Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) X509 certificates signed using SHA1 are no longer allowed at security
+ level 1 and above.
+ In TLS/SSL the default security level is 1. It can be set either
+ using the cipher string with @SECLEVEL, or calling
+ SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
+ a call to SSL_CTX_use_certificate() will fail if the security level is not
+ lowered first.
+ Outside TLS/SSL, the default security level is -1 (effectively 0). It can
+ be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
+ options of the apps.
+ [Kurt Roeckx]
+
*) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
This means that applications don't have to look at the curve NID and
and L<EVP_MAC_final(3)>.
[Paul Dale]
+ *) Over two thousand fixes were made to the documentation, including:
+ - Common options (such as -rand/-writerand, TLS version control, etc)
+ were refactored and point to newly-enhanced descriptions in openssl.pod.
+ - Added style conformance for all options (with help from Richard Levitte),
+ documented all reported missing options, added a CI build to check
+ that all options are documented and that no unimplemented options
+ are documented.
+ - Documented some internals, such as all use of environment variables.
+ - Addressed all internal broken L<> references.
+ [Rich Salz]
+
*) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
SHA384, SHA512 and Whirlpool digest functions have been deprecated.
These include:
pages for further details.
[Matt Caswell]
- *) Most common options (such as -rand/-writerand, TLS version control, etc)
- were refactored and point to newly-enhanced descriptions in openssl.pod
- [Rich Salz]
-
- *) Over two thousand fixes were made to the documentation, including:
- adding missing command flags, better style conformance, documentation
- of internals, etc.
- [Rich Salz, Richard Levitte]
-
*) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
X25519, X448, Ed25519 and Ed448.
[Patrick Steuer]
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
- prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
- record layer, and its removal is unlikely to cause inter-operability
+ record layer, and its removal is unlikely to cause interoperability
issues.
[Matt Caswell]
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
- *) Use type ossl_ssize_t instad of ssize_t which isn't available on
+ *) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
*) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
- parsed, outputed or printed in text form. Not complete yet:
+ parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]
[Andy Polyakov]
*) Modified SSL library such that the verify_callback that has been set
- specificly for an SSL object with SSL_set_verify() is actually being
+ specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
as other interfaces in OpenSSL, like the BIO interface.
NCONF_dump_* dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
- arguments as the old CONF_* functions wth the exception of the
+ arguments as the old CONF_* functions with the exception of the
first that must be a `CONF *' instead of a `LHASH *'.
- To make it easer to use the new classes with the old CONF_* functions,
+ To make it easier to use the new classes with the old CONF_* functions,
the function CONF_set_default_method is provided.
[Richard Levitte]
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
- translating function codes into names. The old 'ASN1 error code imbedded
+ translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
- Configure script everytime: One now can use ``perl Configure
+ Configure script every time: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value