Lines Matching +full:trusted +full:- +full:foundations

4 This is a high-level summary of the most important changes.
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
41 ([CVE-2024-6119])
51 ([CVE-2024-5535])
76 ([CVE-2024-4741])
93 ([CVE-2024-4603])
105 * Fixed an issue where some non-default TLS server configurations can cause
110 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
112 anti-replay protection is in use). In this case, under certain conditions,
119 ([CVE-2024-2511])
147 ([CVE-2024-0727])
164 with the "-pubin" and "-check" options on untrusted data.
169 ([CVE-2023-6237])
174 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
187 be various - from no consequences, if the calling application does not
188 depend on the contents of non-volatile XMM registers at all, to the worst
195 ([CVE-2023-6129])
209 ([CVE-2023-5678])
217 that alter the key or IV length ([CVE-2023-5363]).
226 does not save the contents of non-volatile XMM registers on Windows 64
230 x86_64 processors supporting the AVX512-IFMA instructions.
233 be various - from no consequences, if the calling application does not
234 depend on the contents of non-volatile XMM registers at all, to the worst
241 ([CVE-2023-4807])
250 fixing CVE-2023-3446 it was discovered that a large q parameter value can
260 ([CVE-2023-3817])
279 ([CVE-2023-3446])
283 * Do not ignore empty associated data entries with AES-SIV.
285 The AES-SIV algorithm allows for authentication of multiple associated
289 The AES-SIV implementation in OpenSSL just returns success for such call
291 The empty data thus will not be authenticated. ([CVE-2023-2975])
296 applications that use empty associated data entries with AES-SIV.
306 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
309 numeric text form. For gigantic sub-identifiers, this would take a very
311 sub-identifier. ([CVE-2023-2650])
319 most 128 sub-identifiers, and that the maximum value that each sub-
320 identifier may have is 2^32-1 (4294967295 decimal).
322 For each byte of every sub-identifier, only the 7 lower bits are part of
329 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
331 trigger a crash of an application using AES-XTS decryption if the memory
334 ([CVE-2023-1255])
338 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
340 a severe 2-3x performance regression in the typical use case
352 ([CVE-2023-0466])
361 ([CVE-2023-0465])
366 against CVE-2023-0464. The default limit is set to 1000 nodes, which
371 ([CVE-2023-0464])
386 ([CVE-2023-0401])
409 ([CVE-2023-0286])
424 security requirements imposed by standards such as FIPS 140-3.
425 ([CVE-2023-0217])
439 ([CVE-2023-0216])
443 * Fixed Use-after-free following BIO_new_NDEF.
458 then a use-after-free will occur. This will most likely result in a crash.
459 ([CVE-2023-0215])
484 ([CVE-2022-4450])
495 modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
496 ([CVE-2022-4304])
508 ([CVE-2022-4203])
520 ([CVE-2022-3996])
530 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
546 certificate verification despite failure to construct a path to a trusted
557 ([CVE-2022-3786])
560 attacker-controlled bytes on the stack. This buffer overflow could
563 ([CVE-2022-3602])
623 ([CVE-2022-3358])
632 * Fixed the linux-mips64 Configure target which was missing the
647 * Fixed detection of ktls support in cross-compile environment on Linux
683 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
684 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
685 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
708 ([CVE-2022-2274])
712 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
720 ([CVE-2022-2097])
727 CVE-2022-1292, further bugs where the c_rehash script does not
731 When the CVE-2022-1292 was fixed it was not discovered that there
741 (CVE-2022-2068)
752 * Case insensitive string comparison is reimplemented via new locale-agnostic
767 (CVE-2022-1292)
773 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
784 verifying an ocsp response with the "-no_cert_checks" option the command line
789 ([CVE-2022-1343])
793 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
796 An attacker could exploit this issue by performing a man-in-the-middle attack
800 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
804 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
811 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
815 cannot decrypt data that has been encrypted using this ciphersuite - they can
819 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
825 1) OpenSSL must have been compiled with the (non-default) compile time option
826 enable-weak-ssl-ciphers
837 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
839 (CVE-2022-1434)
854 (CVE-2022-1473)
868 for non-prime moduli.
885 - TLS clients consuming server certificates
886 - TLS servers consuming client certificates
887 - Hosting providers taking certificates or private keys from customers
888 - Certificate authorities parsing certification requests from subscribers
889 - Anything else which parses ASN.1 elliptic curve parameters
893 ([CVE-2022-0778])
903 * Made the AES constant time code for no-asm configurations
906 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
944 ([CVE-2021-4044])
1008 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
1009 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1010 SP 800-38D". The communication will fail at this point.
1020 beginning of a PEM-formatted file.
1040 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
1051 `--libdir=lib` to override the libdir if adding the postfix is
1073 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
1078 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
1079 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1080 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
1097 * Client-initiated renegotiation is disabled by default. To allow it, use
1098 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1108 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1109 validated. Please consult the README-FIPS and
1110 README-PROVIDERS files, as well as the migration guide.
1220 RIPEMD-160 have been moved to the legacy provider.
1237 * A number of functions handling low-level keys or engines were deprecated
1248 - NID_pbeWithMD2AndDES_CBC
1249 - NID_pbeWithMD5AndDES_CBC
1250 - NID_pbeWithSHA1AndRC2_CBC
1251 - NID_pbeWithMD2AndRC2_CBC
1252 - NID_pbeWithMD5AndRC2_CBC
1253 - NID_pbeWithSHA1AndDES_CBC
1276 algorithms. This is enabled by including the no-cached-fetch option
1281 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1286 * The openssl speed command does not use low-level API calls anymore.
1290 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1295 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1316 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1334 * The default key generation method for the regular 2-prime RSA keys was
1335 changed to the FIPS 186-4 B.3.6 method.
1365 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1376 * The `-cipher-commands` and `-digest-commands` options
1378 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1383 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1403 * The `-crypt` option to the `passwd` command line tool has been removed.
1407 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1432 * Added new option for 'openssl list', '-providers', which will display the
1463 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1465 TLS-based contexts. The commands can be repeated to set bounds of both
1467 "max_protocol" command-line switches, in case some application uses both TLS
1473 error. Now only the "version-flexible" SSL_CTX instances are subject to
1474 limits in configuration files in command-line options.
1493 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1494 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1512 a non-default `OSSL_LIB_CTX`.
1543 * Add CAdES-BES signature verification support, mostly derived
1548 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1552 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1625 [ATX headings]: https://github.github.com/gfm/#atx-headings
1626 [setext headings]: https://github.github.com/gfm/#setext-headings
1627 [inline links]: https://github.github.com/gfm/#inline-link
1628 [reference links]: https://github.github.com/gfm/#reference-link
1629 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1630 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1635 A new directory test-runs/ with subdirectories named like the
1642 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1649 user-defined BIOs (allowing implicit connections), persistent connections,
1651 The legacy OCSP-focused (and only partly documented) API
1656 * Added `util/check-format.pl`, a tool for checking adherence to the
1731 - Common options (such as -rand/-writerand, TLS version control, etc)
1732 were refactored and point to newly-enhanced descriptions in openssl.pod.
1733 - Added style conformance for all options (with help from Richard Levitte),
1737 - Documented some internals, such as all use of environment variables.
1738 - Addressed all internal broken L<> references.
1746 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1787 used in exponentiation with 512-bit moduli. No EC algorithms are
1788 affected. Analysis suggests that attacks against 2-prime RSA1024,
1789 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1792 have to re-use the DH512 private key, which is not recommended anyway.
1793 Also applications directly using the low-level API BN_mod_exp may be
1795 ([CVE-2019-1551])
1799 * Most memory-debug features have been deprecated, and the functionality
1800 replaced with no-ops.
1841 * Change the interpretation of the '--api' configuration option to
1845 the given version, now requires that 'no-deprecated' is also used
1851 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1859 -DOPENSSL_API_COMPAT=30000 For 3.0
1860 -DOPENSSL_API_COMPAT=30200 For 3.2
1863 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1874 - X509_LOOKUP_store()
1875 - X509_STORE_load_file()
1876 - X509_STORE_load_path()
1877 - X509_STORE_load_store()
1878 - SSL_add_store_cert_subjects_to_stack()
1879 - SSL_CTX_set_default_verify_store()
1880 - SSL_CTX_load_verify_file()
1881 - SSL_CTX_load_verify_dir()
1882 - SSL_CTX_load_verify_store()
1887 The presence of this system service is determined at run-time.
1896 of applications written for pre-3.0 OpenSSL easier.
1918 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1956 * Added the `-copy_extensions` option to the `x509` command for use with
1957 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1962 * Added the `-copy_extensions` option to the `req` command for use with
1963 `-x509`. When given with the `copy` or `copyall` argument,
1971 and for not self-signed certs there is an authorityKeyIdentifier extension
1980 (which may be done by using the CLI option `-x509_strict`):
1992 unless they are self-signed.
2002 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2018 ([CVE-2019-1547])
2032 The old behaviour can be re-enabled in the CMS code by setting the
2047 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
2050 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2052 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2058 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2102 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2151 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2160 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2161 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2162 for Windows Store apps easier. Also, the "no-uplink" option has been added.
2178 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2193 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2194 mandated by IEEE Std 1619-2018.
2225 'enable-buildtest-c++'.
2260 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
2273 * Fix a bug in the computation of the endpoint-pair shared secret used
2281 re-used X509_PUBKEY object if the second PUBKEY is malformed.
2295 - Major releases (indicated by incrementing the MAJOR release number)
2297 - Minor releases (indicated by incrementing the MINOR release number)
2299 - Patch releases (indicated by incrementing the PATCH number)
2306 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2316 * Recreate the OS390-Unix config target. It no longer relies on a
2317 special script like it did for OpenSSL pre-1.1.0.
2322 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2352 * AES-XTS mode now enforces that its two keys are different to mitigate
2366 * Added new option for 'openssl list', '-objects', which will display the
2371 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2377 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2379 applications with zero-copy system calls such as sendfile and splice.
2411 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2418 -------------
2446 again, but this time passing a non-NULL value for the "out" parameter.
2461 ([CVE-2021-3711])
2505 ([CVE-2021-3712])
2522 that non-CA certificates must not be able to issue other certificates.
2536 ([CVE-2021-3450])
2550 ([CVE-2021-3449])
2563 ([CVE-2021-23841])
2570 CVE-2021-23839.
2580 ([CVE-2021-23840])
2607 ([CVE-2020-1971])
2619 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2621 TLS-based contexts. The commands can be repeated to set bounds of both
2623 "max_protocol" command-line switches, in case some application uses both TLS
2629 error. Now only the "version-flexible" SSL_CTX instances are subject to
2630 limits in configuration files in command-line options.
2650 ([CVE-2020-1967])
2654 * Added AES consttime code for no-asm configurations
2656 when building openssl for no-asm.
2657 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2658 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2674 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2677 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2679 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2723 The presence of this system service is determined at run-time.
2746 ([CVE-2019-1549])
2750 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2766 ([CVE-2019-1547])
2780 The old behaviour can be re-enabled in the CMS code by setting the
2782 ([CVE-2019-1563])
2797 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2808 ([CVE-2019-1552])
2844 'enable-buildtest-c++'.
2848 * Enable SHA3 pre-hashing for ECDSA and DSA.
2861 util/fix-doc-nits accordingly.
2882 * Prevent over long nonces in ChaCha20-Poly1305.
2884 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2905 applications that use this cipher directly and set a non-default nonce
2910 ([CVE-2019-1543])
2930 * Change the info callback signals for the start and end of a post-handshake
2951 ([CVE-2018-0734])
2962 ([CVE-2018-0735])
2990 * s390x assembly pack: add (improved) hardware-support for the following
2991 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
2992 aes-cfb/cfb8, aes-ecb.
3004 differential addition-and-doubling in homogeneous projective coordinates
3005 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3006 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
3007 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
3014 For larger primes this will result in more rounds of Miller-Rabin.
3016 to 2^-128.
3020 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3032 length-invariant. Switch even to fixed-length Montgomery multiplication.
3038 differential addition-and-doubling in mixed Lopez-Dahab projective
3047 differential addition-and-doubling algorithms.
3059 * Numerous side-channel attack mitigations have been applied. This may have
3069 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
3071 multi-version installation is managed.
3079 EC cryptosystem implementations are then safer-by-default.
3103 Many applications do not properly handle non-application data records, and
3162 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3216 in responder mode now supports the new "-multi" option, which
3218 requests. The "-timeout" option now also limits the OCSP
3223 as a long-running service, making the OpenSSL CA somewhat more
3224 feature-complete. In this mode, most diagnostic messages logged
3251 The default RAND method now utilizes an AES-CTR DRBG according to
3252 NIST standard SP 800-90Ar1. The new random generator is essentially
3255 using an AES-CTR bit stream and which seeds and reseeds itself
3256 automatically using trusted system entropy sources.
3259 - Support for multiple DRBG instances with seed chaining.
3260 - The default RAND method makes use of a DRBG.
3261 - There is a public and private DRBG instance.
3262 - The DRBG instances are fork-safe.
3263 - Keep all global DRBG instances on the secure heap if it is enabled.
3264 - The public and private DRBG instance are per thread for lock free
3300 * Add multi-prime RSA (RFC 8017) support.
3304 * Add SM3 implemented according to GB/T 32905-2016
3315 * Add SM4 implemented according to GB/T 32907-2016.
3320 * Reimplement -newreq-nodes and ERR_error_string_n; the
3354 To disable, configure with 'no-ui-console'. 'no-ui' is still
3371 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3373 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3407 * Ignore the '-named_curve auto' value for compatibility of applications
3413 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3431 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3440 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3458 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3462 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3479 default unless the new "-noservername" option is used. The server name is
3480 based on the host provided to the "-connect" option unless overridden by
3481 using "-servername".
3498 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3516 -------------
3520 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3536 ([CVE-2019-1547])
3550 The old behaviour can be re-enabled in the CMS code by setting the
3552 ([CVE-2019-1563])
3560 ([CVE-2019-1552])
3573 * Prevent over long nonces in ChaCha20-Poly1305.
3575 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3596 applications that use this cipher directly and set a non-default nonce
3601 ([CVE-2019-1543])
3613 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3636 ([CVE-2018-0734])
3647 ([CVE-2018-0735])
3668 ([CVE-2018-0732])
3681 ([CVE-2018-0737])
3692 length-invariant. Switch even to fixed-length Montgomery multiplication.
3698 For larger primes this will result in more rounds of Miller-Rabin.
3700 to 2^-128.
3704 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3731 some characters, such as form-feed, were incorrectly treated as whitespace
3737 and use the "-binary" flag (for the "cms" command line application) or set
3752 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3754 ([CVE-2018-0739])
3758 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3760 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3765 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3769 ([CVE-2018-0733])
3785 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3794 * Removed the OS390-Unix config target. It relied on a script that doesn't
3802 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3810 no longer an option since CVE-2016-0701.
3816 was originally found via the OSS-Fuzz project.
3817 ([CVE-2017-3738])
3840 This issue was reported to OpenSSL by the OSS-Fuzz project.
3841 ([CVE-2017-3736])
3848 OpenSSL could do a one-byte buffer overread. The most likely result
3851 This issue was reported to OpenSSL by the OSS-Fuzz project.
3852 ([CVE-2017-3735])
3858 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3863 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3871 * Encrypt-Then-Mac renegotiation crash
3873 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3874 negotiated where it was not in the original handshake (or vice-versa) then
3879 ([CVE-2017-3733])
3887 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3889 perform an out-of-bounds read, usually resulting in a crash.
3892 ([CVE-2017-3731])
3904 ([CVE-2017-3730])
3922 similar to CVE-2015-3193 but must be treated as a separate problem.
3924 This issue was reported to OpenSSL by the OSS-Fuzz project.
3925 ([CVE-2017-3732])
3931 * ChaCha20/Poly1305 heap-buffer-overflow
3933 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3938 ([CVE-2016-7054])
3952 ([CVE-2016-7053])
3958 There is a carry propagating bug in the Broadwell-specific Montgomery
3965 erroneous outcome of public-key operations with specially crafted input.
3966 Among EC algorithms only Brainpool P-512 curves are affected and one
3968 detail, because pre-requisites for attack are considered unlikely. Namely
3976 ([CVE-2016-7055])
3989 The patch applied to address CVE-2016-6307 resulted in an issue where if a
3999 ([CVE-2016-6309])
4013 the "no-ocsp" build time option are not affected.
4016 ([CVE-2016-6304])
4027 ([CVE-2016-6305])
4065 memory - which would then mean a more serious Denial of Service.
4068 (CVE-2016-6307 and CVE-2016-6308)
4072 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
4074 assemble our modules with -KPIC flag. As a result, assembly
4076 lack of side-channel resistant code, which is incompatible with
4084 * Windows command-line tool supports UTF-8 opt-in option for arguments
4087 with Windows CryptoAPI and protected with non-ASCII password, as well
4088 as files generated under UTF-8 locale on Linux also protected with
4089 non-ASCII password.
4093 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
4095 See the RC4 item below to re-enable both.
4115 no-ops and deprecated.
4120 calling CryptGenRandom(). Various other RAND-related tickets
4169 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4175 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4188 the "no-shared" Configure option.
4192 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4198 * Make various cleanup routines no-ops and mark them as deprecated. Most
4200 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4201 Explicitly de-initing can cause problems (e.g. where a library that uses
4202 OpenSSL de-inits, but an application is still using it). The affected
4210 * --strict-warnings no longer enables runtime debugging options
4212 enabled with '--debug' builds.
4240 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4253 * Removed the aged BC-32 config and all its supporting scripts
4271 encryptions/decryptions simultaneously. There are currently no built-in
4281 AES128-CBC. The kernel must be version 4.1.0 or greater.
4286 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4288 also possible to configure OpenSSL at compile time for "no-threads". The
4290 replaced with "no-op" compatibility macros.
4299 * Add SSL_CIPHER queries for authentication and key-exchange.
4304 - Prefer (EC)DHE handshakes over plain RSA.
4305 - Prefer AEAD ciphers over legacy ciphers.
4306 - Prefer ECDSA over RSA when both certificates are available.
4307 - Prefer TLSv1.2 ciphers/PRF.
4308 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4319 disabled by default. They can be re-enabled using the
4320 enable-weak-ssl-ciphers option to Configure.
4334 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4337 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4344 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4364 the configuration option "disable-dynamic-engine".
4369 with "disable-dso" or "disable-pic".
4384 If this isn't desirable, the configuration options "disable-pic"
4385 or "no-pic" can be used to disable the use of PIC. This will
4396 is for. Also, the configuration option --install_prefix is
4402 for DTLS; configure with enable-heartbeats. Code that uses the
4423 template in Configurations, like unix-Makefile.tmpl or
4436 * Added support for auto-initialisation and de-initialisation of the library.
4458 the leading 0-byte.
4470 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4477 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4510 --prefix and --openssldir change their semantics, and become more
4513 --prefix shall be used exclusively to give the location INSTALLTOP
4517 --openssldir shall be used exclusively to give the default
4522 values of both the --prefix value and the --openssldir value will
4524 The default for --openssldir is INSTALLTOP/ssl.
4526 Anyone who uses --openssldir to specify where OpenSSL is to be
4527 installed MUST change to use --prefix instead.
4539 * EGD is no longer supported by default; use enable-egd when
4563 example, be used to implement local end-entity certificate or
4564 trust-anchor "pinning", where the "pin" data takes the form
4573 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4579 should be used with the --api=1.1.0 option to entirely remove
4582 Essentially the same effect can be achieved with the "no-deprecated"
4588 they should update their compile-time OPENSSL_API_COMPAT define
4654 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4667 "-no_ecdhe" option has been removed from s_server.
4693 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4728 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4746 * Fix no-stdio build.
4765 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4819 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4837 code and the associated standard is no longer considered fit-for-purpose.
4864 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4877 Access to deprecated functions can be re-enabled by running config with
4878 "enable-deprecated". In addition applications wishing to use deprecated
4887 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4888 for OCB can be removed by calling config with no-ocb.
4898 done while fixing the error code for the key-too-small case.
4900 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4921 16-bit platforms such as WIN16
4926 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4927 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4928 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4929 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4930 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4931 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4935 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4946 NULL. Remove the non-null checks from callers. Save much code.
4966 * Harmonize version and its documentation. -f flag is used to display
4986 preparing the fix ([CVE-2014-0160])
4991 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
4996 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
5005 * Experimental encrypt-then-mac support.
5008 draft-gutmann-tls-encrypt-then-mac-02.txt
5011 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
5013 For non-compliant peers (i.e. just about everything) this should have no
5027 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5067 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
5091 FIPS 186-3 A.2.3.
5093 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
5119 information in FIPS186-3, SP800-57 and SP800-131A.
5155 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5159 * Extensive self tests and health checking required by SP800-90 DRBG.
5174 leading zeroes if needed: this complies with SP800-56A et al.
5178 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5196 * Add selftest checks and algorithm block of non-fips algorithms in
5207 * New build option no-ec2m to disable characteristic 2 code.
5222 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5248 * Improve forward-security support: add functions
5269 * New -verify_name option in command line utilities to set verification
5279 * Experimental renegotiation in s_server -www mode. If the client
5287 multi-process servers.
5306 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5313 -------------
5317 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5333 ([CVE-2019-1547])
5347 The old behaviour can be re-enabled in the CMS code by setting the
5349 ([CVE-2019-1563])
5356 binaries and run-time config file.
5357 ([CVE-2019-1552])
5370 * Add FIPS support for Android Arm 64-bit
5372 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5374 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
5375 built with FIPS support on Android Arm 64-bit. This omission has been
5382 * 0-byte record padding oracle
5392 In order for this to be exploitable "non-stitched" ciphersuites must be in
5401 ([CVE-2019-1559])
5421 ([CVE-2018-5407])
5432 ([CVE-2018-0734])
5453 ([CVE-2018-0732])
5466 ([CVE-2018-0737])
5477 length-invariant. Switch even to fixed-length Montgomery multiplication.
5483 For larger primes this will result in more rounds of Miller-Rabin.
5485 to 2^-128.
5489 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5519 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5521 ([CVE-2018-0739])
5546 ([CVE-2017-3737])
5553 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5561 no longer an option since CVE-2016-0701.
5567 was originally found via the OSS-Fuzz project.
5568 ([CVE-2017-3738])
5591 This issue was reported to OpenSSL by the OSS-Fuzz project.
5592 ([CVE-2017-3736])
5599 OpenSSL could do a one-byte buffer overread. The most likely result
5602 This issue was reported to OpenSSL by the OSS-Fuzz project.
5608 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5617 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5619 perform an out-of-bounds read, usually resulting in a crash.
5622 ([CVE-2017-3731])
5640 similar to CVE-2015-3193 but must be treated as a separate problem.
5642 This issue was reported to OpenSSL by the OSS-Fuzz project.
5643 ([CVE-2017-3732])
5649 There is a carry propagating bug in the Broadwell-specific Montgomery
5656 erroneous outcome of public-key operations with specially crafted input.
5657 Among EC algorithms only Brainpool P-512 curves are affected and one
5659 detail, because pre-requisites for attack are considered unlikely. Namely
5667 ([CVE-2016-7055])
5687 ([CVE-2016-7052])
5701 the "no-ocsp" build time option are not affected.
5704 ([CVE-2016-6304])
5713 ([CVE-2016-2183])
5729 ([CVE-2016-6303])
5743 ([CVE-2016-6302])
5756 ([CVE-2016-2182])
5768 ([CVE-2016-2180])
5794 ([CVE-2016-2177])
5802 implementation means that a non-constant time codepath is followed for
5803 certain operations. This has been demonstrated through a cache-timing
5809 ([CVE-2016-2178])
5815 In a DTLS connection where handshake messages are delivered out-of-order
5827 ([CVE-2016-2179])
5842 ([CVE-2016-2181])
5858 ([CVE-2016-6306])
5864 * Prevent padding oracle in AES-NI CBC MAC check
5868 AES-NI.
5871 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5877 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5896 ([CVE-2016-2105])
5920 ([CVE-2016-2106])
5936 ([CVE-2016-2109])
5947 ([CVE-2016-2176])
5961 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
5969 Builds that are not configured with "enable-weak-ssl-ciphers" will not
5975 is by default disabled at build-time. Builds that are not configured with
5976 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
5977 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
5985 explicitly uses the version-specific SSLv2_method() or its client and
5987 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
5988 ciphers, and SSLv2 56-bit DES are no longer available.
5989 ([CVE-2016-0800])
5993 * Fix a double-free in DSA code
6002 ([CVE-2016-0705])
6022 ([CVE-2016-0798])
6047 ([CVE-2016-0797])
6068 functions when printing out human-readable dumps of ASN.1 data. Therefore
6079 ([CVE-2016-0799])
6085 A side-channel attack was found which makes use of cache-bank conflicts on
6086 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6089 hyper-threaded core as the victim thread which is performing decryptions.
6095 ([CVE-2016-0702])
6099 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6136 ([CVE-2016-0701])
6149 ([CVE-2015-3197])
6171 ([CVE-2015-3193])
6187 ([CVE-2015-3194])
6200 ([CVE-2015-3195])
6253 This issue was reported to OpenSSL by Joseph Barr-Pixton.
6254 ([CVE-2015-1788])
6258 * Exploitable out-of-bounds read in X509_cmp_time
6274 ([CVE-2015-1789])
6281 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6289 ([CVE-2015-1790])
6300 ([CVE-2015-1792])
6306 If a NewSessionTicket is received by a multi-threaded client when attempting to
6309 ([CVE-2015-1791])
6313 * Only support 256-bit or stronger elliptic curves with the
6315 curves, prefer P-256 (both).
6329 ([CVE-2015-0291])
6339 using non-blocking IO. Typically, when the user application is using a
6345 ([CVE-2015-0290])
6362 ([CVE-2015-0207])
6374 ([CVE-2015-0286])
6389 ([CVE-2015-0208])
6403 ([CVE-2015-0287])
6410 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6418 ([CVE-2015-0289])
6426 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6430 ([CVE-2015-0293])
6439 ([CVE-2015-1787])
6447 - The client is on a platform where the PRNG has not been seeded
6449 - A protocol specific client method version has been used (i.e. not
6451 - A ciphersuite is used that does not require additional random data from
6452 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6461 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6462 ([CVE-2015-0285])
6477 ([CVE-2015-0209])
6487 ([CVE-2015-0288])
6502 near-optimal performance even on newer platforms.
6506 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6518 bogus results, with non-infinity inputs mapped to infinity too.)
6529 * Add support for little-endian ppc64 Linux target.
6536 Both 32- and 64-bit modes are supported.
6557 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6597 * Add -rev test option to s_server to just reverse order of characters
6603 * New option -brief for s_client and s_server to print out a brief summary
6612 * New option -crl_download in several openssl utilities to download CRLs
6617 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6653 "enable-ssl-trace". New options to s_client and s_server to enable
6795 * Initial experimental support for explicitly trusted non-root CAs.
6798 setting is used: whether to trust (e.g., -addtrust option to the x509
6803 * Add -trusted_first option which attempts to find certificates in the
6804 trusted store even if an untrusted chain is also supplied.
6813 * Support for linux-x32, ILP32 environment in x86_64 framework.
6817 * Experimental multi-implementation support for FIPS capable OpenSSL.
6863 between NIDs and the more common NIST names such as "P-256". Enhance
6883 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6885 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6890 -------------
6902 the "no-ocsp" build time option are not affected.
6905 ([CVE-2016-6304])
6914 ([CVE-2016-2183])
6930 ([CVE-2016-6303])
6944 ([CVE-2016-6302])
6957 ([CVE-2016-2182])
6969 ([CVE-2016-2180])
6995 ([CVE-2016-2177])
7003 implementation means that a non-constant time codepath is followed for
7004 certain operations. This has been demonstrated through a cache-timing
7010 ([CVE-2016-2178])
7016 In a DTLS connection where handshake messages are delivered out-of-order
7028 ([CVE-2016-2179])
7043 ([CVE-2016-2181])
7059 ([CVE-2016-6306])
7065 * Prevent padding oracle in AES-NI CBC MAC check
7069 AES-NI.
7072 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7078 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7079 ([CVE-2016-2107])
7098 ([CVE-2016-2105])
7122 ([CVE-2016-2106])
7138 ([CVE-2016-2109])
7149 ([CVE-2016-2176])
7163 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7171 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7177 is by default disabled at build-time. Builds that are not configured with
7178 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7179 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7187 explicitly uses the version-specific SSLv2_method() or its client and
7189 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7190 ciphers, and SSLv2 56-bit DES are no longer available.
7191 ([CVE-2016-0800])
7195 * Fix a double-free in DSA code
7204 ([CVE-2016-0705])
7224 ([CVE-2016-0798])
7249 ([CVE-2016-0797])
7270 functions when printing out human-readable dumps of ASN.1 data. Therefore
7281 ([CVE-2016-0799])
7287 A side-channel attack was found which makes use of cache-bank conflicts on
7288 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7291 hyper-threaded core as the victim thread which is performing decryptions.
7297 ([CVE-2016-0702])
7301 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7327 ([CVE-2015-3197])
7349 ([CVE-2015-3194])
7362 ([CVE-2015-3195])
7391 ([CVE-2015-1793])
7397 If PSK identity hints are received by a multi-threaded client then
7401 ([CVE-2015-3196])
7424 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7425 ([CVE-2015-1788])
7429 * Exploitable out-of-bounds read in X509_cmp_time
7445 ([CVE-2015-1789])
7452 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7460 ([CVE-2015-1790])
7471 ([CVE-2015-1792])
7477 If a NewSessionTicket is received by a multi-threaded client when attempting to
7480 ([CVE-2015-1791])
7488 * dhparam: generate 2048-bit parameters by default.
7502 ([CVE-2015-0286])
7516 ([CVE-2015-0287])
7523 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7531 ([CVE-2015-0289])
7539 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7543 ([CVE-2015-0293])
7558 ([CVE-2015-0209])
7568 ([CVE-2015-0288])
7588 ([CVE-2014-3571])
7598 ([CVE-2015-0206])
7602 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7603 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7606 ([CVE-2014-3569])
7615 ([CVE-2014-3572])
7619 * Remove non-export ephemeral RSA code on client and server. This code
7621 non-export ciphersuites and could be used by a server to effectively
7625 ([CVE-2015-0204])
7637 ([CVE-2015-0205])
7651 By using non-DER or invalid encodings outside the signed portion of a
7672 Re-encode DSA/ECDSA signatures and compare with the original received
7683 ([CVE-2014-8275])
7695 ([CVE-2014-3570])
7712 * Tighten client-side session ticket handling during renegotiation:
7737 ([CVE-2014-3513])
7749 ([CVE-2014-3567])
7753 * Build option no-ssl3 is incomplete.
7755 When OpenSSL is configured with "no-ssl3" as a build option, servers
7758 ([CVE-2014-3568])
7765 ([CVE-2014-3566])
7771 Re-encode DigestInto in DER and check against the original when
7787 ([CVE-2014-3512])
7793 is badly fragmented. This allows a man-in-the-middle attacker to force a
7799 ([CVE-2014-3511])
7810 ([CVE-2014-3510])
7817 ([CVE-2014-3507])
7825 ([CVE-2014-3506])
7832 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7834 ([CVE-2014-3505])
7844 ([CVE-2014-3509])
7855 ([CVE-2014-5139])
7865 ([CVE-2014-3508])
7871 bogus results, with non-infinity inputs mapped to infinity too.)
7882 researching this issue. ([CVE-2014-0224])
7890 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7891 ([CVE-2014-0221])
7900 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7908 this issue. ([CVE-2014-3470])
7912 * Harmonize version and its documentation. -f flag is used to display
7934 preparing the fix ([CVE-2014-0160])
7939 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7944 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7948 * TLS pad extension: draft-agl-tls-padding-03
7962 ([CVE-2013-4353])
7966 to be resent. ([CVE-2013-6450])
7971 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
7973 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
7981 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7998 ([CVE-2013-0169])
8007 ([CVE-2012-2686])
8012 This fixes a DoS attack. ([CVE-2013-0166])
8041 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8043 ([CVE-2012-2333])
8090 ([CVE-2012-2110])
8094 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
8106 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8142 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8146 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8154 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
8155 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
8156 - x86_64: bit-sliced AES implementation;
8157 - ARM: NEON support, contemporary platforms optimizations;
8158 - s390x: z196 support;
8159 - `*`: GHASH and GF(2^m) multiplication implementations;
8163 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8172 * Add DTLS-SRTP negotiation from RFC 5764.
8177 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8178 disabled with a no-npn flag to config or Configure. Code donated
8183 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8184 NIST-P256, NIST-P521, with constant-time single point multiplication on
8186 required to use this (present in gcc 4.4 and later, for 64-bit builds).
8189 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8209 * New -sigopt option to the ca, req and x509 utilities. Additional
8222 New function ASN1_item_sign_ctx() signs a pre-initialised
8261 * Session-handling fixes:
8262 - Fix handling of connections that are resuming with a session ID,
8264 - Fix a bug that suppressed issuing of a new ticket if the client
8266 - Try to set the ticket lifetime hint to something reasonable.
8267 - Make tickets shorter by excluding irrelevant information.
8268 - On the client side, don't ignore renewed tickets.
8276 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8304 switch between FIPS and non-FIPS modes.
8310 keep original code iff non-FIPS operations are allowed.
8314 * Add -attime option to openssl utilities.
8327 * New build option no-ec2m to disable characteristic 2 code.
8331 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8341 * Add similar low-level API blocking to ciphers.
8345 * low-level digest APIs are not approved in FIPS mode: any attempt
8374 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8433 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8443 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8457 -------------
8470 ([CVE-2015-3195])
8476 If PSK identity hints are received by a multi-threaded client then
8480 ([CVE-2015-3196])
8497 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8498 ([CVE-2015-1788])
8502 * Exploitable out-of-bounds read in X509_cmp_time
8518 ([CVE-2015-1789])
8525 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8533 ([CVE-2015-1790])
8544 ([CVE-2015-1792])
8550 If a NewSessionTicket is received by a multi-threaded client when attempting to
8553 ([CVE-2015-1791])
8567 ([CVE-2015-0286])
8581 ([CVE-2015-0287])
8588 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8596 ([CVE-2015-0289])
8604 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8608 ([CVE-2015-0293])
8623 ([CVE-2015-0209])
8633 ([CVE-2015-0288])
8653 ([CVE-2014-3571])
8663 ([CVE-2015-0206])
8667 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8668 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8671 ([CVE-2014-3569])
8680 ([CVE-2014-3572])
8684 * Remove non-export ephemeral RSA code on client and server. This code
8686 non-export ciphersuites and could be used by a server to effectively
8690 ([CVE-2015-0204])
8702 ([CVE-2015-0205])
8714 ([CVE-2014-3570])
8720 By using non-DER or invalid encodings outside the signed portion of a
8752 ([CVE-2014-8275])
8766 ([CVE-2014-3567])
8770 * Build option no-ssl3 is incomplete.
8772 When OpenSSL is configured with "no-ssl3" as a build option, servers
8775 ([CVE-2014-3568])
8782 ([CVE-2014-3566])
8805 ([CVE-2014-3510])
8812 ([CVE-2014-3507])
8820 ([CVE-2014-3506])
8827 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8829 ([CVE-2014-3505])
8839 ([CVE-2014-3509])
8849 ([CVE-2014-3508])
8855 bogus results, with non-infinity inputs mapped to infinity too.)
8866 researching this issue. ([CVE-2014-0224])
8874 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8875 ([CVE-2014-0221])
8884 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8892 this issue. ([CVE-2014-3470])
8896 * Harmonize version and its documentation. -f flag is used to display
8911 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8916 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8924 to be resent. ([CVE-2013-6450])
8929 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8931 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8949 ([CVE-2013-0169])
8954 This fixes a DoS attack. ([CVE-2013-0166])
8978 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8980 ([CVE-2012-2333])
8997 ([CVE-2012-2110])
9007 old behaviour can be re-enabled in the CMS code by setting the
9011 this issue. ([CVE-2012-0884])
9015 * Fix CVE-2011-4619: make sure we really are receiving a
9023 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
9026 preparing a fix. ([CVE-2012-0050])
9042 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
9043 for preparing the fix. ([CVE-2011-4108])
9048 ([CVE-2011-4576])
9054 Adam Langley for preparing the fix. ([CVE-2011-4619])
9058 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
9064 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
9072 * Fix ssl_ciph.c set-up race.
9096 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
9103 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9108 for multi-threaded use of ECDH. ([CVE-2011-3210])
9130 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9144 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9148 * Fixed J-PAKE implementation error, originally discovered by
9150 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9158 be shared by multiple threads. CVE-2010-3864
9170 ([CVE-2010-1633])
9172 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9186 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9241 *Michael Tuexen <tuexen@fh-muenster.de>*
9280 openssl dgst -sha256 foo
9313 * Add session ticket override functionality for use by EAP-FAST.
9322 * Type-checked OBJ_bsearch_ex.
9326 * Type-checked OBJ_bsearch. Also some constification necessitated
9327 by type-checking. Still to come: TXT_DB, bsearch(?),
9406 * To cater for systems that provide a pointer-based thread ID rather
9413 as a pointer-based thread ID to distinguish between threads.
9426 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9448 * Revamp of STACK to provide stronger type-checking. Still to come:
9459 * Revamp of LHASH to provide stronger type-checking. Still to come:
9478 files from Configure script, currently only included in VC-WIN32.
9499 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9505 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9516 an internal copy of the length-'len' string at 'src', and will
9517 return non-zero for success.
9535 has to return non-zero to report success: usually 1 to use opaque
9595 * Add option -stream to use PKCS#7 streaming in smime utility. New
9604 ENGINE support for HMAC keys which are unextractable. New -mac and
9605 -macopt options to dgst utility.
9609 * New option -sigopt to dgst utility. Update dgst to use
9618 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9626 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9654 away into the non-exported interface ssl/ssl_locl.h, so this
9672 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9683 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9706 -verify_return_error to s_client and s_server. This causes real errors
9749 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9775 list-message-digest-algorithms and list-cipher-algorithms.
9780 of degrees of non-zero coefficients is now terminated with -1.
9806 kECDHr - ECDH cert, signed with RSA
9807 kECDHe - ECDH cert, signed with ECDSA
9808 kECDH - ECDH cert (signed with either RSA or ECDSA)
9809 kEECDH - ephemeral ECDH
9810 ECDH - ECDH cert or ephemeral ECDH
9812 aECDH - ECDH cert
9813 aECDSA - ECDSA cert
9814 ECDSA - ECDSA cert
9816 AECDH - anonymous ECDH
9817 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
9843 * New -resign option to smime utility. This adds one or more signers
9844 to an existing PKCS#7 signedData structure. Also -md option to use an
9855 * New -macalg option to pkcs12 utility to allow setting of an alternative
9958 "list-public-key-algorithms" to print out info.
9963 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9986 De-spaghettify the public key ASN1 handling. Move public and private
9995 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10004 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
10005 PSK-AES256-CBC-SHA
10037 - SSL_CTX_set_tlsext_servername_callback()
10039 - SSL_CTX_set_tlsext_servername_arg()
10040 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10042 openssl s_client has a new '-servername ...' option.
10044 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10045 '-key2 ...', '-servername_fatal' (subject to change). This allows
10046 testing the HostName extension for a specific single host name ('-cert'
10047 and '-key' remain fallbacks for handshakes without HostName
10049 default is a warning; it becomes fatal with the '-servername_fatal'
10058 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
10062 implementations, between 32- and 64-bit builds without hassle.
10075 "64-bit" performance on certain 32-bit targets.
10086 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
10134 -------------
10139 update s->server with a new major version number. As of
10140 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10141 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10144 protection is active. ([CVE-2010-0740])
10148 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10155 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
10189 This results in significant per-connection memory leaks and
10190 has caused some security issues including CVE-2008-1678 and
10191 CVE-2009-4355.
10233 * Implement RFC5746. Re-enable renegotiation but require the extension
10244 servername handling. Use a non-zero length session ID when attempting
10259 * Add --strict-warnings option to Configure script to include devteam
10264 * Add support for --libdir option and LIBDIR variable in makefiles. This
10295 it used to have an ad-hoc builder which was unable to cope with anything
10303 with non-FIPS digests are now usable in FIPS mode.
10314 buffered. ([CVE-2009-1378])
10324 ([CVE-2009-1377])
10328 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10329 parent structure is freed. ([CVE-2009-1379])
10333 * Handle non-blocking I/O properly in SSL_shutdown() call.
10335 *Darryl Miles <darryl-mailinglists@netbauds.net>*
10343 * Disable renegotiation completely - this fixes a severe security
10344 problem ([CVE-2009-3555]) at the cost of breaking all
10345 renegotiation. Renegotiation can be re-enabled by setting
10346 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10347 run-time. This is really not recommended unless you know what
10356 zeroing past the valid field. ([CVE-2009-0789])
10362 appear to verify correctly. ([CVE-2009-0591])
10368 a legal length. ([CVE-2009-0590])
10388 * New -hex option for openssl rand.
10409 ([CVE-2008-5077]).
10427 * Tweak Configure so that you need to say "experimental-jpake" to enable
10428 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10445 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10456 ChangeCipherSpec as first record ([CVE-2009-1386]).
10466 double-checked locking was incomplete for RSA blinding,
10468 doubly unsafe triple-checked locking.
10477 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10479 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10483 - Change bn_nist.c so that it will properly handle input BIGNUMs
10486 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10491 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10500 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10512 Not compiled unless enable-capieng specified to Configure.
10529 Codenomicon TLS test suite ([CVE-2008-1672])
10534 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10558 the 'db' section contains nothing but zeroes (there is a one-byte
10563 * Partial backport from 0.9.9-dev:
10567 While 0.9.9-dev uses assembler for various architectures, only
10569 32-bit x86 is available through a compile-time setting.
10571 To try the 32-bit x86 assembler implementation, use Configure
10572 option "enable-montasm" (which exists only for this backport).
10574 As "enable-montasm" for 32-bit x86 disclaims code stability
10576 backported from 0.9.9-dev for further performance improvements,
10578 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10589 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10596 'uptodate' flag is reset so that auto-discovery will be used next
10613 with the enable-cms configuration option.
10650 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10651 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10652 - added some more tests to do_tests.pl
10653 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10654 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10655 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10656 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10657 - various changes to netware.pl to enable gcc-cross builds on Win32
10659 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10660 - various changes to fix missing prototype warnings
10661 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10662 - added AES, WHIRLPOOL and CPUID assembler code to build files
10663 - added missing AES assembler make rules to mk1mf.pl
10664 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10680 + DTLS interoperation with non-compliant servers
10692 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10695 This update even addresses CVE-2007-4995.
10744 - SSL_CTX_set_tlsext_servername_callback()
10746 - SSL_CTX_set_tlsext_servername_arg()
10747 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10749 openssl s_client has a new '-servername ...' option.
10751 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10752 '-key2 ...', '-servername_fatal' (subject to change). This allows
10753 testing the HostName extension for a specific single host name ('-cert'
10754 and '-key' remain fallbacks for handshakes without HostName
10756 default is a warning; it becomes fatal with the '-servername_fatal'
10782 * Add the Korean symmetric 128-bit cipher SEED (see
10786 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10787 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10788 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10789 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10793 is configured with 'enable-seed'.
10801 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10805 respectively, which are slower, but avoid the security-relevant
10820 constant-time implementations for more than just exponentiation.
10837 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10848 authentication-only ciphersuites.
10852 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10854 ([CVE-2007-5135]) [Ben Laurie]
10896 *Goetz Babin-Ebell*
10901 cause a denial of service. ([CVE-2006-2940])
10906 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10909 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10912 malicious SSLv2 server. ([CVE-2006-4343])
10917 match only those. Before that, "AES256-SHA" would be interpreted
10918 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10922 "RC4-MD5" that intentionally matched multiple ciphersuites --
10929 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10946 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10961 However, please upgrade to OpenSSL 0.9.9[-dev] for
10962 non-experimental use of the ECC ciphersuites to get TLS extension
10970 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
10971 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
10972 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
10975 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
10979 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
10985 dual-core machines) and other potential thread-safety issues.
10989 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
10990 versions), which is now available for royalty-free use
10996 is configured with 'enable-camellia'.
11020 * Update support for ECC-based TLS ciphersuites according to
11021 draft-ietf-tls-ecc-12.txt with proposed changes (but without
11036 Static zlib linking now works on Windows and the new --with-zlib-include
11037 --with-zlib-lib options to Configure can be used to supply the location
11064 countermeasure against man-in-the-middle protocol-version
11066 idea. ([CVE-2005-2969])
11081 * Avoid some small subgroup attacks in Diffie-Hellman.
11085 * Add functions for well-known primes.
11122 * Add -utf8 command line and config file option to 'ca'.
11132 involves renaming the source and generated shared-libs for
11141 use it. Make -CSP option work again in pkcs12 utility.
11146 - automatic re-creation of the BN_BLINDING parameters after
11148 - add new function for parameter creation
11149 - introduce flags to control the update behaviour of the
11151 - hide BN_BLINDING structure
11172 * Use SHA-1 instead of MD5 as the default digest algorithm for
11177 * Compile clean with "-Wall -Wmissing-prototypes
11178 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11184 The new counterpiece to "no-xxx" is "enable-xxx".
11187 "enable-rc5" and "enable-mdc2", respectively, are specified.
11191 fee for non-commercial use. As before, "no-idea" can be used to
11198 EGEE (Enabling Grids for E-science in Europe).
11203 as Intel P4, IA-64 and AMD64.
11207 * New utility extract-section.pl. This can be used specify an alternative
11218 * New arguments -certform, -keyform and -pass for s_client and s_server
11243 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11259 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11264 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
11272 give fewer recursive includes, which could break lazy source code - so
11276 backwards-compatible behaviour prevails when this isn't defined.
11313 static array of bignums, BN_CTX now uses a linked-list of such arrays
11349 * BN_CTX_get() should return zero-valued bignums, providing the same
11382 * Because of the callback-based approach for implementing LHASH as a
11383 template type, lh_insert() adds opaque objects to hash-tables and
11386 (and losing the object pointers). So some over-zealous constifications in
11400 aren't necessarily the greatest nomenclatures - but this is what was used
11407 the self-tests were still using deprecated key-generation functions so
11428 modulus operations are not performed. The (pre-generated) prime
11430 re-generated on some platforms because of the "division by zero"
11435 * Update support for ECC-based TLS ciphersuites according to
11436 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11437 SHA-1 now is only used for "small" curves (where the
11451 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11463 to certificate and key stores, be they simple file-based stores, or
11464 HSM-type store, or LDAP stores, or...
11477 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11485 searched-for key would be inserted to preserve sorting order.
11506 * Make it possible to create self-signed certificates with 'openssl ca'
11507 in such a way that the self-signed certificate becomes part of the
11509 as all other certificate signing. The new flag '-selfsign' enables
11516 request can be signed by that key (self-signing).
11529 * Generate multi-valued AVAs using '+' notation in config files for
11547 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11576 * Add full support for -rpath/-R, both in shared libraries and
11606 ./config -DOPENSSL_USE_GMP -lgmp
11611 testing availability of engines with "-t" - the old behaviour is
11612 produced by increasing the feature's verbosity with "-tt".
11623 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11630 * Change the "progress" mechanism used in key-generation and
11636 migrate to the new functions. Also, the new key-generation API
11637 functions operate on a caller-supplied key-structure and return
11638 success/failure rather than returning a key or NULL - this is to
11652 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11661 draft-ietf-tls-compression-04.txt.
11671 -- at least one of the pair shall be present -- }
11692 to avoid the need to access 'a->neg' directly in applications.
11696 * Implement fast modular reduction for pseudo-Mersenne primes
11717 the usual use of --prefix and/or --openssldir, and at run
11733 files while avoiding the low-level API.
11737 algorithm NIDs can be set to -1 for no encryption, the mac
11740 Enhance pkcs12 utility by making the -nokeys and -nocerts
11741 options work when creating a PKCS#12 file. New option -nomac
11744 instead of the low-level API.
