]>
Commit | Line | Data |
---|---|---|
3b52c2e7 RE |
1 | |
2 | NEWS | |
3 | ==== | |
4 | ||
5 | This file gives a brief overview of the major changes between each OpenSSL | |
6 | release. For more details please read the CHANGES file. | |
7 | ||
d0db2164 DSH |
8 | Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m: |
9 | ||
10 | o FIPS 1.1.1 module linking. | |
11 | o Various ciphersuite selection fixes. | |
12 | ||
b2139664 MC |
13 | Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: |
14 | ||
15 | o Introduce limits to prevent malicious key DoS (CVE-2006-2940) | |
16 | o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) | |
17 | ||
ffa04072 MC |
18 | Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: |
19 | ||
20 | o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 | |
21 | ||
a5319427 DSH |
22 | Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j: |
23 | ||
c2293d2e | 24 | o Visual C++ 2005 fixes. |
a5319427 DSH |
25 | o Update Windows build system for FIPS. |
26 | ||
deab8d93 RL |
27 | Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i: |
28 | ||
29 | o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build. | |
30 | ||
a40916cb MC |
31 | Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: |
32 | ||
ffa04072 | 33 | o Fix SSL 2.0 Rollback, CVE-2005-2969 |
a40916cb MC |
34 | o Allow use of fixed-length exponent on DSA signing |
35 | o Default fixed-window RSA, DSA, DH private-key operations | |
36 | ||
01671ab2 RL |
37 | Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g: |
38 | ||
39 | o More compilation issues fixed. | |
40 | o Adaptation to more modern Kerberos API. | |
41 | o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. | |
42 | o Enhanced x86_64 assembler BIGNUM module. | |
43 | o More constification. | |
44 | o Added processing of proxy certificates (RFC 3820). | |
45 | ||
5c1fd5e3 DSH |
46 | Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f: |
47 | ||
48 | o Several compilation issues fixed. | |
49 | o Many memory allocation failure checks added. | |
50 | o Improved comparison of X509 Name type. | |
51 | o Mandatory basic checks on certificates. | |
52 | o Performance improvements. | |
53 | ||
450b38c0 DSH |
54 | Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e: |
55 | ||
56 | o Fix race condition in CRL checking code. | |
57 | o Fixes to PKCS#7 (S/MIME) code. | |
58 | ||
82d63d30 MC |
59 | Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: |
60 | ||
61 | o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug | |
62 | o Security: Fix null-pointer assignment in do_change_cipher_spec() | |
63 | o Allow multiple active certificates with same subject in CA index | |
0286cccb | 64 | o Multiple X509 verification fixes |
82d63d30 MC |
65 | o Speed up HMAC and other operations |
66 | ||
68f0bcfb DSH |
67 | Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: |
68 | ||
69 | o Security: fix various ASN1 parsing bugs. | |
70 | o New -ignore_err option to OCSP utility. | |
71 | o Various interop and bug fixes in S/MIME code. | |
72 | o SSL/TLS protocol fix for unrequested client certificates. | |
73 | ||
e072e16e RL |
74 | Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: |
75 | ||
76 | o Security: counter the Klima-Pokorny-Rosa extension of | |
77 | Bleichbacher's attack | |
78 | o Security: make RSA blinding default. | |
79 | o Configuration: Irix fixes, AIX fixes, better mingw support. | |
80 | o Support for new platforms: linux-ia64-ecc. | |
81 | o Build: shared library support fixes. | |
82 | o ASN.1: treat domainComponent correctly. | |
83 | o Documentation: fixes and additions. | |
84 | ||
6fcf1dbc RL |
85 | Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: |
86 | ||
87 | o Security: Important security related bugfixes. | |
88 | o Enhanced compatibility with MIT Kerberos. | |
89 | o Can be built without the ENGINE framework. | |
90 | o IA32 assembler enhancements. | |
91 | o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. | |
92 | o Configuration: the no-err option now works properly. | |
93 | o SSL/TLS: now handles manual certificate chain building. | |
94 | o SSL/TLS: certain session ID malfunctions corrected. | |
95 | ||
3ba25ee8 | 96 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: |
83f25717 RL |
97 | |
98 | o New library section OCSP. | |
adcc235e DSH |
99 | o Complete rewrite of ASN1 code. |
100 | o CRL checking in verify code and openssl utility. | |
101 | o Extension copying in 'ca' utility. | |
102 | o Flexible display options in 'ca' utility. | |
103 | o Provisional support for international characters with UTF8. | |
4dec4f64 BM |
104 | o Support for external crypto devices ('engine') is no longer |
105 | a separate distribution. | |
60ed0f94 | 106 | o New elliptic curve library section. |
7018feed | 107 | o New AES (Rijndael) library section. |
