support has been added.
13458 authentication-only ciphersuites.
13502 cause a denial of service. ([CVE-2006-2940])
13507 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
13510 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
13513 malicious SSLv2 server. ([CVE-2006-4343])
13518 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
13519 will no longer include "AES128-SHA"), and any other similar
13521 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
13530 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
13540 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
13541 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
13542 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
13545 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
13549 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
13555 dual-core machines) and other potential thread-safety issues.
13570 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
13582 safely run with a non-FIPSed libcrypto, as it may crash because of
13591 countermeasure against man-in-the-middle protocol-version
13593 idea. ([CVE-2005-2969])
13605 the exponentiation using a fixed-length exponent. (Otherwise,
13612 * Make a new fixed-window mod_exp implementation the default for
13613 RSA, DSA, and DH private-key operations so that the sequence of
13616 cache-timing and potential related attacks.
13635 * Add support for smime-type MIME parameter in S/MIME messages which some
13672 they must be explicitly allowed in run-time. See
13679 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
13681 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
13714 * Back-port of selected performance improvements from development
13724 * Add new -passin argument to dgst.
13729 this is needed for some certificates that re-encode DNs into UTF8Strings
13740 - if there is an unhandled critical extension (unless the user
13742 - if the path length has been exceeded (if one is set at all)
13743 - that certain extensions fit the associated purpose (if one has
13770 certificate is created using 'openssl req -x509'. The initial serial
13771 number file is created using 'openssl x509 -next_serial' in CA.pl
13778 * Fix null-pointer assignment in do_change_cipher_spec() revealed
13779 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
13784 ([CVE-2004-0112])
13797 * X509 verify fixes. Disable broken certificate workarounds when
13834 invalid tags (CVE-2003-0543 and CVE-2003-0544).
13836 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
13843 * New -ignore_err option in ocsp application to stop the server
13880 PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
13889 * Countermeasure against the Klima-Pokorny-Rosa extension of
13899 They would be ill-advised to do so in most cases.
13905 an unpredictable seed -- if it is not unpredictable, there
13906 is no point in blinding anyway). Make RSA blinding thread-safe
13907 by remembering the creator's thread ID in rsa->blinding and
13908 having all other threads use local one-time blinding factors
13909 (this requires more computation than sharing rsa->blinding, but
13933 between bad padding and a MAC verification error. ([CVE-2003-0078])
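The RSA blinding entries above (the Klima-Pokorny-Rosa countermeasure, the requirement for an unpredictable seed, and the thread-safety scheme where only the creating thread shares rsa->blinding while other threads use local one-time factors) describe a technique that is short enough to show in full. The following is an added example written for this page, not OpenSSL's BN_BLINDING code; the toy key uses two fixed, far too small primes constructed for illustration, and the "square after each use, re-create after a fixed number of uses" update policy is my model of the behaviour the changelog entries describe, not a claim about exact OpenSSL constants.

```python
import math
import secrets
import threading

# Constructed toy key: fixed small primes, illustration only, never use a key like this
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY = (N, E, D)


class Blinding:
    """Blinding pair A = r^e mod n and Ai = r^-1 mod n, bound to the thread that created it.

    Blinding makes the private exponentiation operate on m * r^e, a value the attacker does
    not know, so its timing cannot be correlated with the chosen ciphertext m.
    """
    RENEW_EVERY = 32  # assumed policy: start from a fresh random r after this many uses

    def __init__(self, n, e):
        self.n, self.e = n, e
        self.owner = threading.get_ident()
        self._create()

    def _create(self):
        n = self.n
        while True:
            # r must be unpredictable: a guessable r gives the attacker m * r^e back
            r = secrets.randbelow(n - 2) + 2
            if math.gcd(r, n) == 1:
                break
        self.A = pow(r, self.e, n)
        self.Ai = pow(r, -1, n)
        self.uses = 0

    def update(self):
        """Squaring both factors keeps them consistent (r -> r^2 gives A = r^2e, Ai = r^-2)
        at a fraction of the cost of a fresh r; periodically re-create from scratch."""
        self.uses += 1
        if self.uses >= self.RENEW_EVERY:
            self._create()
        else:
            self.A = self.A * self.A % self.n
            self.Ai = self.Ai * self.Ai % self.n


def select_blinding(shared, n, e):
    """Only the thread that created `shared` may reuse it; any other thread gets a
    local one-time pair (more computation, but no cross-thread state to lock)."""
    if shared is not None and shared.owner == threading.get_ident():
        return shared
    return Blinding(n, e)


def rsa_private_blinded(m, key, shared=None):
    """m^d mod n computed on a blinded input."""
    n, e, d = key
    b = select_blinding(shared, n, e)
    blinded = m * b.A % n            # m' = m * r^e
    s_blinded = pow(blinded, d, n)   # (m * r^e)^d = m^d * r
    s = s_blinded * b.Ai % n         # strip r
    b.update()
    return s


def run_on_other_thread(m, key, shared):
    """Returns (result, used_shared_pair) for a private op issued from a second thread."""
    out = {}

    def work():
        out["pair"] = select_blinding(shared, key[0], key[1])
        out["s"] = rsa_private_blinded(m, key, shared)

    t = threading.Thread(target=work)
    t.start()
    t.join()
    return out["s"], out["pair"] is shared


if __name__ == "__main__":
    pair = Blinding(N, E)
    m = 123456789012345
    print(rsa_private_blinded(m, KEY, pair) == pow(m, D, N))
    print(run_on_other_thread(m, KEY, pair)[1])  # False: the other thread used its own pair
```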
13939 * Make the no-err option work as intended. The intention with no-err
13947 used by default when no-err is given.
14007 * IA-32 assembler support enhancements: unified ELF targets, support
14013 FreeBSD on non-x86 processors is separate from x86 processors on
14062 warnings and a request that patches get sent to openssl-dev.
14066 * Add the VC-CE target, introduce the WINCE sysname, and add
14071 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
14072 cygssl-x.y.z.dll, where x, y and z are the major, minor and
14082 * Avoid using fixed-size buffers for one-line DNs.
14141 * Add assertions to prevent user-supplied crypto functions from
14159 * Fix off-by-one error in EGD path.
14189 Remote buffer overflow in SSL3 protocol - an attacker could
14190 supply an oversized master key in Kerberos-enabled versions.
14191 ([CVE-2002-0657])
14199 * Make -nameopt work fully for req and add -reqopt switch.
14201 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
14215 which may be activated as a side-effect of selecting a single cipher.
14223 * Add appropriate support for separate platform-dependent build
14224 directories. The recommended way to make a platform-dependent
14231 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
14232 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
14233 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
14234 mkdir -p `dirname $F`
14235 ln -s $OPENSSL_SOURCE/$F $F
14249 *Götz Babin-Ebell <babinebell@trustcenter.de>*
14251 * Improve diagnostics in file reading and command-line digests.
14256 error in AES-CFB decryption.
14275 * Fix escaping of non-ASCII characters when using the -subj option
14286 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
14299 * Fix the 'app_verify_callback' interface so that the user-defined
14303 int (*cb)()
14305 int (*cb)(X509_STORE_CTX *,void *);
14307 i=s->ctx->app_verify_callback(&ctx)
14309 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
14342 the same as the utility itself: that is the -config
14373 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
14382 * Add the configuration target debug-linux-ppro.
14394 * Add -keyform to rsautl, and document -engine.
14447 (up to about 10% better than before for P-192 and P-224).
14460 void cb(int write_p, int version, int content_type,
14471 SSL object, and 'arg' is the application-defined value set by
14474 'openssl s_client' and 'openssl s_server' have new '-msg' options
14505 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
14506 runs for the former and machine-readable output for the latter.
14510 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
14511 of the e-mail address in the DN (i.e., it will go into a certificate
14590 support for symmetric ciphers and digest implementations - so ENGINEs
14595 API changes worth noting - some RSA, DSA, DH, and RAND functions that
14597 reverted back - the hooking from this code to ENGINE is now a good
14598 deal more passive and at run-time, operations deal directly with
14601 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
14652 * Add support for shared libraries for Unixware-7
14666 makes them more flexible to be built both as statically-linked ENGINEs
14667 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
14668 Also, add stub code to each that makes building them as self-contained
14669 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
14675 self-contained shared-libraries. The "dynamic" ENGINE exposes control
14676 commands that can be used to configure what shared-library to load and
14678 the [README-Engine.md](README-Engine.md) file
14679 that brings its information up-to-date and
14681 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
14710 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
14711 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14716 thread-safety problems that existed, and (b) makes it possible to clean
14842 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
14849 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
14860 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
14861 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
14862 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
14864 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
14865 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
14866 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
14869 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
14871 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
14875 * Added the OS2-EMX target.
14894 * Change all calls to low-level digest routines in the library and
14911 dialog box interfaces, application-defined prompts, the possibility
14918 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
15004 per-structure level rather than having to store it globally.
15016 by ENGINE_by_id() normally, when it is incremented on the pre-existing
15028 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
15030 - executing control commands from command line arguments using the
15031 '-pre' and '-post' switches. '-post' is only used if '-t' is
15033 the individual commands are colon-separated, for example;
15034 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
15040 and input types for run-time discovery by calling applications. A
15043 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
15052 OpenSSL-based application. Commands have been added to all the
15053 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
15054 control over shared-library paths without source code alterations.
15068 should already have non-const pointers to it (ie. they should only
15074 - "atalla" and "ubsec" string definitions were moved from header files
15076 rather than hard-coded - allowing parameterisation of these values
15078 - Removed unused "#if 0"'d code.
15079 - Fixed engine list iteration code so it uses ENGINE_free() to release
15081 - Constified the RAND_METHOD element of ENGINE structures.
15082 - Constified various get/set functions as appropriate and added
15083 missing functions (including a catch-all ENGINE_cpy that duplicates
15085 - Removed NULL parameter checks in get/set functions. Setting a method
15089 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
15091 - Changed prototypes for ENGINE handler functions (init(), finish(),
15092 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
15098 used only if the modulus is odd. On 32-bit systems, it is faster
15099 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
15100 roughly 5-15% for 256-bit moduli), so we use it only for moduli
15101 up to 450 bits. In 64-bit environments, the binary algorithm
15150 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
15166 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
15172 change the def and num file printf format specifier from "%-40sXXX"
15173 to "%-39s XXX". The latter will always guarantee a space after the
15220 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
15227 Add options '-batch' and '-verbose' to 'openssl req'.
15241 OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
15247 OPENSSL_DECLARE_GLOBAL(int,foo);
15284 caused by either OCSP responder or client clock inaccuracy. Instead
15287 checked. Two new options -validity_period and -status_age added to
15321 can be useful for session caching in multiple-server environments. A
15322 command-line switch for testing this (and any client code that wishes
15337 sure e_os2.h will cover all platform-specific cases together with
15339 Additionally, it is now possible to define configuration/platform-
15343 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
15348 * New option -set_serial to 'req' and 'x509' this allows the serial
15375 port and path components: primarily to parse OCSP URLs. New -url
15386 the request is nonce-less.
15392 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
15406 (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
15421 * Add the option -VAfile to 'openssl ocsp', so the user can give the
15493 is initialised to -1 but X509_time_adj() now has to check the value
15539 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
15542 the '-extensions ...' option may be used for specifying the
15555 `openssl ca -status <serial>` prints the status of the cert with
15557 `openssl ca -updatedb` updates the expiry status of certificates
15562 * New '-newreq-nodes' command option to CA.pl. This is like
15563 '-newreq', but calls 'openssl req' with the '-nodes' option
15578 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
15579 value of OPENSSLDIR. This is available via the new '-d' option
15580 to 'openssl version', and is also included in 'openssl version -a'.
15586 (a `const char*` and an int). The basic functionality remains, as
15607 There should no longer be any prototype-casting required when using
15618 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
15627 (select timeout) and read in non-blocking mode. DEVRANDOM now
15632 For VMS, there's a currently-empty rand_vms.c.
15685 it uses the received order. This is necessary to tolerate some broken
15751 problems: As the program is single-threaded, all we have
15760 during TLS/SSL handshakes so that thread-safety is essential.
15762 for multi-threaded use, so it probably should be abolished.
15816 * Fix BN_uadd and BN_usub: Always return non-negative results instead
15821 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
15828 that provide type-safety and avoid function pointer casting for the
15829 type-specific callbacks.
15849 (using the probabilistic Tonelli-Shanks algorithm unless
15853 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
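The entry above adds a modular square root with the probabilistic Tonelli-Shanks algorithm; the same primitive is what point decompression needs (the later entry noting that points are encoded uncompressed by default is the other side of that coin). The following is an added example written for this page, not OpenSSL's BN_mod_sqrt: it uses the deterministic shortcut for p ≡ 3 (mod 4), falls back to Tonelli-Shanks otherwise, and refuses non-residues up front with Euler's criterion instead of looping, which is the failure mode a careless implementation hits on bad input. The P-256 parameters and base point are the published NIST values; the small primes in the tests are chosen for illustration.

```python
def legendre(a, p):
    """Euler's criterion: 1 for a quadratic residue, p-1 for a non-residue, 0 for a ≡ 0 (mod p)."""
    return pow(a, (p - 1) // 2, p)


def mod_sqrt(a, p):
    """Return r with r*r ≡ a (mod p) for prime p, or None when a is not a residue."""
    a %= p
    if p == 2 or a == 0:
        return a
    if legendre(a, p) != 1:
        return None                      # reject up front: Tonelli-Shanks never terminates on a non-residue
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)   # deterministic shortcut, no random search needed
    # write p - 1 = q * 2^s with q odd
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # the probabilistic step: find any quadratic non-residue z (expected two trials)
    z = 2
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # least i with t^(2^i) == 1; i == m cannot happen for prime p and residue a
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i == m:
                return None              # guards composite p rather than spinning forever
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r


# NIST P-256: y^2 = x^3 - 3x + b over GF(p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def decompress_point(x, y_is_odd, p=P256_P, a=P256_A, b=P256_B):
    """Recover (x, y) from a compressed encoding: x plus the parity of y.
    Returns None if x is not the abscissa of any curve point (invalid input, must be rejected)."""
    rhs = (pow(x, 3, p) + a * x + b) % p
    y = mod_sqrt(rhs, p)
    if y is None:
        return None
    if (y & 1) != bool(y_is_odd):
        y = p - y
    return x, y


if __name__ == "__main__":
    print(decompress_point(P256_GX, True) == (P256_GX, P256_GY))
```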
15896 * Change BN_mod_mul so that the result is always non-negative.
15918 These functions always generate non-negative results.
15927 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15929 <!--
15943 -->
15946 unless the '-salt' option is used (which usually means that
15949 or the new '-noverify' option is used.
15952 non-interactive use of 'openssl passwd' (passwords on the command
15953 line, '-stdin' option, '-in ...' option) and thus should not
15970 casts back to non-const were required (to be solved at a later
15992 are built-in in OpenSSL shall ever be used or not. The benefit is
16046 * Rework the filename-translation in the DSO code. It is now possible to
16053 * Support threads on FreeBSD-elf in Configure.
16102 * Fix null-pointer assignment in do_change_cipher_spec() revealed
16103 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
16112 certain ASN.1 tags ([CVE-2003-0851])
16121 invalid tags (CVE-2003-0543 and CVE-2003-0544).
16147 * Countermeasure against the Klima-Pokorny-Rosa extension of
16157 They would be ill-advised to do so in most cases.
16163 an unpredictable seed -- if it is not unpredictable, there
16164 is no point in blinding anyway). Make RSA blinding thread-safe
16165 by remembering the creator's thread ID in rsa->blinding and
16166 having all other threads use local one-time blinding factors
16167 (this requires more computation than sharing rsa->blinding, but
16179 between bad padding and a MAC verification error. ([CVE-2003-0078])
16197 because the session->cipher setting was not restored when reloading
16205 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
16207 *Zeev Lieber <zeev-l@yahoo.com>*
16230 the bitwise-OR of the two for use by the majority of applications
16233 changing anyway, so this is more a bug-fix than a behavioural
16238 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
16255 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
16267 * [In 0.9.6g-engine release:]
16276 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
16310 broken SSL implementations, the new option is part of SSL_OP_ALL.
16312 implementations is desired (e.g. '-bugs' option to 's_client' and
16323 F30602-01-2-0537.
16328 supplied buffer. ([CVE-2002-0659])
16338 too small for 64 bit platforms. ([CVE-2002-0655])
16339 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
16341 * Remote buffer overflow in SSL3 protocol - an attacker could
16342 supply an oversized session ID to a client. ([CVE-2002-0656])
16346 * Remote buffer overflow in SSL2 protocol - an attacker could
16347 supply an oversized client master key. ([CVE-2002-0656])
16354 encoded as NULL) with id-dsa-with-sha1.
16363 an end-of-file condition would erroneously be flagged, when the CRLF
16366 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
16382 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
16385 processing was enabled when in fact s->s3->in_read_app_data was
16398 * Fix DH_generate_parameters() so that it works for 'non-standard'
16405 a generator of the order-q subgroup is just as good, if not
16416 returning non-zero before the data has been completely received
16417 when using non-blocking I/O.
16453 * [In 0.9.6d-engine release:]
16458 * Add the configuration target linux-s390x.
16460 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
16466 invocations of ssl3_accept when using non-blocking I/O, the
16471 To avoid this problem, we now set s->new_session to 2 instead of
16476 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
16490 type, we must throw them away by setting rr->length to 0.
16508 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
16510 Also some ip-pda OIDs in crypto/objects/objects.txt were
16520 * [In 0.9.6c-engine release:]
16525 * [In 0.9.6c-engine release:]
16533 rearranged (all '-L' options must appear before the first object
16538 * [In 0.9.6c-engine release:]
16544 * [In 0.9.6c-engine release:]
16550 * [In 0.9.6c-engine release:]
16561 messages are stored in a single piece (fixed-length part and
16562 variable-length part combined) and fix various bugs found on the way.
16583 never resets s->method to s->ctx->method when called from within
16632 * Add OpenUNIX-8 support including shared libraries
16649 * Rabin-Miller test analyses assume uniformly distributed witnesses,
16661 This function was broken, as the check for a new client hello message
16681 configuration target "alpha-cc-rpath", which will never be selected
16693 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
16714 dh->length and always used
16716 BN_rand_range(priv_key, dh->p).
16718 BN_rand_range() is not necessary for Diffie-Hellman, and this
16719 specific range makes Diffie-Hellman unnecessarily inefficient if
16720 dh->length (recommended exponent length) is much smaller than the
16721 length of dh->p. We could use BN_rand_range() if the order of
16723 dh->length.
16729 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
16747 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
16762 *Albert Chin-A-Young <china@thewrittenword.com>*
16764 * Add configuration option to build on Linux on both big-endian and
16765 little-endian MIPS.
16767 *Ralf Baechle <ralf@uni-koblenz.de>*
16769 * Add the possibility to create shared libraries on HP-UX.
16777 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
16780 'md' followed by enough consecutive 1-byte PRNG requests
16791 Markku-Juhani's attack. (Actually it had never occurred
16793 half from which PRNG output bytes were taken -- I had always
16836 when fixing the server behaviour for backwards-compatible 'client
16840 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
16896 * Change bctest again: '-x' expressions are not available in all
16916 If the SEQUENCE length is indefinite, just set c->slen to the total
16923 * Change bctest to avoid here-documents inside command substitution
16936 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
16938 Computations, J. Cryptology 14 (2001) 2, 101-119,
16961 (but broken) behaviour.
17005 due to incorrect handling of multi-threading:
17013 inband-signalling in the previous code (which relied on the
17018 * Add "-rand" option also to s_client and s_server.
17023 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
17042 to be set and top=0 forces the highest bit to be set; top=-1 is new
17047 * In the `NCONF_...`-based implementations for `CONF_...` queries
17103 * Fix 'openssl passwd -1'.
17114 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
17124 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
17131 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
17156 so that 'make test' does not abort just because 'bc' is broken.
17167 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
17174 Both ssl2_peek and ssl3_peek, which were totally broken in earlier
17175 releases, have been re-implemented by renaming the previous
17186 the method-specific "init()" handler. Also clean up ex_data after
17187 calling the method-specific "finish()" handler. Previously, this was
17206 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
17210 - Make note of the expected extension for the shared libraries and
17215 - Make as few rebuilds of the shared libraries as possible.
17217 - Still avoid linking the OpenSSL programs with the shared libraries.
17219 - When installing, install the shared libraries separately from the
17283 in a record-oriented fashion. That means that every write() will
17294 Currently, it's a VMS-only method, because that's where it has
17302 but it was in 0.9.6-beta[12].)
17328 documentation and run-time libraries. The devel package contains
17337 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17460 In BIO_puts, increment b->num_write as in BIO_write.
17477 used for low-level RSA operations. DER public key
17484 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
17486 * A demo state-machine implementation was sponsored by
17562 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
17584 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
17589 In s23_clnt.c, don't use special rollback-attack detection padding
17655 * New options to smime application. -inform and -outform
17657 PEM and DER. The -content option allows the content to be
17682 - New object identifiers are inserted in objects.txt, following
17684 - objects.pl is used to process obj_mac.num and create a new
17686 - obj_dat.pl is used to create a new obj_dat.h, using the data in
17698 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
17702 * Addition of the command line parameter '-rand file' to 'openssl req'.
17744 an -sgckey command line option to the rsa utility. Thanks to
17746 algorithm to openssl-dev.
17763 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
17794 * The type-safe stack code has been rejigged. It is now only compiled
17796 by default all type-specific stack functions are "#define"d back to
17798 but retains the type-safety checking possibilities of the original
17806 map type-safe stack functions onto their plain stack counterparts.
17846 for CFB and OFB modes they zero ctx->num.
17865 this option is set, tolerate broken clients that send the negotiated
17872 i.e. non-zero for export ciphersuites, zero otherwise.
17890 Added -fingerprint option to crl utility, to support new c_rehash
17895 * Eliminate non-ANSI declarations in crypto.h and stack.h.
17932 * Bugfix for linux-elf makefile.one.
17992 * Add '-tls1' option to 'openssl ciphers', which was already
18000 OpenSSL-based applications) load shared libraries and bind to
18012 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
18013 to '-clrext' (= clear extensions), as intended and documented.
18031 *Ulf Möller, using the problem description in krb4-0.9.7, where
18040 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
18042 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
18047 the 'no-cipher' compilation switches can be tested this way.
18049 ('openssl no-XXX' is not able to detect pseudo-commands such
18050 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
18054 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
18062 to parameters -- in previous versions (since OpenSSL 0.9.3) the
18068 * New s_client option -ign_eof: EOF at stdin is ignored, and
18070 This is part of what -quiet does; unlike -quiet, -ign_eof
18107 * Add '-dsaparam' option to 'openssl dhparam' application. This
18114 by 'openssl dhparam -C'.
18140 * New 'rand' application for creating pseudo-random output.
18154 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
18214 or -rand.
18246 sections with information on -D... compiler switches used for
18248 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
18296 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
18300 * Add -rand argument to smime and pkcs12 applications and read/write
18327 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
18331 * Add support for various broken PKCS#8 formats, and command line
18356 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
18360 * Use a less unusual form of the Miller-Rabin primality test (it used
18361 a binary algorithm for exponentiation integrated into the Miller-Rabin
18383 using 50 iterations of the Rabin-Miller test.
18386 iterations of the Rabin-Miller test as required by the appendix
18387 to FIPS PUB 186[-1]) instead of DSA_is_prime.
18393 for each positive witness in the Rabin-Miller test, not just
18398 function with an 'iteration count' of -1, meaning that a
18400 from an application-provided seed, trial division is skipped).
18405 division before starting the Rabin-Miller test and has
18408 'callback(1, -1, cb_arg)' is called when a number has passed the
18418 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
18426 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
18440 by stat(). RAND_load_file(..., -1) is new and uses the complete file
18457 Rabin-Miller iterations.
18461 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
18483 cipher-strength (using the strength_bits hard coded in the tables).
18486 Fix a bug in the cipher-command parser: when supplying a cipher command
18488 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
18491 Due to the strength-sorting extension, the code of the
18493 the readability was also increased :-)
18495 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
18497 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
18540 * Do more iterations of Rabin-Miller probable prime test (specifically,
18541 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
18544 false-positive rate of at most 2^-80 for random input.
18566 -nomaciter option is used. This improves file security and
18571 * Honor the no-xxx Configure options when creating .DEF files.
18628 $PATH. Just exploiting of the BWX extension results in 20-30%
18858 -fingerprint and -x509toreq options. Also -x509toreq choked if a
18886 Two new options to the verify program: -untrusted allows a set of
18887 untrusted certificates to be passed in and -purpose which sets the
18919 Added a -pubkey option to the 'x509' utility to output the public key.
18958 openssl verify -CAfile ss.pem ss.pem
18966 but an application-provided verification callback (set by
18968 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
18970 ssl->verify_result to the appropriate error code to avoid
18979 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
18983 -S option to allow a salt to be input on the command line.
19013 the string plus current file name and line number to a per-thread
19016 Also updated memory leak detection code to be multi-thread-safe.
19020 * Add options -text and -noout to pkcs7 utility and delete the
19036 * Fix the -revoke option in ca. It was freeing up memory twice,
19061 with non-optimised assembler. Even so, this now gives around 95%
19081 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
19084 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
19091 way in req, ca, and x509 which was rather broken and didn't support
19100 - Assure unique random numbers after fork().
19101 - Make sure that concurrent threads access the global counter and
19115 dsaparam -genkey (which also ignored its '-rand' option),
19124 of each file listed in the '-rand' option. The function as previously
19126 that support '-rand'.
19159 verification. Also added a -purpose flag to x509 utility to
19176 * RC4 tune-up featuring 30-40% performance improvement on most RISC
19181 * New -noout option to asn1parse. This causes no output to be produced
19182 its main use is when combined with -strparse and -out to extract data
19192 * New option -dhparam in s_server. This allows a DH parameter file to be
19199 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
19201 openssl rsa -in key.pem -pubout -out pubkey.pem
19242 working at all :-) A dedicated Windows application might handle this
19259 * Add new -verify -CAfile and -CApath options to the crl program, these
19264 a V2 CRL: this will allow it to tolerate some broken CRLs.
19268 * Initialize all non-automatic variables each time one of the openssl
19269 sub-programs is started (this is necessary as they may be started
19282 * Non-copying interface to BIO pairs.
19317 <madwolf@comune.modena.it>. The new option is called -extensions
19318 and can be applied to ca, req and x509. Also -reqexts to override
19319 the request extensions in req and -crlexts to override the crl extensions
19334 config file. They can be printed out with the -text option to req but
19357 library. Also added low-level modexp hooks and CRYPTO_EX structure and
19377 an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
19403 * -crlf option to s_client and s_server for sending newlines as
19418 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
19427 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
19430 much more efficient (160-bit exponentiation instead of 1024-bit
19446 * Allow the -k option to be used more than once in the enc program:
19473 typedef int pem_password_cb(char *buf, int size, int rwflag);
19475 ....(char *buf, int size, int rwflag, void *userdata);
19493 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
19497 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
19518 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
19525 * New function RSA_check_key and new openssl rsa option -check
19532 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
19564 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
19573 to disable memory-checking temporarily.
19578 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
19582 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
19584 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
19606 * Fix problems with no-hmac etc.
19627 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
19647 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
19658 Whoever hopes to achieve shared-library compatibility across versions
19659 must use this, not the compile-time macro.
19662 Note: All this applies only to multi-threaded programs, others don't
19667 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
19720 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
19730 Changing the behaviour of the former might break existing programs --
19736 fails, it needs to cause bc to give a non-zero result or make test carries
19749 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
19754 * Instead of "mkdir -p", which is not fully portable, use new
19755 Perl script "util/mkdir-p.pl".
19785 * "linux-sparc64" configuration (ultrapenguin).
19788 "linux-sparc" configuration.
19790 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
19792 * config now generates no-xxx options for missing ciphers.
19801 * Support BS2000/OSD-POSIX.
19817 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
19823 * New configuration variant "sco5-gcc".
19846 * SHA library changes for irix64-mips4-cc.
19900 to and from BNs: it was completely broken. New compilation option
19901 NEG_PUBKEY_BUG to allow for some broken certificates that encode public
19914 * New option -out to asn1parse to allow the parsed structure to be
19915 output to a file. This is most useful when combined with the -strparse
19920 * Make SSL library a little more fool-proof by not requiring any longer
19924 intended anyway -- now it really works as intended).
19932 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
19933 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
19934 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
19945 various ways (and thus what used to be known as ctx->default_cert
19946 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
19947 any longer when s->cert does not give us what we need).
19950 we have solved a couple of bugs of the earlier code where s->cert
19960 that holds per-session data (if available); currently, this is
19988 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
19989 without disallowing inline assembler and the like for non-pedantic builds.
20001 * SHA-1 cleanups and performance enhancements.
20009 * Accept any -xxx and +xxx compiler options in Configure.
20024 DER-encoded.)
20029 x509_vfy.c had what can be considered an off-by-one-error:
20057 * New Configure options "threads" and "no-threads". For systems
20068 $(INSTALLTOP)/bin -- they shouldn't clutter directories
20073 * "make linux-shared" to build shared libraries.
20077 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
20095 * New Configure options --prefix=DIR and --openssldir=DIR.
20116 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
20134 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
20212 * Don't auto-generate pem.h.
20216 * Introduce type-safe ASN.1 SETs.
20220 * Convert various additional casted stacks to type-safe STACK_OF() variants.
20224 * Introduce type-safe STACKs. This will almost certainly break lots of code
20232 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
20235 revoking a certificate. The -revoke option does the gory details now.
20239 * Fix `openssl crl -noout -text` combination where `-noout` killed the
20240 `-text` option at all and this way the `-noout -text` combination was
20252 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
20256 `openssl list-cipher-commands` is used.
20294 * New "-showcerts" option for s_client.
20335 * Make sure the RSA OAEP test is skipped under -DRSAref because
20341 so they no longer are missing under -DNOPROTO.
20371 * Make rsa_oaep_test return non-zero on error.
20376 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
20406 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
20418 * DES quad checksum was broken on big-endian architectures. Fixed.
20479 pre-configured entry in Configure's %table under key `<id>` with value
20481 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
20482 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
20483 now, which overrides the FreeBSD-elf entry on-the-fly.
20491 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
20498 * Remarkably, export ciphers were totally broken and no-one had noticed!
20504 questions now is the OpenSSL core team under openssl-core@openssl.org.
20505 And add a paragraph about the dual-license situation to make sure people
20561 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
20572 This means that Apache-SSL and similar packages don't have to mess around
20584 * Get rid of remaining C++-style comments which strict C compilers hate.
20595 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
20597 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
20607 non-public-API function ssl_cert_instantiate() is used as a helper
20612 * Move s_server -dcert and -dkey options out of the undocumented feature
20625 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c
20630 from `int` to `unsigned int` because it is a length and initialized by
20631 EVP_DigestFinal() which expects an `unsigned int *`.
20635 * Don't hard-code path to Perl interpreter on shebang line of Configure
20636 script. Instead use the usual Shell->Perl transition trick.
20640 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
20642 -noout -modulus` as it's already the case for `openssl rsa -noout
20643 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
20645 `openssl dsa -modulus` in the past) which serves a similar purpose.
20646 Additionally the NO_RSA no longer completely removes the whole -modulus
20652 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
20669 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
20670 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
20700 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
20731 *Lars Weber <3weber@informatik.uni-hamburg.de>*
20784 - ported BN stuff to OpenSSL's different BN library
20785 - made the perl/ source tree CVS-aware
20786 - renamed the package from SSLeay to OpenSSL (the files still contain
20788 - removed obsolete files (the test scripts will be replaced
20800 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
20808 what that's for :-) Fix to ASN1 macro which messed up
20835 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
20837 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
20843 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
20872 and add a sample to openssl.cnf so req -x509 now adds appropriate
20891 this allows certain broken certificates that don't set the version
20897 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
20902 * Spelling mistake in C version of CAST-128.
20906 * Changes to the error generation code. The perl script err-code.pl
20913 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
20918 * CAST-128 was incorrectly implemented for short keys. The C version has
20920 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
20922 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
20964 * The function OBJ_txt2nid was broken. It was supposed to return a nid
20999 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
21001 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
21003 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
21027 * BIO_s_socket() had a broken should_retry() on Windoze.
21035 * Make sure the already existing X509_STORE->depth variable is initialized
21067 * Make the top-level INSTALL documentation easier to understand.
21071 * Makefiles updated to exit if an error occurs in a sub-directory
21086 * Enhanced the err-ins.pl script so it makes the error library number
21123 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
21131 ncr-scde
21132 unixware-2.0
21133 unixware-2.0-pentium
21134 sco5-cc.
21147 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
21154 * Some fixups to the top-level documents.
21158 * Fixed the nasty bug where rsaref.h was not found under compile-time
21163 * Incorporated the popular no-RSA/DSA-only patches
21164 which allow compiling an RSA-free SSLeay.
21168 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
21186 * Recompiled the error-definition header files and added
21191 * Cleaned up the top-level documents;
21241 * Add -strparse option to asn1pars program which parses nested
21254 * Added "-genkey" option to "dsaparam" program.
21262 * Added -a (all) option to "ssleay version" command.
21351 <!-- Links -->
21353 [CVE-2025-9232]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9232
21354 [CVE-2025-9231]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9231
21355 [CVE-2025-9230]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-9230
21356 [CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
21357 [CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
21358 [CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
21359 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
21360 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
21361 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
21362 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
21363 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
21364 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
21365 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
21366 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
21367 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
21368 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
21369 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
21370 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
21371 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
21372 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
21373 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
21374 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
21375 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
21376 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
21377 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
21378 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
21379 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
21380 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
21381 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
21382 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
21383 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
21384 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
21385 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
21386 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
21387 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
21388 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
21389 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
21390 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
21391 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
21392 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
21393 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
21394 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
21395 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
21396 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
21397 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
21398 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
21399 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
21400 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
21401 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
21402 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
21403 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
21404 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
21405 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
21406 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
21407 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
21408 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
21409 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
21410 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
21411 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
21412 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
21413 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
21414 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
21415 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
21416 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
21417 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
21418 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
21419 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
21420 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
21421 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
21422 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
21423 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
21424 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
21425 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
21426 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
21427 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
21428 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
21429 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
21430 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
21431 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
21432 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations