1NEWS 2==== 3 4This file gives a brief overview of the major changes between each OpenSSL 5release. For more details please read the CHANGES file. 6 7OpenSSL Releases 8---------------- 9 10 - [OpenSSL 3.5](#openssl-35) 11 - [OpenSSL 3.4](#openssl-34) 12 - [OpenSSL 3.3](#openssl-33) 13 - [OpenSSL 3.2](#openssl-32) 14 - [OpenSSL 3.1](#openssl-31) 15 - [OpenSSL 3.0](#openssl-30) 16 - [OpenSSL 1.1.1](#openssl-111) 17 - [OpenSSL 1.1.0](#openssl-110) 18 - [OpenSSL 1.0.2](#openssl-102) 19 - [OpenSSL 1.0.1](#openssl-101) 20 - [OpenSSL 1.0.0](#openssl-100) 21 - [OpenSSL 0.9.x](#openssl-09x) 22 23OpenSSL 3.5 24----------- 25 26### Major changes between OpenSSL 3.5.2 and OpenSSL 3.5.3 [16 Sep 2025] 27 28 * Added FIPS 140-3 PCT on DH key generation. 29 30 *Nikola Pajkovsky* 31 32 * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. 33 34 *Richard Levitte* 35 36### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025] 37 38 * none 39 40### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025] 41 42OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this 43release is Low. 44 45This release incorporates the following bug fixes and mitigations: 46 47 * Fix x509 application adds trusted use instead of rejected use. 48 ([CVE-2025-4575]) 49 50### Major changes between OpenSSL 3.4 and OpenSSL 3.5.0 [8 Apr 2025] 51 52OpenSSL 3.5.0 is a feature release adding significant new functionality to 53OpenSSL. 54 55This release incorporates the following potentially significant or incompatible 56changes: 57 58 * Default encryption cipher for the `req`, `cms`, and `smime` applications 59 changed from `des-ede3-cbc` to `aes-256-cbc`. 60 61 * The default TLS supported groups list has been changed to include and 62 prefer hybrid PQC KEM groups. Some practically unused groups were removed 63 from the default list. 64 65 * The default TLS keyshares have been changed to offer X25519MLKEM768 and 66 and X25519. 67 68 * All `BIO_meth_get_*()` functions were deprecated. 69 70This release adds the following new features: 71 72 * Support for server side QUIC (RFC 9000) 73 74 * Support for 3rd party QUIC stacks including 0-RTT support 75 76 * Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA) 77 78 * A new configuration option `no-tls-deprecated-ec` to disable support for 79 TLS groups deprecated in RFC8422 80 81 * A new configuration option `enable-fips-jitter` to make the FIPS provider 82 to use the `JITTER` seed source 83 84 * Support for central key generation in CMP 85 86 * Support added for opaque symmetric key objects (EVP_SKEY) 87 88 * Support for multiple TLS keyshares and improved TLS key establishment group 89 configurability 90 91 * API support for pipelining in provided cipher algorithms 92 93Known issues in 3.5.0 94 95 * <https://github.com/openssl/openssl/issues/27282> 96 Calling SSL_accept on objects returned from SSL_accept_connection 97 results in error. It is expected that making this call will advance 98 the SSL handshake for the passed connection, but currently it does not. 99 This can be handled by calling SSL_do_handshake instead. A fix is planned 100 for OpenSSL 3.5.1 101 102OpenSSL 3.4 103----------- 104 105### Major changes between OpenSSL 3.4.0 and OpenSSL 3.4.1 [11 Feb 2025] 106 107OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this 108release is High. 109 110This release incorporates the following bug fixes and mitigations: 111 112 * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. 113 ([CVE-2024-12797]) 114 115 * Fixed timing side-channel in ECDSA signature computation. 116 ([CVE-2024-13176]) 117 118### Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024] 119 120OpenSSL 3.4.0 is a feature release adding significant new functionality to 121OpenSSL. 122 123This release incorporates the following potentially significant or incompatible 124changes: 125 126 * Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement 127 TS_VERIFY_CTX_set0_* functions with improved semantics 128 129 * Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that 130 what were formerly build time locations can now be defined at run time 131 with registry keys 132 133 * The X25519 and X448 key exchange implementation in the FIPS provider 134 is unapproved and has `fips=no` property. 135 136 * SHAKE-128 and SHAKE-256 implementations have no default digest length 137 anymore. That means these algorithms cannot be used with 138 EVP_DigestFinal/_ex() unless the `xoflen` param is set before. 139 140 * Setting `config_diagnostics=1` in the config file will cause errors to 141 be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error 142 in the ssl module configuration. 143 144 * An empty renegotiate extension will be used in TLS client hellos instead 145 of the empty renegotiation SCSV, for all connections with a minimum TLS 146 version > 1.0. 147 148 * Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and 149 SSL_CTX_flush_sessions() functions in favor of their respective `_ex` 150 functions which are Y2038-safe on platforms with Y2038-safe `time_t` 151 152This release adds the following new features: 153 154 * Support for directly fetched composite signature algorithms such as 155 RSA-SHA2-256 including new API functions 156 157 * FIPS indicators support in the FIPS provider and various updates of the FIPS 158 provider required for future FIPS 140-3 validations 159 160 * Implementation of RFC 9579 (PBMAC1) in PKCS#12 161 162 * An optional additional random seed source RNG `JITTER` using a statically 163 linked jitterentropy library 164 165 * New options `-not_before` and `-not_after` for explicit setting start and 166 end dates of certificates created with the `req` and `x509` apps 167 168 * Support for integrity-only cipher suites TLS_SHA256_SHA256 and 169 TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150 170 171 * Support for retrieving certificate request templates and CRLs in CMP 172 173 * Support for additional X.509v3 extensions related to Attribute Certificates 174 175 * Initial Attribute Certificate (RFC 5755) support 176 177 * Possibility to customize ECC groups initialization to use precomputed values 178 to save CPU time and use of this feature by the P-256 implementation 179 180OpenSSL 3.3 181----------- 182 183### Major changes between OpenSSL 3.3.2 and OpenSSL 3.3.3 [under development] 184 185OpenSSL 3.3.3 is a security patch release. The most severe CVE fixed in this 186release is Low. 187 188This release incorporates the following bug fixes and mitigations: 189 190 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic 191 curve parameters. 192 ([CVE-2024-9143]) 193 194### Major changes between OpenSSL 3.3.1 and OpenSSL 3.3.2 [3 Sep 2024] 195 196OpenSSL 3.3.2 is a security patch release. The most severe CVE fixed in this 197release is Moderate. 198 199This release incorporates the following bug fixes and mitigations: 200 201 * Fixed possible denial of service in X.509 name checks 202 ([CVE-2024-6119]) 203 204 * Fixed possible buffer overread in SSL_select_next_proto() 205 ([CVE-2024-5535]) 206 207### Major changes between OpenSSL 3.3.0 and OpenSSL 3.3.1 [4 Jun 2024] 208 209OpenSSL 3.3.1 is a security patch release. The most severe CVE fixed in this 210release is Low. 211 212This release incorporates the following bug fixes and mitigations: 213 214 * Fixed potential use after free after SSL_free_buffers() is called 215 ([CVE-2024-4741]) 216 217 * Fixed an issue where checking excessively long DSA keys or parameters may 218 be very slow 219 ([CVE-2024-4603]) 220 221### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024] 222 223OpenSSL 3.3.0 is a feature release adding significant new functionality to 224OpenSSL. 225 226This release adds the following new features: 227 228 * Support for qlog for tracing QUIC connections has been added 229 230 * Added APIs to allow configuring the negotiated idle timeout for QUIC 231 connections, and to allow determining the number of additional streams 232 that can currently be created for a QUIC connection. 233 234 * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL 235 objects 236 237 * Added APIs to allow querying the size and utilisation of a QUIC stream's 238 write buffer 239 240 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN) 241 condition in an optimised way when using QUIC. 242 243 * Limited support for polling of QUIC connection and stream objects in a 244 non-blocking manner. 245 246 * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple 247 times with different output sizes. 248 249 * Added exporter for CMake on Unix and Windows, alongside the pkg-config 250 exporter. 251 252 * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable 253 output length. 254 255 * The EVP_PKEY_fromdata function has been augmented to allow for the 256 derivation of CRT (Chinese Remainder Theorem) parameters when requested 257 258 * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() 259 using time_t which is Y2038 safe on 32 bit systems when 64 bit time 260 is enabled 261 262 * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms 263 config options and the respective calls to SSL[_CTX]_set1_sigalgs() and 264 SSL[_CTX]_set1_client_sigalgs() that start with `?` character are 265 ignored and the configuration will still be used. 266 267 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to 268 override the Issuer and Subject when creating a certificate. The `-subj` 269 option now is an alias for `-set_subject`. 270 271 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483 272 273 * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3 274 server to prefer session resumption using PSK-only key exchange over PSK 275 with DHE, if both are available. 276 277 * New atexit configuration switch, which controls whether the OPENSSL_cleanup 278 is registered when libcrypto is unloaded. 279 280 * Added X509_STORE_get1_objects to avoid issues with the existing 281 X509_STORE_get0_objects API in multi-threaded applications. 282 283 * Support for using certificate profiles and extened delayed delivery in CMP 284 285This release incorporates the following potentially significant or incompatible 286changes: 287 288 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100 289 290 * Optimized AES-CTR for ARM Neoverse V1 and V2 291 292 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems 293 similar to M1/M2. 294 295 * Various optimizations for cryptographic routines using RISC-V vector crypto 296 extensions 297 298 * Added assembly implementation for md5 on loongarch64 299 300 * Accept longer context for TLS 1.2 exporters 301 302 * The activate and soft_load configuration settings for providers in 303 openssl.cnf have been updated to require a value of [1|yes|true|on] 304 (in lower or UPPER case) to enable the setting. Conversely a value 305 of [0|no|false|off] will disable the setting. 306 307 * In `openssl speed`, changed the default hash function used with `hmac` from 308 `md5` to `sha256`. 309 310 * The `-verify` option to the `openssl crl` and `openssl req` will make the 311 program exit with 1 on failure. 312 313 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and 314 related functions have been augmented to check for a minimum length of 315 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8. 316 317 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1 318 if called with a NULL stack argument. 319 320 * New limit on HTTP response headers is introduced to HTTP client. The 321 default limit is set to 256 header lines. 322 323This release incorporates the following bug fixes and mitigations: 324 325 * The BIO_get_new_index() function can only be called 127 times before it 326 reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its 327 exhausted. 328 329A more detailed list of changes in this release can be found in the 330[CHANGES.md] file. 331 332Users interested in using the new QUIC functionality are encouraged to read the 333[README file for QUIC][README-QUIC.md], which provides links to relevant 334documentation and example code. 335 336As always, bug reports and issues relating to OpenSSL can be [filed on our issue 337tracker][issue tracker]. 338 339OpenSSL 3.2 340----------- 341 342### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development] 343 344OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this 345release is Low. 346 347This release incorporates the following bug fixes and mitigations: 348 349 * Fixed unbounded memory growth with session handling in TLSv1.3 350 ([CVE-2024-2511]) 351 352### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024] 353 354OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this 355release is Low. 356 357This release incorporates the following bug fixes and mitigations: 358 359 * Fixed PKCS12 Decoding crashes 360 ([CVE-2024-0727]) 361 362 * Fixed excessive time spent checking invalid RSA public keys 363 ([CVE-2023-6237]) 364 365 * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC 366 CPUs which support PowerISA 2.07 367 ([CVE-2023-6129]) 368 369### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023] 370 371OpenSSL 3.2.0 is a feature release adding significant new functionality to 372OpenSSL. 373 374This release incorporates the following potentially significant or incompatible 375changes: 376 377 * The default SSL/TLS security level has been changed from 1 to 2. 378 379 * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates. 380 381 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings 382 by default. Also spaces surrounding `=` in DN output are removed. 383 384This release adds the following new features: 385 386 * Support for client side QUIC, including support for 387 multiple streams (RFC 9000) 388 389 * Support for Ed25519ctx, Ed25519ph and Ed448ph in addition 390 to existing support for Ed25519 and Ed448 (RFC 8032) 391 392 * Support for deterministic ECDSA signatures (RFC 6979) 393 394 * Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452) 395 396 * Support for the Argon2 KDF, along with supporting thread pool 397 functionality (RFC 9106) 398 399 * Support for Hybrid Public Key Encryption (HPKE) (RFC 9180) 400 401 * Support for SM4-XTS 402 403 * Support for Brainpool curves in TLS 1.3 404 405 * Support for TLS Raw Public Keys (RFC 7250) 406 407 * Support for TCP Fast Open on Linux, macOS and FreeBSD, 408 where enabled and supported (RFC 7413) 409 410 * Support for TLS certificate compression, including library 411 support for zlib, Brotli and zstd (RFC 8879) 412 413 * Support for provider-based pluggable signature algorithms 414 in TLS 1.3 with supporting CMS and X.509 functionality 415 416 With a suitable provider this enables the use of post-quantum/quantum-safe 417 cryptography. 418 419 * Support for using the Windows system certificate store as a source of 420 trusted root certificates 421 422 This is not yet enabled by default and must be activated using an 423 environment variable. This is likely to become enabled by default 424 in a future feature release. 425 426 * Support for using the IANA standard names in TLS ciphersuite configuration 427 428 * Multiple new features and improvements to CMP protocol support 429 430The following known issues are present in this release and will be rectified 431in a future release: 432 433 * Provider-based signature algorithms cannot be configured using the 434 SignatureAlgorithms configuration file parameter (#22761) 435 436This release incorporates the following documentation enhancements: 437 438 * Added multiple tutorials on the OpenSSL library and in particular 439 on writing various clients (using TLS and QUIC protocols) with libssl 440 441 See [OpenSSL Guide]. 442 443This release incorporates the following bug fixes and mitigations: 444 445 * Fixed excessive time spent in DH check / generation with large Q parameter 446 value 447 ([CVE-2023-5678]) 448 449A more detailed list of changes in this release can be found in the 450[CHANGES.md] file. 451 452Users interested in using the new QUIC functionality are encouraged to read the 453[README file for QUIC][README-QUIC.md], which provides links to relevant 454documentation and example code. 455 456As always, bug reports and issues relating to OpenSSL can be [filed on our issue 457tracker][issue tracker]. 458 459OpenSSL 3.1 460----------- 461 462### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023] 463 464 * Mitigate incorrect resize handling for symmetric cipher keys and IVs. 465 ([CVE-2023-5363]) 466 467### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023] 468 469 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows 470 ([CVE-2023-4807]) 471 472### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] 473 474 * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) 475 * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) 476 * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) 477 * When building with the `enable-fips` option and using the resulting 478 FIPS provider, TLS 1.2 will, by default, mandate the use of an 479 extended master secret and the Hash and HMAC DRBGs will not operate 480 with truncated digests. 481 482### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023] 483 484 * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT 485 IDENTIFIER sub-identities. ([CVE-2023-2650]) 486 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms 487 ([CVE-2023-1255]) 488 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466]) 489 * Fixed handling of invalid certificate policies in leaf certificates 490 ([CVE-2023-0465]) 491 * Limited the number of nodes created in a policy tree ([CVE-2023-0464]) 492 493### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023] 494 495 * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0. 496 * Performance enhancements and new platform support including new 497 assembler code algorithm implementations. 498 * Deprecated LHASH statistics functions. 499 * FIPS 140-3 compliance changes. 500 501OpenSSL 3.0 502----------- 503 504### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023] 505 506 * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) 507 * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286]) 508 * Fixed NULL dereference validating DSA public key ([CVE-2023-0217]) 509 * Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216]) 510 * Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215]) 511 * Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450]) 512 * Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304]) 513 * Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203]) 514 * Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996]) 515 516### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022] 517 518 * Added RIPEMD160 to the default provider. 519 * Fixed regressions introduced in 3.0.6 version. 520 * Fixed two buffer overflows in punycode decoding functions. 521 ([CVE-2022-3786]) and ([CVE-2022-3602]) 522 523### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022] 524 525 * Fix for custom ciphers to prevent accidental use of NULL encryption 526 ([CVE-2022-3358]) 527 528### Major changes between OpenSSL 3.0.4 and OpenSSL 3.0.5 [5 Jul 2022] 529 530 * Fixed heap memory corruption with RSA private key operation 531 ([CVE-2022-2274]) 532 * Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms 533 ([CVE-2022-2097]) 534 535### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022] 536 537 * Fixed additional bugs in the c_rehash script which was not properly 538 sanitising shell metacharacters to prevent command injection 539 ([CVE-2022-2068]) 540 541### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022] 542 543 * Fixed a bug in the c_rehash script which was not properly sanitising shell 544 metacharacters to prevent command injection ([CVE-2022-1292]) 545 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer 546 certificate on an OCSP response ([CVE-2022-1343]) 547 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the 548 AAD data as the MAC key ([CVE-2022-1434]) 549 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory 550 occupied by the removed hash table entries ([CVE-2022-1473]) 551 552### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022] 553 554 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever 555 for non-prime moduli ([CVE-2022-0778]) 556 557### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021] 558 559 * Fixed invalid handling of X509_verify_cert() internal errors in libssl 560 ([CVE-2021-4044]) 561 * Allow fetching an operation from the provider that owns an unexportable key 562 as a fallback if that is still allowed by the property query. 563 564### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021] 565 566 * Enhanced 'openssl list' with many new options. 567 * Added migration guide to man7. 568 * Implemented support for fully "pluggable" TLSv1.3 groups. 569 * Added support for Kernel TLS (KTLS). 570 * Changed the license to the Apache License v2.0. 571 * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, 572 RC4, RC5, and DES to the legacy provider. 573 * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy 574 provider. 575 * Added convenience functions for generating asymmetric key pairs. 576 * Deprecated the `OCSP_REQ_CTX` type and functions. 577 * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions. 578 * Deprecated the `RSA` and `RSA_METHOD` types and functions. 579 * Deprecated the `DSA` and `DSA_METHOD` types and functions. 580 * Deprecated the `DH` and `DH_METHOD` types and functions. 581 * Deprecated the `ERR_load_` functions. 582 * Remove the `RAND_DRBG` API. 583 * Deprecated the `ENGINE` API. 584 * Added `OSSL_LIB_CTX`, a libcrypto library context. 585 * Added various `_ex` functions to the OpenSSL API that support using 586 a non-default `OSSL_LIB_CTX`. 587 * Interactive mode is removed from the 'openssl' program. 588 * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are 589 included in the FIPS provider. 590 * X509 certificates signed using SHA1 are no longer allowed at security 591 level 1 or higher. The default security level for TLS is 1, so 592 certificates signed using SHA1 are by default no longer trusted to 593 authenticate servers or clients. 594 * enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly 595 disabled; the project uses address sanitize/leak-detect instead. 596 * Added a Certificate Management Protocol (CMP, RFC 4210) implementation 597 also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). 598 It is part of the crypto lib and adds a 'cmp' app with a demo configuration. 599 All widely used CMP features are supported for both clients and servers. 600 * Added a proper HTTP client supporting GET with optional redirection, POST, 601 arbitrary request and response content types, TLS, persistent connections, 602 connections via HTTP(s) proxies, connections and exchange via user-defined 603 BIOs (allowing implicit connections), and timeout checks. 604 * Added util/check-format.pl for checking adherence to the coding guidelines. 605 * Added OSSL_ENCODER, a generic encoder API. 606 * Added OSSL_DECODER, a generic decoder API. 607 * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM. 608 * Added error raising macros, ERR_raise() and ERR_raise_data(). 609 * Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(), 610 ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and 611 ERR_func_error_string(). 612 * Added OSSL_PROVIDER_available(), to check provider availability. 613 * Added 'openssl mac' that uses the EVP_MAC API. 614 * Added 'openssl kdf' that uses the EVP_KDF API. 615 * Add OPENSSL_info() and 'openssl info' to get built-in data. 616 * Add support for enabling instrumentation through trace and debug 617 output. 618 * Changed our version number scheme and set the next major release to 619 3.0.0 620 * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC 621 bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305 622 and SIPHASH. 623 * Removed the heartbeat message in DTLS feature. 624 * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to 625 EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2, 626 PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF. 627 * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, 628 SHA256, SHA384, SHA512 and Whirlpool digest functions have been 629 deprecated. 630 * All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2, 631 RC4, RC5 and SEED cipher functions have been deprecated. 632 * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions 633 have been deprecated. 634 * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, 635 except when RSA key exchange without SHA1 is used. 636 * Added providers, a new pluggability concept that will replace the 637 ENGINE API and ENGINE implementations. 638 639OpenSSL 1.1.1 640------------- 641 642### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021] 643 644 * Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711]) 645 * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712]) 646 647### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] 648 649 * Fixed a problem with verifying a certificate chain when using the 650 X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450]) 651 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously 652 crafted renegotiation ClientHello message from a client ([CVE-2021-3449]) 653 654### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] 655 656 * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() 657 function ([CVE-2021-23841]) 658 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING 659 padding mode to correctly check for rollback attacks 660 * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and 661 EVP_DecryptUpdate functions ([CVE-2021-23840]) 662 * Fixed SRP_Calc_client_key so that it runs in constant time 663 664### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] 665 666 * Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971]) 667 668### Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] 669 670 * Disallow explicit curve parameters in verifications chains when 671 X509_V_FLAG_X509_STRICT is used 672 * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS 673 contexts 674 * Oracle Developer Studio will start reporting deprecation warnings 675 676### Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] 677 678 * Fixed segmentation fault in SSL_check_chain() ([CVE-2020-1967]) 679 680### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020] 681 682 * Revert the unexpected EOF reporting via SSL_ERROR_SSL 683 684### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] 685 686 * Fixed an overflow bug in the x64_64 Montgomery squaring procedure 687 used in exponentiation with 512-bit moduli ([CVE-2019-1551]) 688 689### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] 690 691 * Fixed a fork protection issue ([CVE-2019-1549]) 692 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 693 ([CVE-2019-1563]) 694 * For built-in EC curves, ensure an EC_GROUP built from the curve name is 695 used even when parsing explicit parameters 696 * Compute ECC cofactors if not provided during EC_GROUP construction 697 ([CVE-2019-1547]) 698 * Early start up entropy quality from the DEVRANDOM seed source has been 699 improved for older Linux systems 700 * Correct the extended master secret constant on EBCDIC systems 701 * Use Windows installation paths in the mingw builds ([CVE-2019-1552]) 702 * Changed DH_check to accept parameters with order q and 2q subgroups 703 * Significantly reduce secure memory usage by the randomness pools 704 * Revert the DEVRANDOM_WAIT feature for Linux systems 705 706### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019] 707 708 * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543]) 709 710### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019] 711 712 * Change the info callback signals for the start and end of a post-handshake 713 message exchange in TLSv1.3. 714 * Fix a bug in DTLS over SCTP. This breaks interoperability with older 715 versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. 716 717### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] 718 719 * Timing vulnerability in DSA signature generation ([CVE-2018-0734]) 720 * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735]) 721 722### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] 723 724 * Support for TLSv1.3 added. The TLSv1.3 implementation includes: 725 * Fully compliant implementation of RFC8446 (TLSv1.3) on by default 726 * Early data (0-RTT) 727 * Post-handshake authentication and key update 728 * Middlebox Compatibility Mode 729 * TLSv1.3 PSKs 730 * Support for all five RFC8446 ciphersuites 731 * RSA-PSS signature algorithms (backported to TLSv1.2) 732 * Configurable session ticket support 733 * Stateless server support 734 * Rewrite of the packet construction code for "safer" packet handling 735 * Rewrite of the extension handling code 736 For further important information, see the [TLS1.3 page]( 737 https://github.com/openssl/openssl/wiki/TLS1.3) in the OpenSSL Wiki. 738 739 * Complete rewrite of the OpenSSL random number generator to introduce the 740 following capabilities 741 * The default RAND method now utilizes an AES-CTR DRBG according to 742 NIST standard SP 800-90Ar1. 743 * Support for multiple DRBG instances with seed chaining. 744 * There is a public and private DRBG instance. 745 * The DRBG instances are fork-safe. 746 * Keep all global DRBG instances on the secure heap if it is enabled. 747 * The public and private DRBG instance are per thread for lock free 748 operation 749 * Support for various new cryptographic algorithms including: 750 * SHA3 751 * SHA512/224 and SHA512/256 752 * EdDSA (both Ed25519 and Ed448) including X509 and TLS support 753 * X448 (adding to the existing X25519 support in 1.1.0) 754 * Multi-prime RSA 755 * SM2 756 * SM3 757 * SM4 758 * SipHash 759 * ARIA (including TLS support) 760 * Significant Side-Channel attack security improvements 761 * Add a new ClientHello callback to provide the ability to adjust the SSL 762 object at an early stage. 763 * Add 'Maximum Fragment Length' TLS extension negotiation and support 764 * A new STORE module, which implements a uniform and URI based reader of 765 stores that can contain keys, certificates, CRLs and numerous other 766 objects. 767 * Move the display of configuration data to configdata.pm. 768 * Allow GNU style "make variables" to be used with Configure. 769 * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes 770 * Rewrite of devcrypto engine 771 772OpenSSL 1.1.0 773------------- 774 775### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019] 776 777 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 778 ([CVE-2019-1563]) 779 * For built-in EC curves, ensure an EC_GROUP built from the curve name is 780 used even when parsing explicit parameters 781 * Compute ECC cofactors if not provided during EC_GROUP construction 782 ([CVE-2019-1547]) 783 * Use Windows installation paths in the mingw builds ([CVE-2019-1552]) 784 785### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019] 786 787 * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543]) 788 789### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018] 790 791 * Timing vulnerability in DSA signature generation ([CVE-2018-0734]) 792 * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735]) 793 794### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] 795 796 * Client DoS due to large DH parameter ([CVE-2018-0732]) 797 * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737]) 798 799### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] 800 801 * Constructed ASN.1 types with a recursive definition could exceed the 802 stack ([CVE-2018-0739]) 803 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC ([CVE-2018-0733]) 804 * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738]) 805 806### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017] 807 808 * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736]) 809 * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735]) 810 811### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017] 812 813 * config now recognises 64-bit mingw and chooses mingw64 instead of mingw 814 815### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017] 816 817 * Encrypt-Then-Mac renegotiation crash ([CVE-2017-3733]) 818 819### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017] 820 821 * Truncated packet could crash via OOB read ([CVE-2017-3731]) 822 * Bad (EC)DHE parameters cause a client crash ([CVE-2017-3730]) 823 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732]) 824 825### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016] 826 827 * ChaCha20/Poly1305 heap-buffer-overflow ([CVE-2016-7054]) 828 * CMS Null dereference ([CVE-2016-7053]) 829 * Montgomery multiplication may produce incorrect results ([CVE-2016-7055]) 830 831### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016] 832 833 * Fix Use After Free for large message sizes ([CVE-2016-6309]) 834 835### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016] 836 837 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304]) 838 * SSL_peek() hang on empty record ([CVE-2016-6305]) 839 * Excessive allocation of memory in tls_get_message_header() 840 ([CVE-2016-6307]) 841 * Excessive allocation of memory in dtls1_preprocess_fragment() 842 ([CVE-2016-6308]) 843 844### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016] 845 846 * Copyright text was shrunk to a boilerplate that points to the license 847 * "shared" builds are now the default when possible 848 * Added support for "pipelining" 849 * Added the AFALG engine 850 * New threading API implemented 851 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl 852 * Support for extended master secret 853 * CCM ciphersuites 854 * Reworked test suite, now based on perl, Test::Harness and Test::More 855 * *Most* libcrypto and libssl public structures were made opaque, 856 including: 857 BIGNUM and associated types, EC_KEY and EC_KEY_METHOD, 858 DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD, 859 BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, 860 EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX, 861 X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE, 862 X509_LOOKUP, X509_LOOKUP_METHOD 863 * libssl internal structures made opaque 864 * SSLv2 support removed 865 * Kerberos ciphersuite support removed 866 * RC4 removed from DEFAULT ciphersuites in libssl 867 * 40 and 56 bit cipher support removed from libssl 868 * All public header files moved to include/openssl, no more symlinking 869 * SSL/TLS state machine, version negotiation and record layer rewritten 870 * EC revision: now operations use new EC_KEY_METHOD. 871 * Support for OCB mode added to libcrypto 872 * Support for asynchronous crypto operations added to libcrypto and libssl 873 * Deprecated interfaces can now be disabled at build time either 874 relative to the latest release via the "no-deprecated" Configure 875 argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. 876 * Application software can be compiled with -DOPENSSL_API_COMPAT=version 877 to ensure that features deprecated in that version are not exposed. 878 * Support for RFC6698/RFC7671 DANE TLSA peer authentication 879 * Change of Configure to use --prefix as the main installation 880 directory location rather than --openssldir. The latter becomes 881 the directory for certs, private key and openssl.cnf exclusively. 882 * Reworked BIO networking library, with full support for IPv6. 883 * New "unified" build system 884 * New security levels 885 * Support for scrypt algorithm 886 * Support for X25519 887 * Extended SSL_CONF support using configuration files 888 * KDF algorithm support. Implement TLS PRF as a KDF. 889 * Support for Certificate Transparency 890 * HKDF support. 891 892OpenSSL 1.0.2 893------------- 894 895### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] 896 897 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 898 ([CVE-2019-1563]) 899 * For built-in EC curves, ensure an EC_GROUP built from the curve name is 900 used even when parsing explicit parameters 901 * Compute ECC cofactors if not provided during EC_GROUP construction 902 ([CVE-2019-1547]) 903 * Document issue with installation paths in diverse Windows builds 904 ([CVE-2019-1552]) 905 906### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] 907 908 * None 909 910### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] 911 912 * 0-byte record padding oracle ([CVE-2019-1559]) 913 914### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] 915 916 * Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407]) 917 * Timing vulnerability in DSA signature generation ([CVE-2018-0734]) 918 919### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] 920 921 * Client DoS due to large DH parameter ([CVE-2018-0732]) 922 * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737]) 923 924### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] 925 926 * Constructed ASN.1 types with a recursive definition could exceed the 927 stack ([CVE-2018-0739]) 928 929### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017] 930 931 * Read/write after SSL object in error state ([CVE-2017-3737]) 932 * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738]) 933 934### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017] 935 936 * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736]) 937 * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735]) 938 939### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017] 940 941 * config now recognises 64-bit mingw and chooses mingw64 instead of mingw 942 943### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] 944 945 * Truncated packet could crash via OOB read ([CVE-2017-3731]) 946 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732]) 947 * Montgomery multiplication may produce incorrect results ([CVE-2016-7055]) 948 949### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] 950 951 * Missing CRL sanity check ([CVE-2016-7052]) 952 953### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] 954 955 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304]) 956 * SWEET32 Mitigation ([CVE-2016-2183]) 957 * OOB write in MDC2_Update() ([CVE-2016-6303]) 958 * Malformed SHA512 ticket DoS ([CVE-2016-6302]) 959 * OOB write in BN_bn2dec() ([CVE-2016-2182]) 960 * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180]) 961 * Pointer arithmetic undefined behaviour ([CVE-2016-2177]) 962 * Constant time flag not preserved in DSA signing ([CVE-2016-2178]) 963 * DTLS buffered message DoS ([CVE-2016-2179]) 964 * DTLS replay protection DoS ([CVE-2016-2181]) 965 * Certificate message OOB reads ([CVE-2016-6306]) 966 967### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] 968 969 * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107]) 970 * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105]) 971 * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106]) 972 * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109]) 973 * EBCDIC overread ([CVE-2016-2176]) 974 * Modify behavior of ALPN to invoke callback after SNI/servername 975 callback, such that updates to the SSL_CTX affect ALPN. 976 * Remove LOW from the DEFAULT cipher list. This removes singles DES from 977 the default. 978 * Only remove the SSLv2 methods with the no-ssl2-method option. 979 980### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] 981 982 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. 983 * Disable SSLv2 default build, default negotiation and weak ciphers 984 ([CVE-2016-0800]) 985 * Fix a double-free in DSA code ([CVE-2016-0705]) 986 * Disable SRP fake user seed to address a server memory leak 987 ([CVE-2016-0798]) 988 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 989 ([CVE-2016-0797]) 990 * Fix memory issues in BIO_*printf functions ([CVE-2016-0799]) 991 * Fix side channel attack on modular exponentiation ([CVE-2016-0702]) 992 993### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] 994 995 * DH small subgroups ([CVE-2016-0701]) 996 * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197]) 997 998### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] 999 1000 * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2015-3193]) 1001 * Certificate verify crash with missing PSS parameter ([CVE-2015-3194]) 1002 * X509_ATTRIBUTE memory leak ([CVE-2015-3195]) 1003 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs 1004 * In DSA_generate_parameters_ex, if the provided seed is too short, 1005 return an error 1006 1007### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] 1008 1009 * Alternate chains certificate forgery ([CVE-2015-1793]) 1010 * Race condition handling PSK identify hint ([CVE-2015-3196]) 1011 1012### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] 1013 1014 * Fix HMAC ABI incompatibility 1015 1016### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] 1017 1018 * Malformed ECParameters causes infinite loop ([CVE-2015-1788]) 1019 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789]) 1020 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790]) 1021 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792]) 1022 * Race condition handling NewSessionTicket ([CVE-2015-1791]) 1023 1024### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015] 1025 1026 * OpenSSL 1.0.2 ClientHello sigalgs DoS fix ([CVE-2015-0291]) 1027 * Multiblock corrupted pointer fix ([CVE-2015-0290]) 1028 * Segmentation fault in DTLSv1_listen fix ([CVE-2015-0207]) 1029 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286]) 1030 * Segmentation fault for invalid PSS parameters fix ([CVE-2015-0208]) 1031 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287]) 1032 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289]) 1033 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293]) 1034 * Empty CKE with client auth and DHE fix ([CVE-2015-1787]) 1035 * Handshake with unseeded PRNG fix ([CVE-2015-0285]) 1036 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209]) 1037 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288]) 1038 * Removed the export ciphers from the DEFAULT ciphers 1039 1040### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015] 1041 1042 * Suite B support for TLS 1.2 and DTLS 1.2 1043 * Support for DTLS 1.2 1044 * TLS automatic EC curve selection. 1045 * API to set TLS supported signature algorithms and curves 1046 * SSL_CONF configuration API. 1047 * TLS Brainpool support. 1048 * ALPN support. 1049 * CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. 1050 1051OpenSSL 1.0.1 1052------------- 1053 1054### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016] 1055 1056 * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304]) 1057 * SWEET32 Mitigation ([CVE-2016-2183]) 1058 * OOB write in MDC2_Update() ([CVE-2016-6303]) 1059 * Malformed SHA512 ticket DoS ([CVE-2016-6302]) 1060 * OOB write in BN_bn2dec() ([CVE-2016-2182]) 1061 * OOB read in TS_OBJ_print_bio() ([CVE-2016-2180]) 1062 * Pointer arithmetic undefined behaviour ([CVE-2016-2177]) 1063 * Constant time flag not preserved in DSA signing ([CVE-2016-2178]) 1064 * DTLS buffered message DoS ([CVE-2016-2179]) 1065 * DTLS replay protection DoS ([CVE-2016-2181]) 1066 * Certificate message OOB reads ([CVE-2016-6306]) 1067 1068### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016] 1069 1070 * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107]) 1071 * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105]) 1072 * Fix EVP_EncryptUpdate overflow ([CVE-2016-2106]) 1073 * Prevent ASN.1 BIO excessive memory allocation ([CVE-2016-2109]) 1074 * EBCDIC overread ([CVE-2016-2176]) 1075 * Modify behavior of ALPN to invoke callback after SNI/servername 1076 callback, such that updates to the SSL_CTX affect ALPN. 1077 * Remove LOW from the DEFAULT cipher list. This removes singles DES from 1078 the default. 1079 * Only remove the SSLv2 methods with the no-ssl2-method option. 1080 1081### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016] 1082 1083 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. 1084 * Disable SSLv2 default build, default negotiation and weak ciphers 1085 ([CVE-2016-0800]) 1086 * Fix a double-free in DSA code ([CVE-2016-0705]) 1087 * Disable SRP fake user seed to address a server memory leak 1088 ([CVE-2016-0798]) 1089 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 1090 ([CVE-2016-0797]) 1091 * Fix memory issues in BIO_*printf functions ([CVE-2016-0799]) 1092 * Fix side channel attack on modular exponentiation ([CVE-2016-0702]) 1093 1094### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016] 1095 1096 * Protection for DH small subgroup attacks 1097 * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197]) 1098 1099### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015] 1100 1101 * Certificate verify crash with missing PSS parameter ([CVE-2015-3194]) 1102 * X509_ATTRIBUTE memory leak ([CVE-2015-3195]) 1103 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs 1104 * In DSA_generate_parameters_ex, if the provided seed is too short, 1105 return an error 1106 1107### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015] 1108 1109 * Alternate chains certificate forgery ([CVE-2015-1793]) 1110 * Race condition handling PSK identify hint ([CVE-2015-3196]) 1111 1112### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] 1113 1114 * Fix HMAC ABI incompatibility 1115 1116### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] 1117 1118 * Malformed ECParameters causes infinite loop ([CVE-2015-1788]) 1119 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789]) 1120 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790]) 1121 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792]) 1122 * Race condition handling NewSessionTicket ([CVE-2015-1791]) 1123 1124### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015] 1125 1126 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286]) 1127 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287]) 1128 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289]) 1129 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293]) 1130 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209]) 1131 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288]) 1132 * Removed the export ciphers from the DEFAULT ciphers 1133 1134### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015] 1135 1136 * Build fixes for the Windows and OpenVMS platforms 1137 1138### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015] 1139 1140 * Fix for [CVE-2014-3571] 1141 * Fix for [CVE-2015-0206] 1142 * Fix for [CVE-2014-3569] 1143 * Fix for [CVE-2014-3572] 1144 * Fix for [CVE-2015-0204] 1145 * Fix for [CVE-2015-0205] 1146 * Fix for [CVE-2014-8275] 1147 * Fix for [CVE-2014-3570] 1148 1149### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] 1150 1151 * Fix for [CVE-2014-3513] 1152 * Fix for [CVE-2014-3567] 1153 * Mitigation for [CVE-2014-3566] (SSL protocol vulnerability) 1154 * Fix for [CVE-2014-3568] 1155 1156### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014] 1157 1158 * Fix for [CVE-2014-3512] 1159 * Fix for [CVE-2014-3511] 1160 * Fix for [CVE-2014-3510] 1161 * Fix for [CVE-2014-3507] 1162 * Fix for [CVE-2014-3506] 1163 * Fix for [CVE-2014-3505] 1164 * Fix for [CVE-2014-3509] 1165 * Fix for [CVE-2014-5139] 1166 * Fix for [CVE-2014-3508] 1167 1168### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] 1169 1170 * Fix for [CVE-2014-0224] 1171 * Fix for [CVE-2014-0221] 1172 * Fix for [CVE-2014-0198] 1173 * Fix for [CVE-2014-0195] 1174 * Fix for [CVE-2014-3470] 1175 * Fix for [CVE-2010-5298] 1176 1177### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] 1178 1179 * Fix for [CVE-2014-0160] 1180 * Add TLS padding extension workaround for broken servers. 1181 * Fix for [CVE-2014-0076] 1182 1183### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014] 1184 1185 * Don't include gmt_unix_time in TLS server and client random values 1186 * Fix for TLS record tampering bug ([CVE-2013-4353]) 1187 * Fix for TLS version checking bug ([CVE-2013-6449]) 1188 * Fix for DTLS retransmission bug ([CVE-2013-6450]) 1189 1190### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013] 1191 1192 * Corrected fix for ([CVE-2013-0169]) 1193 1194### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013] 1195 1196 * Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. 1197 * Include the fips configuration module. 1198 * Fix OCSP bad key DoS attack ([CVE-2013-0166]) 1199 * Fix for SSL/TLS/DTLS CBC plaintext recovery attack ([CVE-2013-0169]) 1200 * Fix for TLS AESNI record handling flaw ([CVE-2012-2686]) 1201 1202### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012] 1203 1204 * Fix TLS/DTLS record length checking bug ([CVE-2012-2333]) 1205 * Don't attempt to use non-FIPS composite ciphers in FIPS mode. 1206 1207### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012] 1208 1209 * Fix compilation error on non-x86 platforms. 1210 * Make FIPS capable OpenSSL ciphers work in non-FIPS mode. 1211 * Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0 1212 1213### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012] 1214 1215 * Fix for ASN1 overflow bug ([CVE-2012-2110]) 1216 * Workarounds for some servers that hang on long client hellos. 1217 * Fix SEGV in AES code. 1218 1219### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012] 1220 1221 * TLS/DTLS heartbeat support. 1222 * SCTP support. 1223 * RFC 5705 TLS key material exporter. 1224 * RFC 5764 DTLS-SRTP negotiation. 1225 * Next Protocol Negotiation. 1226 * PSS signatures in certificates, requests and CRLs. 1227 * Support for password based recipient info for CMS. 1228 * Support TLS v1.2 and TLS v1.1. 1229 * Preliminary FIPS capability for unvalidated 2.0 FIPS module. 1230 * SRP support. 1231 1232OpenSSL 1.0.0 1233------------- 1234 1235### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015] 1236 1237 * X509_ATTRIBUTE memory leak (([CVE-2015-3195])) 1238 * Race condition handling PSK identify hint ([CVE-2015-3196]) 1239 1240### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015] 1241 1242 * Malformed ECParameters causes infinite loop ([CVE-2015-1788]) 1243 * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789]) 1244 * PKCS7 crash with missing EnvelopedContent ([CVE-2015-1790]) 1245 * CMS verify infinite loop with unknown hash function ([CVE-2015-1792]) 1246 * Race condition handling NewSessionTicket ([CVE-2015-1791]) 1247 1248### Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015] 1249 1250 * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286]) 1251 * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287]) 1252 * PKCS7 NULL pointer dereferences fix ([CVE-2015-0289]) 1253 * DoS via reachable assert in SSLv2 servers fix ([CVE-2015-0293]) 1254 * Use After Free following d2i_ECPrivatekey error fix ([CVE-2015-0209]) 1255 * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288]) 1256 * Removed the export ciphers from the DEFAULT ciphers 1257 1258### Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015] 1259 1260 * Build fixes for the Windows and OpenVMS platforms 1261 1262### Major changes between OpenSSL 1.0.0o and OpenSSL 1.0.0p [8 Jan 2015] 1263 1264 * Fix for [CVE-2014-3571] 1265 * Fix for [CVE-2015-0206] 1266 * Fix for [CVE-2014-3569] 1267 * Fix for [CVE-2014-3572] 1268 * Fix for [CVE-2015-0204] 1269 * Fix for [CVE-2015-0205] 1270 * Fix for [CVE-2014-8275] 1271 * Fix for [CVE-2014-3570] 1272 1273### Major changes between OpenSSL 1.0.0n and OpenSSL 1.0.0o [15 Oct 2014] 1274 1275 * Fix for [CVE-2014-3513] 1276 * Fix for [CVE-2014-3567] 1277 * Mitigation for [CVE-2014-3566] (SSL protocol vulnerability) 1278 * Fix for [CVE-2014-3568] 1279 1280### Major changes between OpenSSL 1.0.0m and OpenSSL 1.0.0n [6 Aug 2014] 1281 1282 * Fix for [CVE-2014-3510] 1283 * Fix for [CVE-2014-3507] 1284 * Fix for [CVE-2014-3506] 1285 * Fix for [CVE-2014-3505] 1286 * Fix for [CVE-2014-3509] 1287 * Fix for [CVE-2014-3508] 1288 1289 Known issues in OpenSSL 1.0.0m: 1290 1291 * EAP-FAST and other applications using tls_session_secret_cb 1292 won't resume sessions. Fixed in 1.0.0n-dev 1293 * Compilation failure of s3_pkt.c on some platforms due to missing 1294 `<limits.h>` include. Fixed in 1.0.0n-dev 1295 1296### Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [5 Jun 2014] 1297 1298 * Fix for [CVE-2014-0224] 1299 * Fix for [CVE-2014-0221] 1300 * Fix for [CVE-2014-0198] 1301 * Fix for [CVE-2014-0195] 1302 * Fix for [CVE-2014-3470] 1303 * Fix for [CVE-2014-0076] 1304 * Fix for [CVE-2010-5298] 1305 1306### Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014] 1307 1308 * Fix for DTLS retransmission bug ([CVE-2013-6450]) 1309 1310### Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013] 1311 1312 * Fix for SSL/TLS/DTLS CBC plaintext recovery attack ([CVE-2013-0169]) 1313 * Fix OCSP bad key DoS attack ([CVE-2013-0166]) 1314 1315### Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012] 1316 1317 * Fix DTLS record length checking bug ([CVE-2012-2333]) 1318 1319### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012] 1320 1321 * Fix for ASN1 overflow bug ([CVE-2012-2110]) 1322 1323### Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012] 1324 1325 * Fix for CMS/PKCS#7 MMA ([CVE-2012-0884]) 1326 * Corrected fix for ([CVE-2011-4619]) 1327 * Various DTLS fixes. 1328 1329### Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012] 1330 1331 * Fix for DTLS DoS issue ([CVE-2012-0050]) 1332 1333### Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012] 1334 1335 * Fix for DTLS plaintext recovery attack ([CVE-2011-4108]) 1336 * Clear block padding bytes of SSL 3.0 records ([CVE-2011-4576]) 1337 * Only allow one SGC handshake restart for SSL/TLS ([CVE-2011-4619]) 1338 * Check parameters are not NULL in GOST ENGINE ([CVE-2012-0027]) 1339 * Check for malformed RFC3779 data ([CVE-2011-4577]) 1340 1341### Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011] 1342 1343 * Fix for CRL vulnerability issue ([CVE-2011-3207]) 1344 * Fix for ECDH crashes ([CVE-2011-3210]) 1345 * Protection against EC timing attacks. 1346 * Support ECDH ciphersuites for certificates using SHA2 algorithms. 1347 * Various DTLS fixes. 1348 1349### Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011] 1350 1351 * Fix for security issue ([CVE-2011-0014]) 1352 1353### Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010] 1354 1355 * Fix for security issue ([CVE-2010-4180]) 1356 * Fix for ([CVE-2010-4252]) 1357 * Fix mishandling of absent EC point format extension. 1358 * Fix various platform compilation issues. 1359 * Corrected fix for security issue ([CVE-2010-3864]). 1360 1361### Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010] 1362 1363 * Fix for security issue ([CVE-2010-3864]). 1364 * Fix for ([CVE-2010-2939]) 1365 * Fix WIN32 build system for GOST ENGINE. 1366 1367### Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010] 1368 1369 * Fix for security issue ([CVE-2010-1633]). 1370 * GOST MAC and CFB fixes. 1371 1372### Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010] 1373 1374 * RFC3280 path validation: sufficient to process PKITS tests. 1375 * Integrated support for PVK files and keyblobs. 1376 * Change default private key format to PKCS#8. 1377 * CMS support: able to process all examples in RFC4134 1378 * Streaming ASN1 encode support for PKCS#7 and CMS. 1379 * Multiple signer and signer add support for PKCS#7 and CMS. 1380 * ASN1 printing support. 1381 * Whirlpool hash algorithm added. 1382 * RFC3161 time stamp support. 1383 * New generalised public key API supporting ENGINE based algorithms. 1384 * New generalised public key API utilities. 1385 * New ENGINE supporting GOST algorithms. 1386 * SSL/TLS GOST ciphersuite support. 1387 * PKCS#7 and CMS GOST support. 1388 * RFC4279 PSK ciphersuite support. 1389 * Supported points format extension for ECC ciphersuites. 1390 * ecdsa-with-SHA224/256/384/512 signature types. 1391 * dsa-with-SHA224 and dsa-with-SHA256 signature types. 1392 * Opaque PRF Input TLS extension support. 1393 * Updated time routines to avoid OS limitations. 1394 1395OpenSSL 0.9.x 1396------------- 1397 1398### Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010] 1399 1400 * CFB cipher definition fixes. 1401 * Fix security issues [CVE-2010-0740] and [CVE-2010-0433]. 1402 1403### Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010] 1404 1405 * Cipher definition fixes. 1406 * Workaround for slow RAND_poll() on some WIN32 versions. 1407 * Remove MD2 from algorithm tables. 1408 * SPKAC handling fixes. 1409 * Support for RFC5746 TLS renegotiation extension. 1410 * Compression memory leak fixed. 1411 * Compression session resumption fixed. 1412 * Ticket and SNI coexistence fixes. 1413 * Many fixes to DTLS handling. 1414 1415### Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009] 1416 1417 * Temporary work around for [CVE-2009-3555]: disable renegotiation. 1418 1419### Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009] 1420 1421 * Fix various build issues. 1422 * Fix security issues [CVE-2009-0590], [CVE-2009-0591], [CVE-2009-0789] 1423 1424### Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009] 1425 1426 * Fix security issue ([CVE-2008-5077]) 1427 * Merge FIPS 140-2 branch code. 1428 1429### Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008] 1430 1431 * CryptoAPI ENGINE support. 1432 * Various precautionary measures. 1433 * Fix for bugs affecting certificate request creation. 1434 * Support for local machine keyset attribute in PKCS#12 files. 1435 1436### Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007] 1437 1438 * Backport of CMS functionality to 0.9.8. 1439 * Fixes for bugs introduced with 0.9.8f. 1440 1441### Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007] 1442 1443 * Add gcc 4.2 support. 1444 * Add support for AES and SSE2 assembly language optimization 1445 for VC++ build. 1446 * Support for RFC4507bis and server name extensions if explicitly 1447 selected at compile time. 1448 * DTLS improvements. 1449 * RFC4507bis support. 1450 * TLS Extensions support. 1451 1452### Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007] 1453 1454 * Various ciphersuite selection fixes. 1455 * RFC3779 support. 1456 1457### Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006] 1458 1459 * Introduce limits to prevent malicious key DoS ([CVE-2006-2940]) 1460 * Fix security issues [CVE-2006-2937], [CVE-2006-3737], [CVE-2006-4343] 1461 * Changes to ciphersuite selection algorithm 1462 1463### Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006] 1464 1465 * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339] 1466 * New cipher Camellia 1467 1468### Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006] 1469 1470 * Cipher string fixes. 1471 * Fixes for VC++ 2005. 1472 * Updated ECC cipher suite support. 1473 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). 1474 * Zlib compression usage fixes. 1475 * Built in dynamic engine compilation support on Win32. 1476 * Fixes auto dynamic engine loading in Win32. 1477 1478### Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005] 1479 1480 * Fix potential SSL 2.0 rollback ([CVE-2005-2969]) 1481 * Extended Windows CE support 1482 1483### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005] 1484 1485 * Major work on the BIGNUM library for higher efficiency and to 1486 make operations more streamlined and less contradictory. This 1487 is the result of a major audit of the BIGNUM library. 1488 * Addition of BIGNUM functions for fields GF(2^m) and NIST 1489 curves, to support the Elliptic Crypto functions. 1490 * Major work on Elliptic Crypto; ECDH and ECDSA added, including 1491 the use through EVP, X509 and ENGINE. 1492 * New ASN.1 mini-compiler that's usable through the OpenSSL 1493 configuration file. 1494 * Added support for ASN.1 indefinite length constructed encoding. 1495 * New PKCS#12 'medium level' API to manipulate PKCS#12 files. 1496 * Complete rework of shared library construction and linking 1497 programs with shared or static libraries, through a separate 1498 Makefile.shared. 1499 * Rework of the passing of parameters from one Makefile to another. 1500 * Changed ENGINE framework to load dynamic engine modules 1501 automatically from specifically given directories. 1502 * New structure and ASN.1 functions for CertificatePair. 1503 * Changed the ZLIB compression method to be stateful. 1504 * Changed the key-generation and primality testing "progress" 1505 mechanism to take a structure that contains the ticker 1506 function and an argument. 1507 * New engine module: GMP (performs private key exponentiation). 1508 * New engine module: VIA PadLOck ACE extension in VIA C3 1509 Nehemiah processors. 1510 * Added support for IPv6 addresses in certificate extensions. 1511 See RFC 1884, section 2.2. 1512 * Added support for certificate policy mappings, policy 1513 constraints and name constraints. 1514 * Added support for multi-valued AVAs in the OpenSSL 1515 configuration file. 1516 * Added support for multiple certificates with the same subject 1517 in the 'openssl ca' index file. 1518 * Make it possible to create self-signed certificates using 1519 'openssl ca -selfsign'. 1520 * Make it possible to generate a serial number file with 1521 'openssl ca -create_serial'. 1522 * New binary search functions with extended functionality. 1523 * New BUF functions. 1524 * New STORE structure and library to provide an interface to all 1525 sorts of data repositories. Supports storage of public and 1526 private keys, certificates, CRLs, numbers and arbitrary blobs. 1527 This library is unfortunately unfinished and unused within 1528 OpenSSL. 1529 * New control functions for the error stack. 1530 * Changed the PKCS#7 library to support one-pass S/MIME 1531 processing. 1532 * Added the possibility to compile without old deprecated 1533 functionality with the OPENSSL_NO_DEPRECATED macro or the 1534 'no-deprecated' argument to the config and Configure scripts. 1535 * Constification of all ASN.1 conversion functions, and other 1536 affected functions. 1537 * Improved platform support for PowerPC. 1538 * New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). 1539 * New X509_VERIFY_PARAM structure to support parameterisation 1540 of X.509 path validation. 1541 * Major overhaul of RC4 performance on Intel P4, IA-64 and 1542 AMD64. 1543 * Changed the Configure script to have some algorithms disabled 1544 by default. Those can be explicitly enabled with the new 1545 argument form 'enable-xxx'. 1546 * Change the default digest in 'openssl' commands from MD5 to 1547 SHA-1. 1548 * Added support for DTLS. 1549 * New BIGNUM blinding. 1550 * Added support for the RSA-PSS encryption scheme 1551 * Added support for the RSA X.931 padding. 1552 * Added support for BSD sockets on NetWare. 1553 * Added support for files larger than 2GB. 1554 * Added initial support for Win64. 1555 * Added alternate pkg-config files. 1556 1557### Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007] 1558 1559 * FIPS 1.1.1 module linking. 1560 * Various ciphersuite selection fixes. 1561 1562### Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006] 1563 1564 * Introduce limits to prevent malicious key DoS ([CVE-2006-2940]) 1565 * Fix security issues [CVE-2006-2937], [CVE-2006-3737], [CVE-2006-4343] 1566 1567### Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006] 1568 1569 * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339] 1570 1571### Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006] 1572 1573 * Visual C++ 2005 fixes. 1574 * Update Windows build system for FIPS. 1575 1576### Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005] 1577 1578 * Give EVP_MAX_MD_SIZE its old value, except for a FIPS build. 1579 1580### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005] 1581 1582 * Fix SSL 2.0 Rollback ([CVE-2005-2969]) 1583 * Allow use of fixed-length exponent on DSA signing 1584 * Default fixed-window RSA, DSA, DH private-key operations 1585 1586### Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005] 1587 1588 * More compilation issues fixed. 1589 * Adaptation to more modern Kerberos API. 1590 * Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. 1591 * Enhanced x86_64 assembler BIGNUM module. 1592 * More constification. 1593 * Added processing of proxy certificates (RFC 3820). 1594 1595### Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005] 1596 1597 * Several compilation issues fixed. 1598 * Many memory allocation failure checks added. 1599 * Improved comparison of X509 Name type. 1600 * Mandatory basic checks on certificates. 1601 * Performance improvements. 1602 1603### Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004] 1604 1605 * Fix race condition in CRL checking code. 1606 * Fixes to PKCS#7 (S/MIME) code. 1607 1608### Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004] 1609 1610 * Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug 1611 * Security: Fix null-pointer assignment in do_change_cipher_spec() 1612 * Allow multiple active certificates with same subject in CA index 1613 * Multiple X509 verification fixes 1614 * Speed up HMAC and other operations 1615 1616### Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003] 1617 1618 * Security: fix various ASN1 parsing bugs. 1619 * New -ignore_err option to OCSP utility. 1620 * Various interop and bug fixes in S/MIME code. 1621 * SSL/TLS protocol fix for unrequested client certificates. 1622 1623### Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003] 1624 1625 * Security: counter the Klima-Pokorny-Rosa extension of 1626 Bleichbacher's attack 1627 * Security: make RSA blinding default. 1628 * Configuration: Irix fixes, AIX fixes, better mingw support. 1629 * Support for new platforms: linux-ia64-ecc. 1630 * Build: shared library support fixes. 1631 * ASN.1: treat domainComponent correctly. 1632 * Documentation: fixes and additions. 1633 1634### Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003] 1635 1636 * Security: Important security related bugfixes. 1637 * Enhanced compatibility with MIT Kerberos. 1638 * Can be built without the ENGINE framework. 1639 * IA32 assembler enhancements. 1640 * Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. 1641 * Configuration: the no-err option now works properly. 1642 * SSL/TLS: now handles manual certificate chain building. 1643 * SSL/TLS: certain session ID malfunctions corrected. 1644 1645### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002] 1646 1647 * New library section OCSP. 1648 * Complete rewrite of ASN1 code. 1649 * CRL checking in verify code and openssl utility. 1650 * Extension copying in 'ca' utility. 1651 * Flexible display options in 'ca' utility. 1652 * Provisional support for international characters with UTF8. 1653 * Support for external crypto devices ('engine') is no longer 1654 a separate distribution. 1655 * New elliptic curve library section. 1656 * New AES (Rijndael) library section. 1657 * Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, 1658 Linux x86_64, Linux 64-bit on Sparc v9 1659 * Extended support for some platforms: VxWorks 1660 * Enhanced support for shared libraries. 1661 * Now only builds PIC code when shared library support is requested. 1662 * Support for pkg-config. 1663 * Lots of new manuals. 1664 * Makes symbolic links to or copies of manuals to cover all described 1665 functions. 1666 * Change DES API to clean up the namespace (some applications link also 1667 against libdes providing similar functions having the same name). 1668 Provide macros for backward compatibility (will be removed in the 1669 future). 1670 * Unify handling of cryptographic algorithms (software and engine) 1671 to be available via EVP routines for asymmetric and symmetric ciphers. 1672 * NCONF: new configuration handling routines. 1673 * Change API to use more 'const' modifiers to improve error checking 1674 and help optimizers. 1675 * Finally remove references to RSAref. 1676 * Reworked parts of the BIGNUM code. 1677 * Support for new engines: Broadcom ubsec, Accelerated Encryption 1678 Processing, IBM 4758. 1679 * A few new engines added in the demos area. 1680 * Extended and corrected OID (object identifier) table. 1681 * PRNG: query at more locations for a random device, automatic query for 1682 EGD style random sources at several locations. 1683 * SSL/TLS: allow optional cipher choice according to server's preference. 1684 * SSL/TLS: allow server to explicitly set new session ids. 1685 * SSL/TLS: support Kerberos cipher suites (RFC2712). 1686 Only supports MIT Kerberos for now. 1687 * SSL/TLS: allow more precise control of renegotiations and sessions. 1688 * SSL/TLS: add callback to retrieve SSL/TLS messages. 1689 * SSL/TLS: support AES cipher suites (RFC3268). 1690 1691### Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003] 1692 1693 * Security: fix various ASN1 parsing bugs. 1694 * SSL/TLS protocol fix for unrequested client certificates. 1695 1696### Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003] 1697 1698 * Security: counter the Klima-Pokorny-Rosa extension of 1699 Bleichbacher's attack 1700 * Security: make RSA blinding default. 1701 * Build: shared library support fixes. 1702 1703### Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003] 1704 1705 * Important security related bugfixes. 1706 1707### Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002] 1708 1709 * New configuration targets for Tandem OSS and A/UX. 1710 * New OIDs for Microsoft attributes. 1711 * Better handling of SSL session caching. 1712 * Better comparison of distinguished names. 1713 * Better handling of shared libraries in a mixed GNU/non-GNU environment. 1714 * Support assembler code with Borland C. 1715 * Fixes for length problems. 1716 * Fixes for uninitialised variables. 1717 * Fixes for memory leaks, some unusual crashes and some race conditions. 1718 * Fixes for smaller building problems. 1719 * Updates of manuals, FAQ and other instructive documents. 1720 1721### Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002] 1722 1723 * Important building fixes on Unix. 1724 1725### Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002] 1726 1727 * Various important bugfixes. 1728 1729### Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002] 1730 1731 * Important security related bugfixes. 1732 * Various SSL/TLS library bugfixes. 1733 1734### Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002] 1735 1736 * Various SSL/TLS library bugfixes. 1737 * Fix DH parameter generation for 'non-standard' generators. 1738 1739### Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001] 1740 1741 * Various SSL/TLS library bugfixes. 1742 * BIGNUM library fixes. 1743 * RSA OAEP and random number generation fixes. 1744 * Object identifiers corrected and added. 1745 * Add assembler BN routines for IA64. 1746 * Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, 1747 MIPS Linux; shared library support for Irix, HP-UX. 1748 * Add crypto accelerator support for AEP, Baltimore SureWare, 1749 Broadcom and Cryptographic Appliance's keyserver 1750 [in 0.9.6c-engine release]. 1751 1752### Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001] 1753 1754 * Security fix: PRNG improvements. 1755 * Security fix: RSA OAEP check. 1756 * Security fix: Reinsert and fix countermeasure to Bleichbacher's 1757 attack. 1758 * MIPS bug fix in BIGNUM. 1759 * Bug fix in "openssl enc". 1760 * Bug fix in X.509 printing routine. 1761 * Bug fix in DSA verification routine and DSA S/MIME verification. 1762 * Bug fix to make PRNG thread-safe. 1763 * Bug fix in RAND_file_name(). 1764 * Bug fix in compatibility mode trust settings. 1765 * Bug fix in blowfish EVP. 1766 * Increase default size for BIO buffering filter. 1767 * Compatibility fixes in some scripts. 1768 1769### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001] 1770 1771 * Security fix: change behavior of OpenSSL to avoid using 1772 environment variables when running as root. 1773 * Security fix: check the result of RSA-CRT to reduce the 1774 possibility of deducing the private key from an incorrectly 1775 calculated signature. 1776 * Security fix: prevent Bleichenbacher's DSA attack. 1777 * Security fix: Zero the premaster secret after deriving the 1778 master secret in DH ciphersuites. 1779 * Reimplement SSL_peek(), which had various problems. 1780 * Compatibility fix: the function des_encrypt() renamed to 1781 des_encrypt1() to avoid clashes with some Unixen libc. 1782 * Bug fixes for Win32, HP/UX and Irix. 1783 * Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and 1784 memory checking routines. 1785 * Bug fixes for RSA operations in threaded environments. 1786 * Bug fixes in misc. openssl applications. 1787 * Remove a few potential memory leaks. 1788 * Add tighter checks of BIGNUM routines. 1789 * Shared library support has been reworked for generality. 1790 * More documentation. 1791 * New function BN_rand_range(). 1792 * Add "-rand" option to openssl s_client and s_server. 1793 1794### Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000] 1795 1796 * Some documentation for BIO and SSL libraries. 1797 * Enhanced chain verification using key identifiers. 1798 * New sign and verify options to 'dgst' application. 1799 * Support for DER and PEM encoded messages in 'smime' application. 1800 * New 'rsautl' application, low-level RSA utility. 1801 * MD4 now included. 1802 * Bugfix for SSL rollback padding check. 1803 * Support for external crypto devices [1]. 1804 * Enhanced EVP interface. 1805 1806 [1] The support for external crypto devices is currently a separate 1807 distribution. See the file README-Engine.md. 1808 1809### Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000] 1810 1811 * Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 1812 * Shared library support for HPUX and Solaris-gcc 1813 * Support of Linux/IA64 1814 * Assembler support for Mingw32 1815 * New 'rand' application 1816 * New way to check for existence of algorithms from scripts 1817 1818### Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000] 1819 1820 * S/MIME support in new 'smime' command 1821 * Documentation for the OpenSSL command line application 1822 * Automation of 'req' application 1823 * Fixes to make s_client, s_server work under Windows 1824 * Support for multiple fieldnames in SPKACs 1825 * New SPKAC command line utility and associated library functions 1826 * Options to allow passwords to be obtained from various sources 1827 * New public key PEM format and options to handle it 1828 * Many other fixes and enhancements to command line utilities 1829 * Usable certificate chain verification 1830 * Certificate purpose checking 1831 * Certificate trust settings 1832 * Support of authority information access extension 1833 * Extensions in certificate requests 1834 * Simplified X509 name and attribute routines 1835 * Initial (incomplete) support for international character sets 1836 * New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD 1837 * Read only memory BIOs and simplified creation function 1838 * TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 1839 record; allow fragmentation and interleaving of handshake and other 1840 data 1841 * TLS/SSL code now "tolerates" MS SGC 1842 * Work around for Netscape client certificate hang bug 1843 * RSA_NULL option that removes RSA patent code but keeps other 1844 RSA functionality 1845 * Memory leak detection now allows applications to add extra information 1846 via a per-thread stack 1847 * PRNG robustness improved 1848 * EGD support 1849 * BIGNUM library bug fixes 1850 * Faster DSA parameter generation 1851 * Enhanced support for Alpha Linux 1852 * Experimental macOS support 1853 1854### Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999] 1855 1856 * Transparent support for PKCS#8 format private keys: these are used 1857 by several software packages and are more secure than the standard 1858 form 1859 * PKCS#5 v2.0 implementation 1860 * Password callbacks have a new void * argument for application data 1861 * Avoid various memory leaks 1862 * New pipe-like BIO that allows using the SSL library when actual I/O 1863 must be handled by the application (BIO pair) 1864 1865### Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999] 1866 1867 * Lots of enhancements and cleanups to the Configuration mechanism 1868 * RSA OEAP related fixes 1869 * Added "openssl ca -revoke" option for revoking a certificate 1870 * Source cleanups: const correctness, type-safe stacks and ASN.1 SETs 1871 * Source tree cleanups: removed lots of obsolete files 1872 * Thawte SXNet, certificate policies and CRL distribution points 1873 extension support 1874 * Preliminary (experimental) S/MIME support 1875 * Support for ASN.1 UTF8String and VisibleString 1876 * Full integration of PKCS#12 code 1877 * Sparc assembler bignum implementation, optimized hash functions 1878 * Option to disable selected ciphers 1879 1880### Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999] 1881 1882 * Fixed a security hole related to session resumption 1883 * Fixed RSA encryption routines for the p < q case 1884 * "ALL" in cipher lists now means "everything except NULL ciphers" 1885 * Support for Triple-DES CBCM cipher 1886 * Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA 1887 * First support for new TLSv1 ciphers 1888 * Added a few new BIOs (syslog BIO, reliable BIO) 1889 * Extended support for DSA certificate/keys. 1890 * Extended support for Certificate Signing Requests (CSR) 1891 * Initial support for X.509v3 extensions 1892 * Extended support for compression inside the SSL record layer 1893 * Overhauled Win32 builds 1894 * Cleanups and fixes to the Big Number (BN) library 1895 * Support for ASN.1 GeneralizedTime 1896 * Split ASN.1 SETs from SEQUENCEs 1897 * ASN1 and PEM support for Netscape Certificate Sequences 1898 * Overhauled Perl interface 1899 * Lots of source tree cleanups. 1900 * Lots of memory leak fixes. 1901 * Lots of bug fixes. 1902 1903### Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998] 1904 1905 * Integration of the popular NO_RSA/NO_DSA patches 1906 * Initial support for compression inside the SSL record layer 1907 * Added BIO proxy and filtering functionality 1908 * Extended Big Number (BN) library 1909 * Added RIPE MD160 message digest 1910 * Added support for RC2/64bit cipher 1911 * Extended ASN.1 parser routines 1912 * Adjustments of the source tree for CVS 1913 * Support for various new platforms 1914 1915<!