11760 * Let 'openssl req' fail if an argument to '-newkey' is not
11765 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11901 functionality is disabled at compile-time.
11908 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11909 mode the content of non-printable OCTET STRINGs is output in a
11922 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11924 - Points are encoded in uncompressed form by default; options for
11973 EC_METHOD) that verifies that the curve discriminant is non-zero.
11988 - 'openssl req' now has a '-newkey ecdsa:file' option;
11989 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
11990 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
11994 - ECDSA engine support has been added.
12030 authentication-only ciphersuites.
12074 cause a denial of service. ([CVE-2006-2940])
12079 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12082 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12085 malicious SSLv2 server. ([CVE-2006-4343])
12090 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
12091 will no longer include "AES128-SHA"), and any other similar
12093 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
12102 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12112 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12113 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12114 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12117 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12121 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12127 dual-core machines) and other potential thread-safety issues.
12142 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12154 safely run with a non-FIPSed libcrypto, as it may crash because of
12163 countermeasure against man-in-the-middle protocol-version
12165 idea. ([CVE-2005-2969])
12177 the exponentiation using a fixed-length exponent. (Otherwise,
12184 * Make a new fixed-window mod_exp implementation the default for
12185 RSA, DSA, and DH private-key operations so that the sequence of
12188 cache-timing and potential related attacks.
12207 * Add support for smime-type MIME parameter in S/MIME messages which some
12244 they must be explicitly allowed in run-time. See
12251 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12253 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12286 * Back-port of selected performance improvements from development
12296 * Add new -passin argument to dgst.
12301 this is needed for some certificates that re-encode DNs into UTF8Strings
12312 - if there is an unhandled critical extension (unless the user
12314 - if the path length has been exceeded (if one is set at all)
12315 - that certain extensions fit the associated purpose (if one has
12342 certificate is created using 'openssl req -x509'. The initial serial
12343 number file is created using 'openssl x509 -next_serial' in CA.pl
12350 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12351 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12356 ([CVE-2004-0112])
12406 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12408 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12415 * New -ignore_err option in ocsp application to stop the server
12461 * Countermeasure against the Klima-Pokorny-Rosa extension of
12471 They would be ill-advised to do so in most cases.
12477 an unpredictable seed -- if it is not unpredictable, there
12478 is no point in blinding anyway). Make RSA blinding thread-safe
12479 by remembering the creator's thread ID in rsa->blinding and
12480 having all other threads use local one-time blinding factors
12481 (this requires more computation than sharing rsa->blinding, but
12505 between bad padding and a MAC verification error. ([CVE-2003-0078])
12511 * Make the no-err option work as intended. The intention with no-err
12519 used by default when no-err is given.
12579 * IA-32 assembler support enhancements: unified ELF targets, support
12585 FreeBSD on non-x86 processors is separate from x86 processors on
12634 warnings and a request that patches get sent to openssl-dev.
12638 * Add the VC-CE target, introduce the WINCE sysname, and add
12643 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12644 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12654 * Avoid using fixed-size buffers for one-line DNs.
12713 * Add assertions to prevent user-supplied crypto functions from
12731 * Fix off-by-one error in EGD path.
12761 Remote buffer overflow in SSL3 protocol - an attacker could
12762 supply an oversized master key in Kerberos-enabled versions.
12763 ([CVE-2002-0657])
12771 * Make -nameopt work fully for req and add -reqopt switch.
12773 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12787 which may be activated as a side-effect of selecting a single cipher.
12795 * Add appropriate support for separate platform-dependent build
12796 directories. The recommended way to make a platform-dependent
12803 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12804 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12805 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12806 mkdir -p `dirname $F`
12807 ln -s $OPENSSL_SOURCE/$F $F
12821 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12823 * Improve diagnostics in file reading and command-line digests.
12828 error in AES-CFB decryption.
12847 * Fix escaping of non-ASCII characters when using the -subj option
12858 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12871 * Fix the 'app_verify_callback' interface so that the user-defined
12879 i=s->ctx->app_verify_callback(&ctx)
12881 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12914 the same as the utility itself: that is the -config
12945 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12954 * Add the configuration target debug-linux-ppro.
12966 * Add -keyform to rsautl, and document -engine.
13019 (up to about 10% better than before for P-192 and P-224).
13043 SSL object, and 'arg' is the application-defined value set by
13046 'openssl s_client' and 'openssl s_server' have new '-msg' options
13077 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
13078 runs for the former and machine-readable output for the latter.
13082 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
13083 of the e-mail address in the DN (i.e., it will go into a certificate
13162 support for symmetric ciphers and digest implementations - so ENGINEs
13167 API changes worth noting - some RSA, DSA, DH, and RAND functions that
13169 reverted back - the hooking from this code to ENGINE is now a good
13170 deal more passive and at run-time, operations deal directly with
13173 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13224 * Add support for shared libraries for Unixware-7
13238 makes them more flexible to be built both as statically-linked ENGINEs
13239 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13240 Also, add stub code to each that makes building them as self-contained
13241 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13247 self-contained shared-libraries. The "dynamic" ENGINE exposes control
13248 commands that can be used to configure what shared-library to load and
13250 the [README-Engine.md](README-Engine.md) file
13251 that brings its information up-to-date and
13253 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13282 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13283 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13288 thread-safety problems that existed, and (b) makes it possible to clean
13414 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13421 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13432 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13433 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13434 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13436 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13437 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13438 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13441 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13443 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13447 * Added the OS2-EMX target.
13466 * Change all calls to low-level digest routines in the library and
13483 dialog box interfaces, application-defined prompts, the possibility
13490 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13576 per-structure level rather than having to store it globally.
13588 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13600 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13602 - executing control commands from command line arguments using the
13603 '-pre' and '-post' switches. '-post' is only used if '-t' is
13605 the individual commands are colon-separated, for example:
13606 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13612 and input types for run-time discovery by calling applications. A
13615 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13624 OpenSSL-based application. Commands have been added to all the
13625 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13626 control over shared-library paths without source code alterations.
13640 should already have non-const pointers to it (ie. they should only
13646 - "atalla" and "ubsec" string definitions were moved from header files
13648 rather than hard-coded - allowing parameterisation of these values
13650 - Removed unused "#if 0"'d code.
13651 - Fixed engine list iteration code so it uses ENGINE_free() to release
13653 - Constified the RAND_METHOD element of ENGINE structures.
13654 - Constified various get/set functions as appropriate and added
13655 missing functions (including a catch-all ENGINE_cpy that duplicates
13657 - Removed NULL parameter checks in get/set functions. Setting a method
13661 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13663 - Changed prototypes for ENGINE handler functions (init(), finish(),
13664 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13670 used only if the modulus is odd. On 32-bit systems, it is faster
13671 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13672 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13673 up to 450 bits. In 64-bit environments, the binary algorithm
13722 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13738 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13744 change the def and num file printf format specifier from "%-40sXXX"
13745 to "%-39s XXX". The latter will always guarantee a space after the
13792 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13799 Add options '-batch' and '-verbose' to 'openssl req'.
13859 checked. Two new options -validity_period and -status_age added to
13893 can be useful for session caching in multiple-server environments. A
13894 command-line switch for testing this (and any client code that wishes
13909 sure e_os2.h will cover all platform-specific cases together with
13911 Additionally, it is now possible to define configuration/platform-
13915 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13920 * New option -set_serial to 'req' and 'x509' this allows the serial
13947 port and path components: primarily to parse OCSP URLs. New -url
13958 the request is nonce-less.
13964 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
13993 * Add the option -VAfile to 'openssl ocsp', so the user can give the
14045 passed by the function are trusted implicitly. If any of them signed the
14065 is initialised to -1 but X509_time_adj() now has to check the value
14105 if it is explicitly trusted for OCSP signing. This is used to set
14111 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14114 the '-extensions ...' option may be used for specifying the
14127 `openssl ca -status <serial>` prints the status of the cert with
14129 `openssl ca -updatedb` updates the expiry status of certificates
14134 * New '-newreq-nodes' command option to CA.pl. This is like
14135 '-newreq', but calls 'openssl req' with the '-nodes' option
14150 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14151 value of OPENSSLDIR. This is available via the new '-d' option
14152 to 'openssl version', and is also included in 'openssl version -a'.
14179 There should no longer be any prototype-casting required when using
14190 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14199 (select timeout) and read in non-blocking mode. DEVRANDOM now
14204 For VMS, there's a currently-empty rand_vms.c.
14323 problems: As the program is single-threaded, all we have
14332 during TLS/SSL handshakes so that thread-safety is essential.
14334 for multi-threaded use, so it probably should be abolished.
14388 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14393 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14400 that provide type-safety and avoid function pointer casting for the
14401 type-specific callbacks.
14421 (using the probabilistic Tonelli-Shanks algorithm unless
14425 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14468 * Change BN_mod_mul so that the result is always non-negative.
14490 These functions always generate non-negative results.
14499 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14501 <!--
14515 -->
14518 unless the '-salt' option is used (which usually means that
14521 or the new '-noverify' option is used.
14524 non-interactive use of 'openssl passwd' (passwords on the command
14525 line, '-stdin' option, '-in ...' option) and thus should not
14542 casts back to non-const were required (to be solved at a later
14564 are built-in in OpenSSL shall ever be used or not. The benefit is
14618 * Rework the filename-translation in the DSO code. It is now possible to
14625 * Support threads on FreeBSD-elf in Configure.
