This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.2g and OpenSSL 1.1.0 [in pre-release]
+ Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [under development]
+ o
+
+ Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
+
+ o Fix Use After Free for large message sizes (CVE-2016-6309)
+
+ Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
+
+ o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
+ o SSL_peek() hang on empty record (CVE-2016-6305)
+ o Excessive allocation of memory in tls_get_message_header()
+ (CVE-2016-6307)
+ o Excessive allocation of memory in dtls1_preprocess_fragment()
+ (CVE-2016-6308)
+
+ Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]
+
+ o Copyright text was shrunk to a boilerplate that points to the license
+ o "shared" builds are now the default when possible
+ o Added support for "pipelining"
+ o Added the AFALG engine
+ o New threading API implemented
o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
o Support for extended master secret
o CCM ciphersuites
o Reworked test suite, now based on perl, Test::Harness and Test::More
- o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
- EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
+ o *Most* libcrypto and libssl public structures were made opaque,
+ including:
+ BIGNUM and associated types, EC_KEY and EC_KEY_METHOD,
+ DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD,
+ BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX,
+ EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX,
+ X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE,
+ X509_LOOKUP, X509_LOOKUP_METHOD
o libssl internal structures made opaque
o SSLv2 support removed
o Kerberos ciphersuite support removed
the directory for certs, private key and openssl.cnf exclusively.
o Reworked BIO networking library, with full support for IPv6.
o New "unified" build system
+ o New security levels
+ o Support for scrypt algorithm
+ o Support for X25519
+ o Extended SSL_CONF support using configuration files
+ o KDF algorithm support. Implement TLS PRF as a KDF.
+ o Support for Certificate Transparency
+ o HKDF support.
+
+ Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
+
+ o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+ o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+ o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+ o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+ o EBCDIC overread (CVE-2016-2176)
+ o Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ o Remove LOW from the DEFAULT cipher list. This removes singles DES from
+ the default.
+ o Only remove the SSLv2 methods with the no-ssl2-method option.
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
o New STORE structure and library to provide an interface to all
sorts of data repositories. Supports storage of public and
private keys, certificates, CRLs, numbers and arbitrary blobs.
- This library is unfortunately unfinished and unused withing
- OpenSSL.
+ This library is unfortunately unfinished and unused within
+ OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME
processing.
o Major overhaul of RC4 performance on Intel P4, IA-64 and
AMD64.
o Changed the Configure script to have some algorithms disabled
- by default. Those can be explicitely enabled with the new
+ by default. Those can be explicitly enabled with the new
argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to
SHA-1.