-- Links --> 1916[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575 1917[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176 1918[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143 1919[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119 1920[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535 1921[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741 1922[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603 1923[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511 1924[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727 1925[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237 1926[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129 1927[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678 1928[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363 1929[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807 1930[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817 1931[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446 1932[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 1933[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 1934[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 1935[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 1936[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 1937[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464 1938[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401 1939[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286 1940[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217 1941[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216 1942[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215 1943[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450 1944[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304 1945[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 1946[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 1947[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 1948[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 1949[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 1950[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 1951[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 1952[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559 1953[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552 1954[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551 1955[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549 1956[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547 1957[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543 1958[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407 1959[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739 1960[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737 1961[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735 1962[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734 1963[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733 1964[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732 1965[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738 1966[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737 1967[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736 1968[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735 1969[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733 1970[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732 1971[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731 1972[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730 1973[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055 1974[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054 1975[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053 1976[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052 1977[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309 1978[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308 1979[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307 1980[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306 1981[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305 1982[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304 1983[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303 1984[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302 1985[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183 1986[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182 1987[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181 1988[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180 1989[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179 1990[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178 1991[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177 1992[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176 1993[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109 1994[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107 1995[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106 1996[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105 1997[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800 1998[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799 1999[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798 2000[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797 2001[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705 2002[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702 2003[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701 2004[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197 2005[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196 2006[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195 2007[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194 2008[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193 2009[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793 2010[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792 2011[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791 2012[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790 2013[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789 2014[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788 2015[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787 2016[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293 2017[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291 2018[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290 2019[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289 2020[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288 2021[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287 2022[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286 2023[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285 2024[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209 2025[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208 2026[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207 2027[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206 2028[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205 2029[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204 2030[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275 2031[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139 2032[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572 2033[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571 2034[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570 2035[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569 2036[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568 2037[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567 2038[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566 2039[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513 2040[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512 2041[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511 2042[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510 2043[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509 2044[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508 2045[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507 2046[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506 2047[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505 2048[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470 2049[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224 2050[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221 2051[CVE-2014-0198]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0198 2052[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195 2053[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160 2054[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076 2055[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450 2056[CVE-2013-6449]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6449 2057[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353 2058[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169 2059[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166 2060[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686 2061[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333 2062[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110 2063[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884 2064[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050 2065[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027 2066[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619 2067[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577 2068[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576 2069[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108 2070[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210 2071[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207 2072[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014 2073[CVE-2010-5298]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-5298 2074[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252 2075[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180 2076[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864 2077[CVE-2010-2939]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-2939 2078[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633 2079[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740 2080[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433 2081[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555 2082[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789 2083[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591 2084[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590 2085[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077 2086[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343 2087[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339 2088[CVE-2006-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3737 2089[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940 2090[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937 2091[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969 2092[OpenSSL Guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html 2093[CHANGES.md]: ./CHANGES.md 2094[README-QUIC.md]: ./README-QUIC.md 2095[issue tracker]: https://github.com/openssl/openssl/issues 2096[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program 2097[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations 2098[jitterentropy-library]: https://github.com/smuellerDD/jitterentropy-library 2099