14674 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14675 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14684 certain ASN.1 tags ([CVE-2003-0851])
14693 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14719 * Countermeasure against the Klima-Pokorny-Rosa extension of
14729 They would be ill-advised to do so in most cases.
14735 an unpredictable seed -- if it is not unpredictable, there
14736 is no point in blinding anyway). Make RSA blinding thread-safe
14737 by remembering the creator's thread ID in rsa->blinding and
14738 having all other threads use local one-time blinding factors
14739 (this requires more computation than sharing rsa->blinding, but
14751 between bad padding and a MAC verification error. ([CVE-2003-0078])
14769 because the session->cipher setting was not restored when reloading
14777 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14779 *Zeev Lieber <zeev-l@yahoo.com>*
14802 the bitwise-OR of the two for use by the majority of applications
14805 changing anyway, so this is more a bug-fix than a behavioural
14810 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14827 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14839 * [In 0.9.6g-engine release:]
14848 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14884 implementations is desired (e.g. '-bugs' option to 's_client' and
14895 F30602-01-2-0537.
14900 supplied buffer. ([CVE-2002-0659])
14910 too small for 64 bit platforms. ([CVE-2002-0655])
14911 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
14913 * Remote buffer overflow in SSL3 protocol - an attacker could
14914 supply an oversized session ID to a client. ([CVE-2002-0656])
14918 * Remote buffer overflow in SSL2 protocol - an attacker could
14919 supply an oversized client master key. ([CVE-2002-0656])
14926 encoded as NULL) with id-dsa-with-sha1.
14935 an end-of-file condition would erroneously be flagged, when the CRLF
14938 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14954 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14957 processing was enabled when in fact s->s3->in_read_app_data was
14970 * Fix DH_generate_parameters() so that it works for 'non-standard'
14977 a generator of the order-q subgroup is just as good, if not
14988 returning non-zero before the data has been completely received
14989 when using non-blocking I/O.
15025 * [In 0.9.6d-engine release:]
15030 * Add the configuration target linux-s390x.
15032 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
15038 invocations of ssl3_accept when using non-blocking I/O, the
15043 To avoid this problem, we now set s->new_session to 2 instead of
15048 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
15062 type, we must throw them away by setting rr->length to 0.
15080 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
15082 Also some ip-pda OIDs in crypto/objects/objects.txt were
15092 * [In 0.9.6c-engine release:]
15097 * [In 0.9.6c-engine release:]
15105 rearranged (all '-L' options must appear before the first object
15110 * [In 0.9.6c-engine release:]
15116 * [In 0.9.6c-engine release:]
15122 * [In 0.9.6c-engine release:]
15133 messages are stored in a single piece (fixed-length part and
15134 variable-length part combined) and fix various bugs found on the way.
15155 never resets s->method to s->ctx->method when called from within
15204 * Add OpenUNIX-8 support including shared libraries
15221 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15253 configuration target "alpha-cc-rpath", which will never be selected
15265 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15286 dh->length and always used
15288 BN_rand_range(priv_key, dh->p).
15290 BN_rand_range() is not necessary for Diffie-Hellman, and this
15291 specific range makes Diffie-Hellman unnecessarily inefficient if
15292 dh->length (recommended exponent length) is much smaller than the
15293 length of dh->p. We could use BN_rand_range() if the order of
15295 dh->length.
15301 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15319 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15334 *Albert Chin-A-Young <china@thewrittenword.com>*
15336 * Add configuration option to build on Linux on both big-endian and
15337 little-endian MIPS.
15339 *Ralf Baechle <ralf@uni-koblenz.de>*
15341 * Add the possibility to create shared libraries on HP-UX.
15349 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15352 'md' followed by enough consecutive 1-byte PRNG requests
15363 Markku-Juhani's attack. (Actually it had never occurred
15365 half from which PRNG output bytes were taken -- I had always
15408 when fixing the server behaviour for backwards-compatible 'client
15412 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15468 * Change bctest again: '-x' expressions are not available in all
15488 If SEQUENCE is length is indefinite just set c->slen to the total
15495 * Change bctest to avoid here-documents inside command substitution
15508 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15510 Computations, J. Cryptology 14 (2001) 2, 101-119,
15577 due to incorrect handling of multi-threading:
15585 inband-signalling in the previous code (which relied on the
15590 * Add "-rand" option also to s_client and s_server.
15595 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15614 to be set and top=0 forces the highest bit to be set; top=-1 is new
15619 * In the `NCONF_...`-based implementations for `CONF_...` queries
15675 * Fix 'openssl passwd -1'.
15686 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15696 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15703 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15733 avoid potential security hole. (Re-used sessions on the client side
15739 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15747 releases, have been re-implemented by renaming the previous
15758 the method-specific "init()" handler. Also clean up ex_data after
15759 calling the method-specific "finish()" handler. Previously, this was
15778 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15782 - Make note of the expected extension for the shared libraries and
15787 - Make as few rebuilds of the shared libraries as possible.
15789 - Still avoid linking the OpenSSL programs with the shared libraries.
15791 - When installing, install the shared libraries separately from the
15855 in a record-oriented fashion. That means that every write() will
15866 Currently, it's a VMS-only method, because that's where it has
15874 but it was in 0.9.6-beta[12].)
15900 documentation and run-time libraries. The devel package contains
15909 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16004 STACK for its trusted certificate store is also provided
16032 In BIO_puts, increment b->num_write as in BIO_write.
16049 used for low-level RSA operations. DER public key
16056 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
16058 * A demo state-machine implementation was sponsored by
16134 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16156 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16161 In s23_clnt.c, don't use special rollback-attack detection padding
16227 * New options to smime application. -inform and -outform
16229 PEM and DER. The -content option allows the content to be
16254 - New object identifiers are inserted in objects.txt, following
16256 - objects.pl is used to process obj_mac.num and create a new
16258 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16270 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16274 * Addition of the command line parameter '-rand file' to 'openssl req'.
16316 an -sgckey command line option to the rsa utility. Thanks to
16318 algorithm to openssl-dev.
16335 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16366 * The type-safe stack code has been rejigged. It is now only compiled
16368 by default all type-specific stack functions are "#define"d back to
16370 but retains the type-safety checking possibilities of the original
16378 map type-safe stack functions onto their plain stack counterparts.
16418 for CFB and OFB modes they zero ctx->num.
16444 i.e. non-zero for export ciphersuites, zero otherwise.
16462 Added -fingerprint option to crl utility, to support new c_rehash
16467 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16504 * Bugfix for linux-elf makefile.one.
16564 * Add '-tls1' option to 'openssl ciphers', which was already
16572 OpenSSL-based applications) load shared libraries and bind to
16584 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16585 to '-clrext' (= clear extensions), as intended and documented.
16603 *Ulf Möller, using the problem description in krb4-0.9.7, where
16612 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16614 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16619 the 'no-cipher' compilation switches can be tested this way.
16621 ('openssl no-XXX' is not able to detect pseudo-commands such
16622 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16626 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16634 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16640 * New s_client option -ign_eof: EOF at stdin is ignored, and
16642 This is part of what -quiet does; unlike -quiet, -ign_eof
16679 * Add '-dsaparam' option to 'openssl dhparam' application. This
16686 by 'openssl dhparam -C'.
16712 * New 'rand' application for creating pseudo-random output.
16726 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16786 or -rand.
16818 sections with information on -D... compiler switches used for
16820 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16868 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16872 * Add -rand argument to smime and pkcs12 applications and read/write
16899 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16928 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16932 * Use a less unusual form of the Miller-Rabin primality test (it used
16933 a binary algorithm for exponentiation integrated into the Miller-Rabin
16955 using 50 iterations of the Rabin-Miller test.
16958 iterations of the Rabin-Miller test as required by the appendix
16959 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16965 for each positive witness in the Rabin-Miller test, not just
16970 function with an 'iteration count' of -1, meaning that a
16972 from an application-provided seed, trial division is skipped).
16977 division before starting the Rabin-Miller test and has
16980 'callback(1, -1, cb_arg)' is called when a number has passed the
16990 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17012 by stat(). RAND_load_file(..., -1) is new and uses the complete file
17029 Rabin-Miller iterations.
17033 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
17055 cipher-strength (using the strength_bits hard coded in the tables).
17058 Fix a bug in the cipher-command parser: when supplying a cipher command
17060 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17063 Due to the strength-sorting extension, the code of the
17065 the readability was also increased :-)
17067 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17069 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
17112 * Do more iterations of Rabin-Miller probable prime test (specifically,
17113 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17116 false-positive rate of at most 2^-80 for random input.
17138 -nomaciter option is used. This improves file security and
17143 * Honor the no-xxx Configure options when creating .DEF files.
17200 $PATH. Just exploiting of the BWX extension results in 20-30%
17258 two sequences of OIDs for trusted and rejected settings. These will
17266 in place for compatibility: they check the NID and also return "trusted"
17430 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17446 trusted for SSL client use. However the default value can be changed to
17458 Two new options to the verify program: -untrusted allows a set of
17459 untrusted certificates to be passed in and -purpose which sets the
17491 Added a -pubkey option to the 'x509' utility to output the public key.
17530 openssl verify -CAfile ss.pem ss.pem
17538 but an application-provided verification callback (set by
17540 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17542 ssl->verify_result to the appropriate error code to avoid
17551 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17555 -S option to allow a salt to be input on the command line.
17585 the string plus current file name and line number to a per-thread
17588 Also updated memory leak detection code to be multi-thread-safe.
17592 * Add options -text and -noout to pkcs7 utility and delete the
17608 * Fix the -revoke option in ca. It was freeing up memory twice,
17625 can only be trusted if it is self signed and then it is trusted
17633 with non-optimised assembler. Even so, this now gives around 95%
17653 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17656 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17672 - Assure unique random numbers after fork().
17673 - Make sure that concurrent threads access the global counter and
17687 dsaparam -genkey (which also ignored its '-rand' option),
17696 of each file listed in the '-rand' option. The function as previously
17698 that support '-rand'.
