NEWS
====

This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

OpenSSL Releases
----------------

 - [OpenSSL 3.5](#openssl-35)
 - [OpenSSL 3.4](#openssl-34)
 - [OpenSSL 3.3](#openssl-33)
 - [OpenSSL 3.2](#openssl-32)
 - [OpenSSL 3.1](#openssl-31)
 - [OpenSSL 3.0](#openssl-30)
 - [OpenSSL 1.1.1](#openssl-111)
 - [OpenSSL 1.1.0](#openssl-110)
 - [OpenSSL 1.0.2](#openssl-102)
 - [OpenSSL 1.0.1](#openssl-101)
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

OpenSSL 3.5
-----------

### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]

OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

 * Fixed the x509 application adding a trusted use instead of a rejected use.
   ([CVE-2025-4575])

### Major changes between OpenSSL 3.4 and OpenSSL 3.5.0 [8 Apr 2025]

OpenSSL 3.5.0 is a feature release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

 * Default encryption cipher for the `req`, `cms`, and `smime` applications
   changed from `des-ede3-cbc` to `aes-256-cbc`.

 * The default TLS supported groups list has been changed to include and
   prefer hybrid PQC KEM groups. Some practically unused groups were removed
   from the default list.

 * The default TLS keyshares have been changed to offer X25519MLKEM768 and
   X25519.

 * All `BIO_meth_get_*()` functions were deprecated.

This release adds the following new features:

 * Support for server side QUIC (RFC 9000)

 * Support for 3rd party QUIC stacks including 0-RTT support

 * Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)

 * A new configuration option `no-tls-deprecated-ec` to disable support for
   TLS groups deprecated in RFC 8422

 * A new configuration option `enable-fips-jitter` to make the FIPS provider
   use the `JITTER` seed source

 * Support for central key generation in CMP

 * Support added for opaque symmetric key objects (EVP_SKEY)

 * Support for multiple TLS keyshares and improved TLS key establishment group
   configurability

 * API support for pipelining in provided cipher algorithms

Known issues in 3.5.0

 * <https://github.com/openssl/openssl/issues/27282>
   Calling SSL_accept on objects returned from SSL_accept_connection
   results in an error. It is expected that making this call will advance
   the SSL handshake for the passed connection, but currently it does not.
   This can be handled by calling SSL_do_handshake instead. A fix is planned
   for OpenSSL 3.5.1.

OpenSSL 3.4
-----------

### Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [11 Feb 2025]

OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this
release is High.

This release incorporates the following bug fixes and mitigations:

 * Fixed RFC 7250 handshakes with unauthenticated servers not aborting as
   expected.
   ([CVE-2024-12797])

 * Fixed timing side-channel in ECDSA signature computation.
   ([CVE-2024-13176])

### Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

 * Deprecation of `TS_VERIFY_CTX_set_*` functions and addition of replacement
   `TS_VERIFY_CTX_set0_*` functions with improved semantics

 * Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
   what were formerly build time locations can now be defined at run time
   with registry keys

 * The X25519 and X448 key exchange implementation in the FIPS provider
   is unapproved and has the `fips=no` property.

 * SHAKE-128 and SHAKE-256 implementations no longer have a default digest
   length. That means these algorithms cannot be used with
   EVP_DigestFinal/_ex() unless the `xoflen` param is set beforehand.

 * Setting `config_diagnostics=1` in the config file will cause errors to
   be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
   in the ssl module configuration.

 * An empty renegotiate extension will be used in TLS client hellos instead
   of the empty renegotiation SCSV, for all connections with a minimum TLS
   version > 1.0.

 * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
   SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
   functions, which are Y2038-safe on platforms with a Y2038-safe `time_t`

This release adds the following new features:

 * Support for directly fetched composite signature algorithms such as
   RSA-SHA2-256, including new API functions

 * FIPS indicators support in the FIPS provider and various updates of the FIPS
   provider required for future FIPS 140-3 validations

 * Implementation of RFC 9579 (PBMAC1) in PKCS#12

 * An optional additional random seed source RNG `JITTER` using a statically
   linked jitterentropy library

 * New options `-not_before` and `-not_after` for explicitly setting the start
   and end dates of certificates created with the `req` and `x509` apps

 * Support for integrity-only cipher suites TLS_SHA256_SHA256 and
   TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150

 * Support for retrieving certificate request templates and CRLs in CMP

 * Support for additional X.509v3 extensions related to Attribute Certificates

 * Initial Attribute Certificate (RFC 5755) support

 * Ability to customize ECC group initialization to use precomputed values
   to save CPU time, and use of this feature by the P-256 implementation

OpenSSL 3.3
-----------

### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development]

OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
   curve parameters.
   ([CVE-2024-9143])

### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024]

OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this
release is Moderate.

This release incorporates the following bug fixes and mitigations:

 * Fixed possible denial of service in X.509 name checks
   ([CVE-2024-6119])

 * Fixed possible buffer overread in SSL_select_next_proto()
   ([CVE-2024-5535])

### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024]

OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

 * Fixed potential use after free after SSL_free_buffers() is called
   ([CVE-2024-4741])

 * Fixed an issue where checking excessively long DSA keys or parameters may
   be very slow
   ([CVE-2024-4603])

### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]

OpenSSL 3.3.0 is a feature release adding significant new functionality to
OpenSSL.

This release adds the following new features:

 * Support for qlog for tracing QUIC connections has been added

 * Added APIs to allow configuring the negotiated idle timeout for QUIC
   connections, and to allow determining the number of additional streams
   that can currently be created for a QUIC connection.

 * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
   objects

 * Added APIs to allow querying the size and utilisation of a QUIC stream's
   write buffer

 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
   condition in an optimised way when using QUIC.

 * Limited support for polling of QUIC connection and stream objects in a
   non-blocking manner.

 * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
   times with different output sizes.

 * Added exporter for CMake on Unix and Windows, alongside the pkg-config
   exporter.

 * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
   output length.

 * The EVP_PKEY_fromdata function has been augmented to allow for the
   derivation of CRT (Chinese Remainder Theorem) parameters when requested

 * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
   using time_t, which is Y2038 safe on 32 bit systems when 64 bit time
   is enabled

 * Unknown entries in the TLS SignatureAlgorithms and ClientSignatureAlgorithms
   config options, and in the respective calls to SSL[_CTX]_set1_sigalgs() and
   SSL[_CTX]_set1_client_sigalgs(), that start with the `?` character are
   ignored and the rest of the configuration is still used.

 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
   override the Issuer and Subject when creating a certificate. The `-subj`
   option is now an alias for `-set_subject`.

 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483

 * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
   server to prefer session resumption using PSK-only key exchange over PSK
   with DHE, if both are available.

 * New `atexit` configuration switch, which controls whether OPENSSL_cleanup
   is registered when libcrypto is unloaded.

 * Added X509_STORE_get1_objects to avoid issues with the existing
   X509_STORE_get0_objects API in multi-threaded applications.

 * Support for using certificate profiles and extended delayed delivery in CMP

This release incorporates the following potentially significant or incompatible
changes:

 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100

 * Optimized AES-CTR for ARM Neoverse V1 and V2

 * Enable AES and SHA3 optimisations on Apple Silicon M3-based macOS systems
   similar to M1/M2.

 * Various optimizations for cryptographic routines using RISC-V vector crypto
   extensions

 * Added assembly implementation for md5 on loongarch64

 * Accept longer context for TLS 1.2 exporters

 * The `activate` and `soft_load` configuration settings for providers in
   openssl.cnf have been updated to require a value of [1|yes|true|on]
   (in lower or UPPER case) to enable the setting. Conversely a value
   of [0|no|false|off] will disable the setting.

 * In `openssl speed`, changed the default hash function used with `hmac` from
   `md5` to `sha256`.

 * The `-verify` option to the `openssl crl` and `openssl req` commands now
   makes the program exit with 1 on failure.

 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
   related functions have been augmented to check for a minimum length of
   the input string, in accordance with ITU-T X.690 sections 11.7 and 11.8.

 * OPENSSL_sk_push() and `sk_<TYPE>_push()` functions now return 0 instead of
   -1 if called with a NULL stack argument.

 * A new limit on HTTP response headers has been introduced in the HTTP
   client. The default limit is 256 header lines.

This release incorporates the following bug fixes and mitigations:

 * The BIO_get_new_index() function can only be called 127 times before it
   reaches its upper bound of BIO_TYPE_MASK, and will now return -1 once it is
   exhausted.

A more detailed list of changes in this release can be found in the
[CHANGES.md] file.

Users interested in using the new QUIC functionality are encouraged to read the
[README file for QUIC][README-QUIC.md], which provides links to relevant
documentation and example code.

As always, bug reports and issues relating to OpenSSL can be [filed on our issue
tracker][issue tracker].

OpenSSL 3.2
-----------

### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]

OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

 * Fixed unbounded memory growth with session handling in TLSv1.3
   ([CVE-2024-2511])

### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]

OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

 * Fixed PKCS12 decoding crashes
   ([CVE-2024-0727])

 * Fixed excessive time spent checking invalid RSA public keys
   ([CVE-2023-6237])

 * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
   CPUs which support PowerISA 2.07
   ([CVE-2023-6129])

### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]

OpenSSL 3.2.0 is a feature release adding significant new functionality to
OpenSSL.

This release incorporates the following potentially significant or incompatible
changes:

 * The default SSL/TLS security level has been changed from 1 to 2.

 * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.

 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
   by default. Also spaces surrounding `=` in DN output are removed.

This release adds the following new features:

 * Support for client side QUIC, including support for
   multiple streams (RFC 9000)

 * Support for Ed25519ctx, Ed25519ph and Ed448ph in addition
   to existing support for Ed25519 and Ed448 (RFC 8032)

 * Support for deterministic ECDSA signatures (RFC 6979)

 * Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)

 * Support for the Argon2 KDF, along with supporting thread pool
   functionality (RFC 9106)

 * Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)

 * Support for SM4-XTS

 * Support for Brainpool curves in TLS 1.3

 * Support for TLS Raw Public Keys (RFC 7250)

 * Support for TCP Fast Open on Linux, macOS and FreeBSD,
   where enabled and supported (RFC 7413)

 * Support for TLS certificate compression, including library
   support for zlib, Brotli and zstd (RFC 8879)

 * Support for provider-based pluggable signature algorithms
   in TLS 1.3 with supporting CMS and X.509 functionality

   With a suitable provider this enables the use of post-quantum/quantum-safe
   cryptography.

 * Support for using the Windows system certificate store as a source of
   trusted root certificates

   This is not yet enabled by default and must be activated using an
   environment variable. This is likely to become enabled by default
   in a future feature release.

 * Support for using the IANA standard names in TLS ciphersuite configuration

 * Multiple new features and improvements to CMP protocol support

The following known issues are present in this release and will be rectified
in a future release:

 * Provider-based signature algorithms cannot be configured using the
   SignatureAlgorithms configuration file parameter (#22761)

This release incorporates the following documentation enhancements:

 * Added multiple tutorials on the OpenSSL library and in particular
   on writing various clients (using TLS and QUIC protocols) with libssl

   See [OpenSSL Guide].

This release incorporates the following bug fixes and mitigations:

 * Fixed excessive time spent in DH check / generation with large Q parameter
   value
   ([CVE-2023-5678])

A more detailed list of changes in this release can be found in the
[CHANGES.md] file.

Users interested in using the new QUIC functionality are encouraged to read the
[README file for QUIC][README-QUIC.md], which provides links to relevant
documentation and example code.

As always, bug reports and issues relating to OpenSSL can be [filed on our issue
tracker][issue tracker].

OpenSSL 3.1
-----------

### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]

 * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
   ([CVE-2023-5363])

### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]

 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows
   ([CVE-2023-4807])

### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]

 * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
 * Fix DH_check() excessive time with oversized modulus ([CVE-2023-3446])
 * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
 * When building with the `enable-fips` option and using the resulting
   FIPS provider, TLS 1.2 will, by default, mandate the use of an
   extended master secret and the Hash and HMAC DRBGs will not operate
   with truncated digests.

### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]

 * Mitigated very slow `OBJ_obj2txt()` performance with gigantic OBJECT
   IDENTIFIER sub-identities. ([CVE-2023-2650])
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms
   ([CVE-2023-1255])
 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
 * Fixed handling of invalid certificate policies in leaf certificates
   ([CVE-2023-0465])
 * Limited the number of nodes created in a policy tree ([CVE-2023-0464])

### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]

 * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
 * Performance enhancements and new platform support including new
   assembler code algorithm implementations.
 * Deprecated LHASH statistics functions.
 * FIPS 140-3 compliance changes.

OpenSSL 3.0
-----------

### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]

 * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
 * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
 * Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
 * Fixed invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
 * Fixed use-after-free following BIO_new_NDEF ([CVE-2023-0215])
 * Fixed double free after calling PEM_read_bio_ex ([CVE-2022-4450])
 * Fixed timing oracle in RSA decryption ([CVE-2022-4304])
 * Fixed X.509 Name Constraints read buffer overflow ([CVE-2022-4203])
 * Fixed X.509 Policy Constraints double locking ([CVE-2022-3996])

### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]

 * Added RIPEMD160 to the default provider.
 * Fixed regressions introduced in version 3.0.6.
 * Fixed two buffer overflows in punycode decoding functions.
   ([CVE-2022-3786]) and ([CVE-2022-3602])

### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]

 * Fix for custom ciphers to prevent accidental use of NULL encryption
   ([CVE-2022-3358])

### Major changes between OpenSSL 3.0.4 and OpenSSL 3.0.5 [5 Jul 2022]

 * Fixed heap memory corruption with RSA private key operation
   ([CVE-2022-2274])
 * Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
   ([CVE-2022-2097])

### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]

 * Fixed additional bugs in the c_rehash script, which was not properly
   sanitising shell metacharacters to prevent command injection
   ([CVE-2022-2068])

### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]

 * Fixed a bug in the c_rehash script, which was not properly sanitising shell
   metacharacters to prevent command injection ([CVE-2022-1292])
 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
   certificate on an OCSP response ([CVE-2022-1343])
 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
   AAD data as the MAC key ([CVE-2022-1434])
 * Fixed a bug in the OPENSSL_LH_flush() function that broke reuse of the
   memory occupied by the removed hash table entries ([CVE-2022-1473])

### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022]

 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
   for non-prime moduli ([CVE-2022-0778])

### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]

 * Fixed invalid handling of X509_verify_cert() internal errors in libssl
   ([CVE-2021-4044])
 * Allow fetching an operation from the provider that owns an unexportable key
   as a fallback if that is still allowed by the property query.

### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 Sep 2021]

 * Enhanced 'openssl list' with many new options.
 * Added migration guide to man7.
 * Implemented support for fully "pluggable" TLSv1.3 groups.
 * Added support for Kernel TLS (KTLS).
 * Changed the license to the Apache License v2.0.
 * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
   RC4, RC5, and DES to the legacy provider.
 * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
   provider.
 * Added convenience functions for generating asymmetric key pairs.
 * Deprecated the `OCSP_REQ_CTX` type and functions.
 * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions.
 * Deprecated the `RSA` and `RSA_METHOD` types and functions.
 * Deprecated the `DSA` and `DSA_METHOD` types and functions.
 * Deprecated the `DH` and `DH_METHOD` types and functions.
 * Deprecated the `ERR_load_` functions.
 * Removed the `RAND_DRBG` API.
 * Deprecated the `ENGINE` API.
 * Added `OSSL_LIB_CTX`, a libcrypto library context.
 * Added various `_ex` functions to the OpenSSL API that support using
   a non-default `OSSL_LIB_CTX`.
 * Interactive mode is removed from the 'openssl' program.
 * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
   included in the FIPS provider.
 * X509 certificates signed using SHA1 are no longer allowed at security
   level 1 or higher. The default security level for TLS is 1, so
   certificates signed using SHA1 are by default no longer trusted to
   authenticate servers or clients.
 * enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly
   disabled; the project uses address sanitizer/leak detection instead.
 * Added a Certificate Management Protocol (CMP, RFC 4210) implementation
   also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
   It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
   All widely used CMP features are supported for both clients and servers.
 * Added a proper HTTP client supporting GET with optional redirection, POST,
   arbitrary request and response content types, TLS, persistent connections,
   connections via HTTP(s) proxies, connections and exchange via user-defined
   BIOs (allowing implicit connections), and timeout checks.
 * Added util/check-format.pl for checking adherence to the coding guidelines.
 * Added OSSL_ENCODER, a generic encoder API.
 * Added OSSL_DECODER, a generic decoder API.
 * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
 * Added error raising macros, ERR_raise() and ERR_raise_data().
 * Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
   ERR_func_error_string().
 * Added OSSL_PROVIDER_available(), to check provider availability.
 * Added 'openssl mac' that uses the EVP_MAC API.
 * Added 'openssl kdf' that uses the EVP_KDF API.
 * Added OPENSSL_info() and 'openssl info' to get built-in data.
 * Added support for enabling instrumentation through trace and debug
   output.
 * Changed our version number scheme and set the next major release to
   3.0.0
 * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
   bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305
   and SIPHASH.
 * Removed the heartbeat message in DTLS feature.
 * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to
   EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2,
   PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF.
 * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
   SHA256, SHA384, SHA512 and Whirlpool digest functions have been
   deprecated.
 * All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2,
   RC4, RC5 and SEED cipher functions have been deprecated.
 * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
   have been deprecated.
 * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0,
   except when RSA key exchange without SHA1 is used.
 * Added providers, a new pluggability concept that will replace the
   ENGINE API and ENGINE implementations.

OpenSSL 1.1.1
-------------

### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]

 * Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711])
 * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712])

### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

 * Fixed a problem with verifying a certificate chain when using the
   X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450])
 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client ([CVE-2021-3449])

### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

 * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
   function ([CVE-2021-23841])
 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
   padding mode to correctly check for rollback attacks
 * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
   EVP_DecryptUpdate functions ([CVE-2021-23840])
 * Fixed SRP_Calc_client_key so that it runs in constant time

### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

 * Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971])

### Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

 * Disallow explicit curve parameters in verification chains when
   X509_V_FLAG_X509_STRICT is used
 * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
   contexts
 * Oracle Developer Studio will start reporting deprecation warnings

### Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

 * Fixed segmentation fault in SSL_check_chain() ([CVE-2020-1967])

### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]

 * Revert the unexpected EOF reporting via SSL_ERROR_SSL

### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

 * Fixed an overflow bug in the x86_64 Montgomery squaring procedure
   used in exponentiation with 512-bit moduli ([CVE-2019-1551])

### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

 * Fixed a fork protection issue ([CVE-2019-1549])
 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
   ([CVE-2019-1563])
 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters
 * Compute ECC cofactors if not provided during EC_GROUP construction
   ([CVE-2019-1547])
 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems
 * Correct the extended master secret constant on EBCDIC systems
 * Use Windows installation paths in the mingw builds ([CVE-2019-1552])
 * Changed DH_check to accept parameters with order q and 2q subgroups
 * Significantly reduce secure memory usage by the randomness pools
 * Revert the DEVRANDOM_WAIT feature for Linux systems

### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]

 * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543])

### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

 * Change the info callback signals for the start and end of a post-handshake
   message exchange in TLSv1.3.
 * Fix a bug in DTLS over SCTP. This breaks interoperability with older
   versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

 * Timing vulnerability in DSA signature generation ([CVE-2018-0734])
 * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735])

### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

 * Support for TLSv1.3 added. The TLSv1.3 implementation includes:
   * Fully compliant implementation of RFC8446 (TLSv1.3) on by default
   * Early data (0-RTT)
   * Post-handshake authentication and key update
   * Middlebox Compatibility Mode
   * TLSv1.3 PSKs
   * Support for all five RFC8446 ciphersuites
   * RSA-PSS signature algorithms (backported to TLSv1.2)
   * Configurable session ticket support
   * Stateless server support
   * Rewrite of the packet construction code for "safer" packet handling
   * Rewrite of the extension handling code

   For further important information, see the
   [TLS1.3 page](https://github.com/openssl/openssl/wiki/TLS1.3) in the
   OpenSSL Wiki.

 * Complete rewrite of the OpenSSL random number generator to introduce the
   following capabilities
   * The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instances are per-thread for lock free
     operation
 * Support for various new cryptographic algorithms including:
   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (both Ed25519 and Ed448) including X509 and TLS support
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)
 * Significant Side-Channel attack security improvements
 * Add a new ClientHello callback to provide the ability to adjust the SSL
   object at an early stage.
 * Add 'Maximum Fragment Length' TLS extension negotiation and support
 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other
   objects.
 * Move the display of configuration data to configdata.pm.
 * Allow GNU style "make variables" to be used with Configure.
 * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
 * Rewrite of devcrypto engine

OpenSSL 1.1.0
-------------

### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019]

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
   ([CVE-2019-1563])
 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters
 * Compute ECC cofactors if not provided during EC_GROUP construction
   ([CVE-2019-1547])
 * Use Windows installation paths in the mingw builds ([CVE-2019-1552])

### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]

 * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543])

### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]

 * Timing vulnerability in DSA signature generation ([CVE-2018-0734])
 * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735])

### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]

 * Client DoS due to large DH parameter ([CVE-2018-0732])
 * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737])

### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the
   stack ([CVE-2018-0739])
 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC ([CVE-2018-0733])
 * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738])

### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736])
 * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735])

### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017]

 * config now recognises 64-bit mingw and chooses mingw64 instead of mingw

### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017]

 * Encrypt-Then-Mac renegotiation crash ([CVE-2017-3733])

### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]

 * Truncated packet could crash via OOB read ([CVE-2017-3731])
 * Bad (EC)DHE parameters cause a client crash ([CVE-2017-3730])
 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732])

### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016]

 * ChaCha20/Poly1305 heap-buffer-overflow ([CVE-2016-7054])
 * CMS Null dereference ([CVE-2016-7053])
 * Montgomery multiplication may produce incorrect results ([CVE-2016-7055])

### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]

 * Fix Use After Free for large message sizes ([CVE-2016-6309])

### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304])
 * SSL_peek() hang on empty record ([CVE-2016-6305])
 * Excessive
allocation of memory in tls_get_message_header() 826 ([CVE-2016-6307]) 827 * Excessive allocation of memory in dtls1_preprocess_fragment() 828 ([CVE-2016-6308]) 829 830### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016] 831 832 * Copyright text was shrunk to a boilerplate that points to the license 833 * "shared" builds are now the default when possible 834 * Added support for "pipelining" 835 * Added the AFALG engine 836 * New threading API implemented 837 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl 838 * Support for extended master secret 839 * CCM ciphersuites 840 * Reworked test suite, now based on perl, Test::Harness and Test::More 841 * *Most* libcrypto and libssl public structures were made opaque, 842 including: 843 BIGNUM and associated types, EC_KEY and EC_KEY_METHOD, 844 DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD, 845 BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, 846 EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX, 847 X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE, 848 X509_LOOKUP, X509_LOOKUP_METHOD 849 * libssl internal structures made opaque 850 * SSLv2 support removed 851 * Kerberos ciphersuite support removed 852 * RC4 removed from DEFAULT ciphersuites in libssl 853 * 40 and 56 bit cipher support removed from libssl 854 * All public header files moved to include/openssl, no more symlinking 855 * SSL/TLS state machine, version negotiation and record layer rewritten 856 * EC revision: now operations use new EC_KEY_METHOD. 857 * Support for OCB mode added to libcrypto 858 * Support for asynchronous crypto operations added to libcrypto and libssl 859 * Deprecated interfaces can now be disabled at build time either 860 relative to the latest release via the "no-deprecated" Configure 861 argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. 
 * Application software can be compiled with -DOPENSSL_API_COMPAT=version
   to ensure that features deprecated in that version are not exposed.
 * Support for RFC6698/RFC7671 DANE TLSA peer authentication
 * Change of Configure to use --prefix as the main installation
   directory location rather than --openssldir. The latter becomes
   the directory for certs, private keys and openssl.cnf exclusively.
 * Reworked BIO networking library, with full support for IPv6.
 * New "unified" build system
 * New security levels
 * Support for scrypt algorithm
 * Support for X25519
 * Extended SSL_CONF support using configuration files
 * KDF algorithm support. Implement TLS PRF as a KDF.
 * Support for Certificate Transparency
 * HKDF support.

OpenSSL 1.0.2
-------------

### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
   ([CVE-2019-1563])
 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters
 * Compute ECC cofactors if not provided during EC_GROUP construction
   ([CVE-2019-1547])
 * Document issue with installation paths in diverse Windows builds
   ([CVE-2019-1552])

### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]

 * None

### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]

 * 0-byte record padding oracle ([CVE-2019-1559])

### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]

 * Microarchitecture timing vulnerability in ECC scalar multiplication
   ([CVE-2018-5407])
 * Timing vulnerability in DSA signature generation ([CVE-2018-0734])

### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]

 * Client DoS due to large DH parameter ([CVE-2018-0732])
 * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737])

### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the
   stack ([CVE-2018-0739])

### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]

 * Read/write after SSL object in error state ([CVE-2017-3737])
 * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738])

### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736])
 * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735])

### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]

 * config now recognises 64-bit mingw and chooses mingw64 instead of mingw

### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]

 * Truncated packet could crash via OOB read ([CVE-2017-3731])
 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732])
 * Montgomery multiplication may produce incorrect results ([CVE-2016-7055])

### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]

 * Missing CRL sanity check ([CVE-2016-7052])

### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304])
 * SWEET32 Mitigation ([CVE-2016-2183])
 * OOB write in MDC2_Update() ([CVE-2016-6303])
 * Malformed SHA512 ticket DoS ([CVE-2016-6302])
 * OOB write in BN_bn2dec() ([CVE-2016-2182])
 * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180])
 * Pointer arithmetic undefined behaviour ([CVE-2016-2177])
 * Constant time flag not preserved in DSA signing ([CVE-2016-2178])
 * DTLS buffered message DoS ([CVE-2016-2179])
 * DTLS replay protection DoS ([CVE-2016-2181])
 * Certificate message OOB reads ([CVE-2016-6306])

### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107])
 * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105])
 * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106])
 * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109])
 * EBCDIC overread ([CVE-2016-2176])
 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.
 * Remove LOW from the DEFAULT cipher list. This removes single DES from
   the default.
 * Only remove the SSLv2 methods with the no-ssl2-method option.

### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
 * Disable SSLv2 default build, default negotiation and weak ciphers
   ([CVE-2016-0800])
 * Fix a double-free in DSA code ([CVE-2016-0705])
 * Disable SRP fake user seed to address a server memory leak
   ([CVE-2016-0798])
 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
   ([CVE-2016-0797])
 * Fix memory issues in BIO_*printf functions ([CVE-2016-0799])
 * Fix side channel attack on modular exponentiation ([CVE-2016-0702])

### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]

 * DH small subgroups ([CVE-2016-0701])
 * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197])

### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2015-3193])
 * Certificate verify crash with missing PSS parameter ([CVE-2015-3194])
 * X509_ATTRIBUTE memory leak ([CVE-2015-3195])
 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error

### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]

 * Alternate chains certificate forgery ([CVE-2015-1793])
 * Race condition handling PSK identity hint ([CVE-2015-3196])

### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]

 * Fix HMAC ABI incompatibility

### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]

 * Malformed ECParameters causes infinite loop ([CVE-2015-1788])
 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789])
 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790])
 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792])
 * Race condition handling NewSessionTicket ([CVE-2015-1791])

### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]

 * OpenSSL 1.0.2 ClientHello sigalgs DoS fix ([CVE-2015-0291])
 * Multiblock corrupted pointer fix ([CVE-2015-0290])
 * Segmentation fault in DTLSv1_listen fix ([CVE-2015-0207])
 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286])
 * Segmentation fault for invalid PSS parameters fix ([CVE-2015-0208])
 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287])
 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289])
 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293])
 * Empty CKE with client auth and DHE fix ([CVE-2015-1787])
 * Handshake with unseeded PRNG fix ([CVE-2015-0285])
 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209])
 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288])
 * Removed the export ciphers from the DEFAULT ciphers

### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]

 * Suite B support for TLS 1.2 and DTLS 1.2
 * Support for DTLS 1.2
 * TLS automatic EC curve selection.
 * API to set TLS supported signature algorithms and curves
 * SSL_CONF configuration API.
 * TLS Brainpool support.
 * ALPN support.
 * CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

OpenSSL 1.0.1
-------------

### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304])
 * SWEET32 Mitigation ([CVE-2016-2183])
 * OOB write in MDC2_Update() ([CVE-2016-6303])
 * Malformed SHA512 ticket DoS ([CVE-2016-6302])
 * OOB write in BN_bn2dec() ([CVE-2016-2182])
 * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180])
 * Pointer arithmetic undefined behaviour ([CVE-2016-2177])
 * Constant time flag not preserved in DSA signing ([CVE-2016-2178])
 * DTLS buffered message DoS ([CVE-2016-2179])
 * DTLS replay protection DoS ([CVE-2016-2181])
 * Certificate message OOB reads ([CVE-2016-6306])

### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107])
 * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105])
 * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106])
 * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109])
 * EBCDIC overread ([CVE-2016-2176])
 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.
 * Remove LOW from the DEFAULT cipher list. This removes single DES from
   the default.
 * Only remove the SSLv2 methods with the no-ssl2-method option.

### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
 * Disable SSLv2 default build, default negotiation and weak ciphers
   ([CVE-2016-0800])
 * Fix a double-free in DSA code ([CVE-2016-0705])
 * Disable SRP fake user seed to address a server memory leak
   ([CVE-2016-0798])
 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
   ([CVE-2016-0797])
 * Fix memory issues in BIO_*printf functions ([CVE-2016-0799])
 * Fix side channel attack on modular exponentiation ([CVE-2016-0702])

### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]

 * Protection for DH small subgroup attacks
 * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197])

### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]

 * Certificate verify crash with missing PSS parameter ([CVE-2015-3194])
 * X509_ATTRIBUTE memory leak ([CVE-2015-3195])
 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error

### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]

 * Alternate chains certificate forgery ([CVE-2015-1793])
 * Race condition handling PSK identity hint ([CVE-2015-3196])

### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]

 * Fix HMAC ABI incompatibility

### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]

 * Malformed ECParameters causes infinite loop ([CVE-2015-1788])
 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789])
 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790])
 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792])
 * Race condition handling NewSessionTicket ([CVE-2015-1791])

### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015]

 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286])
 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287])
 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289])
 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293])
 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209])
 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288])
 * Removed the export ciphers from the DEFAULT ciphers

### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]

 * Build fixes for the Windows and OpenVMS platforms

### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]

 * Fix for [CVE-2014-3571]
 * Fix for [CVE-2015-0206]
 * Fix for [CVE-2014-3569]
 * Fix for [CVE-2014-3572]
 * Fix for [CVE-2015-0204]
 * Fix for [CVE-2015-0205]
 * Fix for [CVE-2014-8275]
 * Fix for [CVE-2014-3570]

### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]

 * Fix for [CVE-2014-3513]
 * Fix for [CVE-2014-3567]
 * Mitigation for [CVE-2014-3566] (SSL protocol vulnerability)
 * Fix for [CVE-2014-3568]

### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]

 * Fix for [CVE-2014-3512]
 * Fix for [CVE-2014-3511]
 * Fix for [CVE-2014-3510]
 * Fix for [CVE-2014-3507]
 * Fix for [CVE-2014-3506]
 * Fix for [CVE-2014-3505]
 * Fix for [CVE-2014-3509]
 * Fix for [CVE-2014-5139]
 * Fix for [CVE-2014-3508]

### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]

 * Fix for [CVE-2014-0224]
 * Fix for [CVE-2014-0221]
 * Fix for [CVE-2014-0198]
 * Fix for [CVE-2014-0195]
 * Fix for [CVE-2014-3470]
 * Fix for [CVE-2010-5298]

### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]

 * Fix for [CVE-2014-0160]
 * Add TLS padding extension workaround for broken servers.
 * Fix for [CVE-2014-0076]

### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]

 * Don't include gmt_unix_time in TLS server and client random values
 * Fix for TLS record tampering bug ([CVE-2013-4353])
 * Fix for TLS version checking bug ([CVE-2013-6449])
 * Fix for DTLS retransmission bug ([CVE-2013-6450])

### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]

 * Corrected fix for ([CVE-2013-0169])

### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]

 * Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
 * Include the fips configuration module.
 * Fix OCSP bad key DoS attack ([CVE-2013-0166])
 * Fix for SSL/TLS/DTLS CBC plaintext recovery attack ([CVE-2013-0169])
 * Fix for TLS AESNI record handling flaw ([CVE-2012-2686])

### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]

 * Fix TLS/DTLS record length checking bug ([CVE-2012-2333])
 * Don't attempt to use non-FIPS composite ciphers in FIPS mode.

### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]

 * Fix compilation error on non-x86 platforms.
 * Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
 * Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0

### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]

 * Fix for ASN1 overflow bug ([CVE-2012-2110])
 * Workarounds for some servers that hang on long client hellos.
 * Fix SEGV in AES code.

### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]

 * TLS/DTLS heartbeat support.
 * SCTP support.
 * RFC 5705 TLS key material exporter.
 * RFC 5764 DTLS-SRTP negotiation.
 * Next Protocol Negotiation.
 * PSS signatures in certificates, requests and CRLs.
 * Support for password based recipient info for CMS.
 * Support TLS v1.2 and TLS v1.1.
 * Preliminary FIPS capability for unvalidated 2.0 FIPS module.
 * SRP support.

OpenSSL 1.0.0
-------------

### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015]

 * X509_ATTRIBUTE memory leak ([CVE-2015-3195])
 * Race condition handling PSK identity hint ([CVE-2015-3196])

### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015]

 * Malformed ECParameters causes infinite loop ([CVE-2015-1788])
 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789])
 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790])
 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792])
 * Race condition handling NewSessionTicket ([CVE-2015-1791])

### Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015]

 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286])
 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287])
 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289])
 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293])
 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209])
 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288])
 * Removed the export ciphers from the DEFAULT ciphers

### Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015]

 * Build fixes for the Windows and OpenVMS platforms

### Major changes between OpenSSL 1.0.0o and OpenSSL 1.0.0p [8 Jan 2015]

 * Fix for [CVE-2014-3571]
 * Fix for [CVE-2015-0206]
 * Fix for [CVE-2014-3569]
 * Fix for [CVE-2014-3572]
 * Fix for [CVE-2015-0204]
 * Fix for [CVE-2015-0205]
 * Fix for [CVE-2014-8275]
 * Fix for [CVE-2014-3570]

### Major changes between OpenSSL 1.0.0n and OpenSSL 1.0.0o [15 Oct 2014]

 * Fix for [CVE-2014-3513]
 * Fix for [CVE-2014-3567]
 * Mitigation for [CVE-2014-3566] (SSL protocol vulnerability)
 * Fix for [CVE-2014-3568]

### Major changes between OpenSSL 1.0.0m and OpenSSL 1.0.0n [6 Aug 2014]

 * Fix for [CVE-2014-3510]
 * Fix for [CVE-2014-3507]
 * Fix for [CVE-2014-3506]
 * Fix for [CVE-2014-3505]
 * Fix for [CVE-2014-3509]
 * Fix for [CVE-2014-3508]

   Known issues in OpenSSL 1.0.0m:

 * EAP-FAST and other applications using tls_session_secret_cb
   won't resume sessions. Fixed in 1.0.0n-dev
 * Compilation failure of s3_pkt.c on some platforms due to missing
   `<limits.h>` include. Fixed in 1.0.0n-dev

### Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [5 Jun 2014]

 * Fix for [CVE-2014-0224]
 * Fix for [CVE-2014-0221]
 * Fix for [CVE-2014-0198]
 * Fix for [CVE-2014-0195]
 * Fix for [CVE-2014-3470]
 * Fix for [CVE-2014-0076]
 * Fix for [CVE-2010-5298]

### Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]

 * Fix for DTLS retransmission bug ([CVE-2013-6450])

### Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]

 * Fix for SSL/TLS/DTLS CBC plaintext recovery attack ([CVE-2013-0169])
 * Fix OCSP bad key DoS attack ([CVE-2013-0166])

### Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]

 * Fix DTLS record length checking bug ([CVE-2012-2333])

### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]

 * Fix for ASN1 overflow bug ([CVE-2012-2110])

### Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]

 * Fix for CMS/PKCS#7 MMA ([CVE-2012-0884])
 * Corrected fix for ([CVE-2011-4619])
 * Various DTLS fixes.
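The entries above record, release by release, what OpenSSL dropped from its DEFAULT cipher list: the export suites (1.0.2a, 1.0.1m, 1.0.0r), LOW, i.e. single DES (1.0.2h, 1.0.1t), 3DES as the target of the SWEET32 mitigation (1.0.2i, 1.0.1u) and RC4 (1.1.0). An application that relies on DEFAULT therefore offers a different set of suites depending on which library it happens to be linked against. The following is an added example, not code from the OpenSSL project: it audits the suites a context will actually put on the wire through Python's standard `ssl` module, which drives the linked OpenSSL, and pins an explicit exclusion list instead of trusting DEFAULT. The weakness families, the classification rules, the hardened cipher string and the `SAMPLE_CIPHERS` list are this example's own constructions.

```python
"""Audit the cipher suites a TLS context will actually offer.

Added example; it is not part of OpenSSL's NEWS file or code base. It uses
only Python's standard ``ssl`` module, which drives whichever OpenSSL the
interpreter was linked against. The weakness families, the classification
rules and the hardened cipher string below are this example's own choices.
"""
import re
import ssl

# "Enc=<cipher>(<bits>)" as it appears in the description field returned by
# SSLContext.get_ciphers(), e.g. "... Au=RSA Enc=3DES(168) Mac=SHA1".
_ENC_RE = re.compile(r"\bEnc=([A-Za-z0-9]+)(?:\((\d+)\))?")


def classify(name, description):
    """Return the weakness family of one get_ciphers() entry, or None.

    The families are the ones OpenSSL removed from DEFAULT in the releases
    above: export suites (1.0.2a / 1.0.1m / 1.0.0r), LOW i.e. single DES
    (1.0.2h / 1.0.1t), RC4 (1.1.0) and 3DES, the target of the SWEET32
    mitigation (1.0.2i / 1.0.1u).
    """
    if name.startswith("EXP"):
        return "EXPORT"          # checked first: export suites also use DES/RC4
    match = _ENC_RE.search(description)
    if match is None:
        return None
    enc = match.group(1)
    if enc == "RC4":
        return "RC4"
    if enc == "DES":
        return "DES"
    if enc == "3DES":
        return "3DES"
    return None


def weak_suites(ciphers):
    """[(suite name, family), ...] for every weak entry in a get_ciphers() list."""
    found = []
    for cipher in ciphers:
        family = classify(cipher["name"], cipher["description"])
        if family is not None:
            found.append((cipher["name"], family))
    return found


def audit(ctx):
    """Weak suites the given SSLContext would offer on the wire."""
    return weak_suites(ctx.get_ciphers())


def library_default_context():
    """Client context using the linked OpenSSL's own DEFAULT list rather than
    Python's narrower built-in cipher string, so the audit shows what the
    library itself ships."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_client_context():
    """Client context that pins an explicit exclusion list instead of trusting
    whatever DEFAULT excludes in the library version at hand. OpenSSL skips a
    cipher-string word it no longer knows, so naming families a newer build
    has already dropped is harmless."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!DES:!3DES:!RC4")
    return ctx


# Constructed sample in the shape of SSLContext.get_ciphers() output, using
# the suite names and descriptions an old 1.0.x library would report.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384",
     "description": "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"},
    {"name": "EXP-DES-CBC-SHA",
     "description": "EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export"},
    {"name": "RC4-SHA",
     "description": "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1"},
    {"name": "DES-CBC3-SHA",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
]


if __name__ == "__main__":
    print("sample 1.0.x list:", weak_suites(SAMPLE_CIPHERS))
    for label, ctx in (("linked library DEFAULT", library_default_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: {len(ctx.get_ciphers())} suites, weak: {audit(ctx)}")
```

The audit reads the `description` field rather than pattern-matching suite names, because the name of a suite such as `ECDHE-RSA-DES-CBC3-SHA` does not say which family its bulk cipher belongs to while `Enc=3DES(168)` does. TLS 1.3 suites are not governed by `set_ciphers()` but still appear in `get_ciphers()`; they classify as clean, which is the intended result.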

### Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]

 * Fix for DTLS DoS issue ([CVE-2012-0050])

### Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]

 * Fix for DTLS plaintext recovery attack ([CVE-2011-4108])
 * Clear block padding bytes of SSL 3.0 records ([CVE-2011-4576])
 * Only allow one SGC handshake restart for SSL/TLS ([CVE-2011-4619])
 * Check parameters are not NULL in GOST ENGINE ([CVE-2012-0027])
 * Check for malformed RFC3779 data ([CVE-2011-4577])

### Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]

 * Fix for CRL vulnerability issue ([CVE-2011-3207])
 * Fix for ECDH crashes ([CVE-2011-3210])
 * Protection against EC timing attacks.
 * Support ECDH ciphersuites for certificates using SHA2 algorithms.
 * Various DTLS fixes.

### Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]

 * Fix for security issue ([CVE-2011-0014])

### Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]

 * Fix for security issue ([CVE-2010-4180])
 * Fix for ([CVE-2010-4252])
 * Fix mishandling of absent EC point format extension.
 * Fix various platform compilation issues.
 * Corrected fix for security issue ([CVE-2010-3864]).

### Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]

 * Fix for security issue ([CVE-2010-3864]).
 * Fix for ([CVE-2010-2939])
 * Fix WIN32 build system for GOST ENGINE.

### Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]

 * Fix for security issue ([CVE-2010-1633]).
 * GOST MAC and CFB fixes.

### Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]

 * RFC3280 path validation: sufficient to process PKITS tests.
 * Integrated support for PVK files and keyblobs.
 * Change default private key format to PKCS#8.
 * CMS support: able to process all examples in RFC4134
 * Streaming ASN1 encode support for PKCS#7 and CMS.
 * Multiple signer and signer add support for PKCS#7 and CMS.
 * ASN1 printing support.
 * Whirlpool hash algorithm added.
 * RFC3161 time stamp support.
 * New generalised public key API supporting ENGINE based algorithms.
 * New generalised public key API utilities.
 * New ENGINE supporting GOST algorithms.
 * SSL/TLS GOST ciphersuite support.
 * PKCS#7 and CMS GOST support.
 * RFC4279 PSK ciphersuite support.
 * Supported points format extension for ECC ciphersuites.
 * ecdsa-with-SHA224/256/384/512 signature types.
 * dsa-with-SHA224 and dsa-with-SHA256 signature types.
 * Opaque PRF Input TLS extension support.
 * Updated time routines to avoid OS limitations.

OpenSSL 0.9.x
-------------

### Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]

 * CFB cipher definition fixes.
 * Fix security issues [CVE-2010-0740] and [CVE-2010-0433].

### Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]

 * Cipher definition fixes.
 * Workaround for slow RAND_poll() on some WIN32 versions.
 * Remove MD2 from algorithm tables.
 * SPKAC handling fixes.
 * Support for RFC5746 TLS renegotiation extension.
 * Compression memory leak fixed.
 * Compression session resumption fixed.
 * Ticket and SNI coexistence fixes.
 * Many fixes to DTLS handling.

### Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]

 * Temporary workaround for [CVE-2009-3555]: disable renegotiation.

### Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]

 * Fix various build issues.
 * Fix security issues [CVE-2009-0590], [CVE-2009-0591], [CVE-2009-0789]

### Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]

 * Fix security issue ([CVE-2008-5077])
 * Merge FIPS 140-2 branch code.

### Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]

 * CryptoAPI ENGINE support.
 * Various precautionary measures.
 * Fix for bugs affecting certificate request creation.
 * Support for local machine keyset attribute in PKCS#12 files.

### Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]

 * Backport of CMS functionality to 0.9.8.
 * Fixes for bugs introduced with 0.9.8f.

### Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]

 * Add gcc 4.2 support.
 * Add support for AES and SSE2 assembly language optimization
   for VC++ build.
 * Support for RFC4507bis and server name extensions if explicitly
   selected at compile time.
 * DTLS improvements.
 * RFC4507bis support.
 * TLS Extensions support.

### Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]

 * Various ciphersuite selection fixes.
 * RFC3779 support.

### Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]

 * Introduce limits to prevent malicious key DoS ([CVE-2006-2940])
 * Fix security issues [CVE-2006-2937], [CVE-2006-3737], [CVE-2006-4343]
 * Changes to ciphersuite selection algorithm

### Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]

 * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339]
 * New cipher Camellia

### Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]

 * Cipher string fixes.
 * Fixes for VC++ 2005.
 * Updated ECC cipher suite support.
 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
 * Zlib compression usage fixes.
 * Built in dynamic engine compilation support on Win32.
 * Fixes for automatic dynamic engine loading on Win32.

### Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]

 * Fix potential SSL 2.0 rollback ([CVE-2005-2969])
 * Extended Windows CE support

### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]

 * Major work on the BIGNUM library for higher efficiency and to
   make operations more streamlined and less contradictory. This
   is the result of a major audit of the BIGNUM library.
 * Addition of BIGNUM functions for fields GF(2^m) and NIST
   curves, to support the Elliptic Crypto functions.
 * Major work on Elliptic Crypto; ECDH and ECDSA added, including
   the use through EVP, X509 and ENGINE.
 * New ASN.1 mini-compiler that's usable through the OpenSSL
   configuration file.
 * Added support for ASN.1 indefinite length constructed encoding.
 * New PKCS#12 'medium level' API to manipulate PKCS#12 files.
 * Complete rework of shared library construction and linking
   programs with shared or static libraries, through a separate
   Makefile.shared.
 * Rework of the passing of parameters from one Makefile to another.
 * Changed ENGINE framework to load dynamic engine modules
   automatically from specifically given directories.
 * New structure and ASN.1 functions for CertificatePair.
 * Changed the ZLIB compression method to be stateful.
 * Changed the key-generation and primality testing "progress"
   mechanism to take a structure that contains the ticker
   function and an argument.
 * New engine module: GMP (performs private key exponentiation).
 * New engine module: VIA PadLock ACE extension in VIA C3
   Nehemiah processors.
 * Added support for IPv6 addresses in certificate extensions.
   See RFC 1884, section 2.2.
1498 * Added support for certificate policy mappings, policy 1499 constraints and name constraints. 1500 * Added support for multi-valued AVAs in the OpenSSL 1501 configuration file. 1502 * Added support for multiple certificates with the same subject 1503 in the 'openssl ca' index file. 1504 * Make it possible to create self-signed certificates using 1505 'openssl ca -selfsign'. 1506 * Make it possible to generate a serial number file with 1507 'openssl ca -create_serial'. 1508 * New binary search functions with extended functionality. 1509 * New BUF functions. 1510 * New STORE structure and library to provide an interface to all 1511 sorts of data repositories. Supports storage of public and 1512 private keys, certificates, CRLs, numbers and arbitrary blobs. 1513 This library is unfortunately unfinished and unused within 1514 OpenSSL. 1515 * New control functions for the error stack. 1516 * Changed the PKCS#7 library to support one-pass S/MIME 1517 processing. 1518 * Added the possibility to compile without old deprecated 1519 functionality with the OPENSSL_NO_DEPRECATED macro or the 1520 'no-deprecated' argument to the config and Configure scripts. 1521 * Constification of all ASN.1 conversion functions, and other 1522 affected functions. 1523 * Improved platform support for PowerPC. 1524 * New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). 1525 * New X509_VERIFY_PARAM structure to support parameterisation 1526 of X.509 path validation. 1527 * Major overhaul of RC4 performance on Intel P4, IA-64 and 1528 AMD64. 1529 * Changed the Configure script to have some algorithms disabled 1530 by default. Those can be explicitly enabled with the new 1531 argument form 'enable-xxx'. 1532 * Change the default digest in 'openssl' commands from MD5 to 1533 SHA-1. 1534 * Added support for DTLS. 1535 * New BIGNUM blinding. 1536 * Added support for the RSA-PSS encryption scheme 1537 * Added support for the RSA X.931 padding. 
  * Added support for BSD sockets on NetWare.
  * Added support for files larger than 2GB.
  * Added initial support for Win64.
  * Added alternate pkg-config files.

### Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]

  * FIPS 1.1.1 module linking.
  * Various ciphersuite selection fixes.

### Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]

  * Introduce limits to prevent malicious key DoS ([CVE-2006-2940])
  * Fix security issues [CVE-2006-2937], [CVE-2006-3737], [CVE-2006-4343]

### Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]

  * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339]

### Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]

  * Visual C++ 2005 fixes.
  * Update Windows build system for FIPS.

### Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]

  * Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.

### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]

  * Fix SSL 2.0 Rollback ([CVE-2005-2969])
  * Allow use of fixed-length exponent on DSA signing
  * Default fixed-window RSA, DSA, DH private-key operations

### Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]

  * More compilation issues fixed.
  * Adaptation to more modern Kerberos API.
  * Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
  * Enhanced x86_64 assembler BIGNUM module.
  * More constification.
  * Added processing of proxy certificates (RFC 3820).

### Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]

  * Several compilation issues fixed.
  * Many memory allocation failure checks added.
  * Improved comparison of X509 Name type.
  * Mandatory basic checks on certificates.
  * Performance improvements.

### Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]

  * Fix race condition in CRL checking code.
  * Fixes to PKCS#7 (S/MIME) code.

### Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]

  * Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
  * Security: Fix null-pointer assignment in do_change_cipher_spec()
  * Allow multiple active certificates with same subject in CA index
  * Multiple X509 verification fixes
  * Speed up HMAC and other operations

### Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]

  * Security: fix various ASN1 parsing bugs.
  * New -ignore_err option to OCSP utility.
  * Various interop and bug fixes in S/MIME code.
  * SSL/TLS protocol fix for unrequested client certificates.

### Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]

  * Security: counter the Klima-Pokorny-Rosa extension of
    Bleichenbacher's attack
  * Security: make RSA blinding default.
  * Configuration: Irix fixes, AIX fixes, better mingw support.
  * Support for new platforms: linux-ia64-ecc.
  * Build: shared library support fixes.
  * ASN.1: treat domainComponent correctly.
  * Documentation: fixes and additions.

### Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]

  * Security: Important security related bugfixes.
  * Enhanced compatibility with MIT Kerberos.
  * Can be built without the ENGINE framework.
  * IA32 assembler enhancements.
  * Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
  * Configuration: the no-err option now works properly.
  * SSL/TLS: now handles manual certificate chain building.
  * SSL/TLS: certain session ID malfunctions corrected.

### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]

  * New library section OCSP.
  * Complete rewrite of ASN1 code.
  * CRL checking in verify code and openssl utility.
  * Extension copying in 'ca' utility.
  * Flexible display options in 'ca' utility.
  * Provisional support for international characters with UTF8.
  * Support for external crypto devices ('engine') is no longer
    a separate distribution.
  * New elliptic curve library section.
  * New AES (Rijndael) library section.
  * Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
    Linux x86_64, Linux 64-bit on Sparc v9
  * Extended support for some platforms: VxWorks
  * Enhanced support for shared libraries.
  * Now only builds PIC code when shared library support is requested.
  * Support for pkg-config.
  * Lots of new manuals.
  * Makes symbolic links to or copies of manuals to cover all described
    functions.
  * Change DES API to clean up the namespace (some applications link also
    against libdes providing similar functions having the same name).
    Provide macros for backward compatibility (will be removed in the
    future).
  * Unify handling of cryptographic algorithms (software and engine)
    to be available via EVP routines for asymmetric and symmetric ciphers.
  * NCONF: new configuration handling routines.
  * Change API to use more 'const' modifiers to improve error checking
    and help optimizers.
  * Finally remove references to RSAref.
  * Reworked parts of the BIGNUM code.
  * Support for new engines: Broadcom ubsec, Accelerated Encryption
    Processing, IBM 4758.
  * A few new engines added in the demos area.
  * Extended and corrected OID (object identifier) table.
  * PRNG: query at more locations for a random device, automatic query for
    EGD style random sources at several locations.
  * SSL/TLS: allow optional cipher choice according to server's preference.
  * SSL/TLS: allow server to explicitly set new session ids.
  * SSL/TLS: support Kerberos cipher suites (RFC2712).
    Only supports MIT Kerberos for now.
  * SSL/TLS: allow more precise control of renegotiations and sessions.
  * SSL/TLS: add callback to retrieve SSL/TLS messages.
  * SSL/TLS: support AES cipher suites (RFC3268).

### Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]

  * Security: fix various ASN1 parsing bugs.
  * SSL/TLS protocol fix for unrequested client certificates.

### Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]

  * Security: counter the Klima-Pokorny-Rosa extension of
    Bleichenbacher's attack
  * Security: make RSA blinding default.
  * Build: shared library support fixes.

### Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]

  * Important security related bugfixes.

### Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]

  * New configuration targets for Tandem OSS and A/UX.
  * New OIDs for Microsoft attributes.
  * Better handling of SSL session caching.
  * Better comparison of distinguished names.
  * Better handling of shared libraries in a mixed GNU/non-GNU environment.
  * Support assembler code with Borland C.
  * Fixes for length problems.
  * Fixes for uninitialised variables.
  * Fixes for memory leaks, some unusual crashes and some race conditions.
  * Fixes for smaller building problems.
  * Updates of manuals, FAQ and other instructive documents.

### Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]

  * Important building fixes on Unix.

### Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]

  * Various important bugfixes.

### Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]

  * Important security related bugfixes.
  * Various SSL/TLS library bugfixes.

### Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]

  * Various SSL/TLS library bugfixes.
  * Fix DH parameter generation for 'non-standard' generators.

### Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]

  * Various SSL/TLS library bugfixes.
  * BIGNUM library fixes.
  * RSA OAEP and random number generation fixes.
  * Object identifiers corrected and added.
  * Add assembler BN routines for IA64.
  * Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
    MIPS Linux; shared library support for Irix, HP-UX.
  * Add crypto accelerator support for AEP, Baltimore SureWare,
    Broadcom and Cryptographic Appliance's keyserver
    [in 0.9.6c-engine release].

### Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]

  * Security fix: PRNG improvements.
  * Security fix: RSA OAEP check.
  * Security fix: Reinsert and fix countermeasure to Bleichenbacher's
    attack.
  * MIPS bug fix in BIGNUM.
  * Bug fix in "openssl enc".
  * Bug fix in X.509 printing routine.
  * Bug fix in DSA verification routine and DSA S/MIME verification.
  * Bug fix to make PRNG thread-safe.
  * Bug fix in RAND_file_name().
  * Bug fix in compatibility mode trust settings.
  * Bug fix in blowfish EVP.
  * Increase default size for BIO buffering filter.
  * Compatibility fixes in some scripts.

### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]

  * Security fix: change behavior of OpenSSL to avoid using
    environment variables when running as root.
  * Security fix: check the result of RSA-CRT to reduce the
    possibility of deducing the private key from an incorrectly
    calculated signature.
  * Security fix: prevent Bleichenbacher's DSA attack.
  * Security fix: Zero the premaster secret after deriving the
    master secret in DH ciphersuites.
  * Reimplement SSL_peek(), which had various problems.
  * Compatibility fix: the function des_encrypt() renamed to
    des_encrypt1() to avoid clashes with some Unixen libc.
  * Bug fixes for Win32, HP/UX and Irix.
  * Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
    memory checking routines.
  * Bug fixes for RSA operations in threaded environments.
  * Bug fixes in misc. openssl applications.
  * Remove a few potential memory leaks.
  * Add tighter checks of BIGNUM routines.
  * Shared library support has been reworked for generality.
  * More documentation.
  * New function BN_rand_range().
  * Add "-rand" option to openssl s_client and s_server.

### Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]

  * Some documentation for BIO and SSL libraries.
  * Enhanced chain verification using key identifiers.
  * New sign and verify options to 'dgst' application.
  * Support for DER and PEM encoded messages in 'smime' application.
  * New 'rsautl' application, low-level RSA utility.
  * MD4 now included.
  * Bugfix for SSL rollback padding check.
  * Support for external crypto devices [1].
  * Enhanced EVP interface.

  [1] The support for external crypto devices is currently a separate
      distribution. See the file README-Engine.md.

### Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]

  * Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
  * Shared library support for HPUX and Solaris-gcc
  * Support of Linux/IA64
  * Assembler support for Mingw32
  * New 'rand' application
  * New way to check for existence of algorithms from scripts

### Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]

  * S/MIME support in new 'smime' command
  * Documentation for the OpenSSL command line application
  * Automation of 'req' application
  * Fixes to make s_client, s_server work under Windows
  * Support for multiple fieldnames in SPKACs
  * New SPKAC command line utility and associated library functions
  * Options to allow passwords to be obtained from various sources
  * New public key PEM format and options to handle it
  * Many other fixes and enhancements to command line utilities
  * Usable certificate chain verification
  * Certificate purpose checking
  * Certificate trust settings
  * Support of authority information access extension
  * Extensions in certificate requests
  * Simplified X509 name and attribute routines
  * Initial (incomplete) support for international character sets
  * New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
  * Read only memory BIOs and simplified creation function
  * TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
    record; allow fragmentation and interleaving of handshake and other
    data
  * TLS/SSL code now "tolerates" MS SGC
  * Work around for Netscape client certificate hang bug
  * RSA_NULL option that removes RSA patent code but keeps other
    RSA functionality
  * Memory leak detection now allows applications to add extra information
    via a per-thread stack
  * PRNG robustness improved
  * EGD support
  * BIGNUM library bug fixes
  * Faster DSA parameter generation
  * Enhanced support for Alpha Linux
  * Experimental macOS support

### Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]

  * Transparent support for PKCS#8 format private keys: these are used
    by several software packages and are more secure than the standard
    form
  * PKCS#5 v2.0 implementation
  * Password callbacks have a new void * argument for application data
  * Avoid various memory leaks
  * New pipe-like BIO that allows using the SSL library when actual I/O
    must be handled by the application (BIO pair)

### Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]

  * Lots of enhancements and cleanups to the Configuration mechanism
  * RSA OAEP related fixes
  * Added "openssl ca -revoke" option for revoking a certificate
  * Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
  * Source tree cleanups: removed lots of obsolete files
  * Thawte SXNet, certificate policies and CRL distribution points
    extension support
  * Preliminary (experimental) S/MIME support
  * Support for ASN.1 UTF8String and VisibleString
  * Full integration of PKCS#12 code
  * Sparc assembler bignum implementation, optimized hash functions
  * Option to disable selected ciphers

### Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]

  * Fixed a security hole related to session resumption
  * Fixed RSA encryption routines for the p < q case
  * "ALL" in cipher lists now means "everything except NULL ciphers"
  * Support for Triple-DES CBCM cipher
  * Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
  * First support for new TLSv1 ciphers
  * Added a few new BIOs (syslog BIO, reliable BIO)
  * Extended support for DSA certificate/keys.
  * Extended support for Certificate Signing Requests (CSR)
  * Initial support for X.509v3 extensions
  * Extended support for compression inside the SSL record layer
  * Overhauled Win32 builds
  * Cleanups and fixes to the Big Number (BN) library
  * Support for ASN.1 GeneralizedTime
  * Split ASN.1 SETs from SEQUENCEs
  * ASN1 and PEM support for Netscape Certificate Sequences
  * Overhauled Perl interface
  * Lots of source tree cleanups.
  * Lots of memory leak fixes.
  * Lots of bug fixes.

### Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]

  * Integration of the popular NO_RSA/NO_DSA patches
  * Initial support for compression inside the SSL record layer
  * Added BIO proxy and filtering functionality
  * Extended Big Number (BN) library
  * Added RIPE MD160 message digest
  * Added support for RC2/64bit cipher
  * Extended ASN.1 parser routines
  * Adjustments of the source tree for CVS
  * Support for various new platforms

<!-- Links -->
[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
[CVE-2014-0198]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0198
[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
[CVE-2013-6449]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6449
[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
[CVE-2010-5298]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-5298
[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
[CVE-2010-2939]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-2939
[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
[CVE-2006-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3737
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
[OpenSSL Guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html
[CHANGES.md]: ./CHANGES.md
[README-QUIC.md]: ./README-QUIC.md
[issue tracker]: https://github.com/openssl/openssl/issues
[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
[jitterentropy-library]: https://github.com/smuellerDD/jitterentropy-library