17731 verification. Also added a -purpose flag to x509 utility to
17748 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17753 * New -noout option to asn1parse. This causes no output to be produced
17754 its main use is when combined with -strparse and -out to extract data
17764 * New option -dhparam in s_server. This allows a DH parameter file to be
17771 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17773 openssl rsa -in key.pem -pubout -out pubkey.pem
17814 working at all :-) A dedicated Windows application might handle this
17831 * Add new -verify -CAfile and -CApath options to the crl program, these
17840 * Initialize all non-automatic variables each time one of the openssl
17841 sub-programs is started (this is necessary as they may be started
17854 * Non-copying interface to BIO pairs.
17889 <madwolf@comune.modena.it>. The new option is called -extensions
17890 and can be applied to ca, req and x509. Also -reqexts to override
17891 the request extensions in req and -crlexts to override the crl extensions
17906 config file. They can be printed out with the -text option to req but
17929 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17949 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17975 * -crlf option to s_client and s_server for sending newlines as
17990 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
17999 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
18002 much more efficient (160-bit exponentiation instead of 1024-bit
18018 * Allow the -k option to be used more than once in the enc program:
18065 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
18069 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
18090 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
18097 * New function RSA_check_key and new openssl rsa option -check
18136 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18145 to disable memory-checking temporarily.
18150 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18154 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18156 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18178 * Fix problems with no-hmac etc.
18199 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18219 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18230 Whoever hopes to achieve shared-library compatibility across versions
18231 must use this, not the compile-time macro.
18234 Note: All this applies only to multi-threaded programs, others don't
18239 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18292 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18302 Changing the behaviour of the former might break existing programs --
18308 fails, it needs to cause bc to give a non-zero result or make test carries
18321 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18326 * Instead of "mkdir -p", which is not fully portable, use new
18327 Perl script "util/mkdir-p.pl".
18357 * "linux-sparc64" configuration (ultrapenguin).
18360 "linux-sparc" configuration.
18362 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18364 * config now generates no-xxx options for missing ciphers.
18373 * Support BS2000/OSD-POSIX.
18389 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18395 * New configuration variant "sco5-gcc".
18418 * SHA library changes for irix64-mips4-cc.
18486 * New option -out to asn1parse to allow the parsed structure to be
18487 output to a file. This is most useful when combined with the -strparse
18492 * Make SSL library a little more fool-proof by not requiring any longer
18496 intended anyway -- now it really works as intended).
18504 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18505 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18506 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18517 various ways (and thus what used to be known as ctx->default_cert
18518 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18519 any longer when s->cert does not give us what we need).
18522 we have solved a couple of bugs of the earlier code where s->cert
18532 that holds per-session data (if available); currently, this is
18560 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18561 without disallowing inline assembler and the like for non-pedantic builds.
18573 * SHA-1 cleanups and performance enhancements.
18581 * Accept any -xxx and +xxx compiler options in Configure.
18596 DER-encoded.)
18601 x509_vfy.c had what can be considered an off-by-one-error:
18629 * New Configure options "threads" and "no-threads". For systems
18640 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18645 * "make linux-shared" to build shared libraries.
18649 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18667 * New Configure options --prefix=DIR and --openssldir=DIR.
18688 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18706 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18784 * Don't auto-generate pem.h.
18788 * Introduce type-safe ASN.1 SETs.
18792 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18796 * Introduce type-safe STACKs. This will almost certainly break lots of code
18804 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18807 revoking a certificate. The -revoke option does the gory details now.
18811 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18812 `-text` option at all and this way the `-noout -text` combination was
18824 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18828 `openssl list-cipher-commands` is used.
18866 * New "-showcerts" option for s_client.
18907 * Make sure the RSA OAEP test is skipped under -DRSAref because
18913 so they no longer are missing under -DNOPROTO.
18943 * Make rsa_oaep_test return non-zero on error.
18948 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
18978 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
18990 * DES quad checksum was broken on big-endian architectures. Fixed.
19051 pre-configured entry in Configure's %table under key `<id>` with value
19053 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19054 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
19055 now, which overrides the FreeBSD-elf entry on-the-fly.
19063 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
19070 * Remarkably, export ciphers were totally broken and no-one had noticed!
19076 questions now is the OpenSSL core team under openssl-core@openssl.org.
19077 And add a paragraph about the dual-license situation to make sure people
19133 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19144 This means that Apache-SSL and similar packages don't have to mess around
19156 * Get rid of remaining C++-style comments which strict C compilers hate.
19167 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19169 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19179 non-public-API function ssl_cert_instantiate() is used as a helper
19184 * Move s_server -dcert and -dkey options out of the undocumented feature
19207 * Don't hard-code path to Perl interpreter on shebang line of Configure
19208 script. Instead use the usual Shell->Perl transition trick.
19212 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
19214 -noout -modulus` as it's already the case for `openssl rsa -noout
19215 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
19217 `openssl dsa -modulus` in the past) which serves a similar purpose.
19218 Additionally the NO_RSA no longer completely removes the whole -modulus
19224 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19241 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19242 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19272 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19303 *Lars Weber <3weber@informatik.uni-hamburg.de>*
19356 - ported BN stuff to OpenSSL's different BN library
19357 - made the perl/ source tree CVS-aware
19358 - renamed the package from SSLeay to OpenSSL (the files still contain
19360 - removed obsolete files (the test scripts will be replaced
19372 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19380 what that's for :-) Fix to ASN1 macro which messed up
19407 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19409 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19415 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19444 and add a sample to openssl.cnf so req -x509 now adds appropriate
19469 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19474 * Spelling mistake in C version of CAST-128.
19478 * Changes to the error generation code. The perl script err-code.pl
19485 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19490 * CAST-128 was incorrectly implemented for short keys. The C version has
19492 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19494 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19571 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19573 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19575 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19607 * Make sure the already existing X509_STORE->depth variable is initialized
19639 * Make the top-level INSTALL documentation easier to understand.
19643 * Makefiles updated to exit if an error occurs in a sub-directory
19658 * Enhanced the err-ins.pl script so it makes the error library number
19695 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19703 ncr-scde
19704 unixware-2.0
19705 unixware-2.0-pentium
19706 sco5-cc.
19719 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19726 * Some fixups to the top-level documents.
19730 * Fixed the nasty bug where rsaref.h was not found under compile-time
19735 * Incorporated the popular no-RSA/DSA-only patches
19736 which allow compiling an RSA-free SSLeay.
19740 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19758 * Recompiled the error-definition header files and added
19763 * Cleaned up the top-level documents;
19813 * Add -strparse option to asn1pars program which parses nested
19826 * Added "-genkey" option to "dsaparam" program.
19834 * Added -a (all) option to "ssleay version" command.
19923 <!-- Links -->
19925 [CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
19926 [CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
19927 [CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
19928 [CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
19929 [CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
19930 [CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
19931 [CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
19932 [CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
19933 [CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
19934 [CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
19935 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19936 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19937 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19938 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19939 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
19940 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19941 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19942 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19943 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
19944 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
19945 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
19946 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19947 [CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
19948 [CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
19949 [CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
19950 [CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
19951 [CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
19952 [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
19953 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
19954 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19955 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19956 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19957 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19958 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19959 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19960 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19961 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19962 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19963 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19964 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19965 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19966 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
19967 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
19968 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
19969 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
19970 [CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
19971 [CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
19972 [CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
19973 [CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
19974 [CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
19975 [CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
19976 [CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
19977 [CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
19978 [CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
19979 [CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
19980 [CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
19981 [CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
19982 [CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
19983 [CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
19984 [CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
19985 [CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
19986 [CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
19987 [CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
19988 [CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
19989 [CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
19990 [CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
19991 [CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
19992 [CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
19993 [CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
19994 [CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
19995 [CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
19996 [CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
19997 [CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
19998 [CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
19999 [CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
20000 [CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
20001 [CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
20002 [CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
20003 [CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
20004 [CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
20005 [CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
20006 [CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
20007 [CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
20008 [CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
20009 [CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
20010 [CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
20011 [CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
20012 [CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
20013 [CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
20014 [CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
20015 [CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
20016 [CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
20017 [CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
20018 [CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
20019 [CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
20020 [CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
20021 [CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
20022 [CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
20023 [CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
20024 [CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
20025 [CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
20026 [CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
20027 [CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
20028 [CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
20029 [CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
20030 [CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
20031 [CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
20032 [CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
20033 [CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
20034 [CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
20035 [CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
20036 [CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
20037 [CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
20038 [CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
20039 [CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
20040 [CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
20041 [CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
20042 [CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
20043 [CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
20044 [CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
20045 [CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
20046 [CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
20047 [CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
20048 [CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
20049 [CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
20050 [CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
20051 [CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
20052 [CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
20053 [CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
20054 [CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
20055 [CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
20056 [CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
20057 [CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
20058 [CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
20059 [CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
20060 [CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
20061 [CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
20062 [CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
20063 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
20064 [CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
20065 [CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
20066 [CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
20067 [CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
20068 [CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
20069 [CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
20070 [CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
20071 [CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
20072 [CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
20073 [CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
20074 [CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
20075 [CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
20076 [CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
20077 [CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
20078 [CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
20079 [CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
20080 [CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
20081 [CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
20082 [CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
20083 [CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
20084 [CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
20085 [CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
20086 [CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
20087 [CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
20088 [CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
20089 [CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
20090 [CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
20091 [CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
20092 [CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
20093 [CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
20094 [CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
20095 [CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
20096 [CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
20097 [CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
20098 [CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
20099 [CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
20100 [CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
20101 [CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
20102 [CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
20103 [CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
20104 [CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
20105 [CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
20106 [CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
20107 [CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
20108 [CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
20109 [CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
20110 [CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
20111 [CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
20112 [CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
20113 [CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
20114 [CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
20115 [CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
20116 [CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
20117 [CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655