aaf7b47a | 108 | o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, |
13617646 | 109 | Linux x86_64, Linux 64-bit on Sparc v9 |
bc9867e6 RL |
110 | o Extended support for some platforms: VxWorks |
111 | o Enhanced support for shared libraries. | |
13617646 | 112 | o Now only builds PIC code when shared library support is requested. |
bc9867e6 RL |
113 | o Support for pkg-config. |
114 | o Lots of new manuals. | |
13617646 RL |
115 | o Makes symbolic links to or copies of manuals to cover all described |
116 | functions. | |
7018feed LJ |
117 | o Change DES API to clean up the namespace (some applications link also |
118 | against libdes providing similar functions having the same name). | |
119 | Provide macros for backward compatibility (will be removed in the | |
120 | future). | |
f27fa543 BM |
121 | o Unify handling of cryptographic algorithms (software and engine) |
122 | to be available via EVP routines for asymmetric and symmetric ciphers. | |
7018feed LJ |
123 | o NCONF: new configuration handling routines. |
124 | o Change API to use more 'const' modifiers to improve error checking | |
125 | and help optimizers. | |
126 | o Finally remove references to RSAref. | |
127 | o Reworked parts of the BIGNUM code. | |
128 | o Support for new engines: Broadcom ubsec, Accelerated Encryption | |
129 | Processing, IBM 4758. | |
bc9867e6 | 130 | o A few new engines added in the demos area. |
f1058182 | 131 | o Extended and corrected OID (object identifier) table. |
7018feed LJ |
132 | o PRNG: query at more locations for a random device, automatic query for |
133 | EGD style random sources at several locations. | |
134 | o SSL/TLS: allow optional cipher choice according to server's preference. | |
135 | o SSL/TLS: allow server to explicitly set new session ids. | |
136 | o SSL/TLS: support Kerberos cipher suites (RFC2712). | |
aaf7b47a | 137 | Only supports MIT Kerberos for now. |
7018feed LJ |
138 | o SSL/TLS: allow more precise control of renegotiations and sessions. |
139 | o SSL/TLS: add callback to retrieve SSL/TLS messages. | |
5af9fcaf | 140 | o SSL/TLS: support AES cipher suites (RFC3268). |
7018feed | 141 | |
68f0bcfb DSH |
142 | Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: |
143 | ||
144 | o Security: fix various ASN1 parsing bugs. | |
145 | o SSL/TLS protocol fix for unrequested client certificates. | |
146 | ||
110c6f72 RL |
147 | Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: |
148 | ||
149 | o Security: counter the Klima-Pokorny-Rosa extension of | |
150 | Bleichbacher's attack | |
151 | o Security: make RSA blinding default. | |
152 | o Build: shared library support fixes. | |
153 | ||
6fcf1dbc RL |
154 | Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: |
155 | ||
156 | o Important security related bugfixes. | |
157 | ||
bc9867e6 RL |
158 | Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: |
159 | ||
160 | o New configuration targets for Tandem OSS and A/UX. | |
161 | o New OIDs for Microsoft attributes. | |
162 | o Better handling of SSL session caching. | |
163 | o Better comparison of distinguished names. | |
164 | o Better handling of shared libraries in a mixed GNU/non-GNU environment. | |
165 | o Support assembler code with Borland C. | |
166 | o Fixes for length problems. | |
167 | o Fixes for uninitialised variables. | |
168 | o Fixes for memory leaks, some unusual crashes and some race conditions. | |
169 | o Fixes for smaller building problems. | |
170 | o Updates of manuals, FAQ and other instructive documents. | |
171 | ||
ddf76024 RL |
172 | Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: |
173 | ||
174 | o Important building fixes on Unix. | |
175 | ||
00c8546d RL |
176 | Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: |
177 | ||
178 | o Various important bugfixes. | |
179 | ||
e970fa00 | 180 | Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: |
458bb156 LJ |
181 | |
182 | o Important security related bugfixes. | |
183 | o Various SSL/TLS library bugfixes. | |
184 | ||
1dc03ef7 | 185 | Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: |
7018feed LJ |
186 | |
187 | o Various SSL/TLS library bugfixes. | |
188 | o Fix DH parameter generation for 'non-standard' generators. | |
4dec4f64 | 189 | |
1dc03ef7 | 190 | Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: |
ae52ec98 BM |
191 | |
192 | o Various SSL/TLS library bugfixes. | |
193 | o BIGNUM library fixes. | |
ef5f6a08 RL |
194 | o RSA OAEP and random number generation fixes. |
195 | o Object identifiers corrected and added. | |
196 | o Add assembler BN routines for IA64. | |
197 | o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, | |
198 | MIPS Linux; shared library support for Irix, HP-UX. | |
a3790c0d | 199 | o Add crypto accelerator support for AEP, Baltimore SureWare, |
ef5f6a08 RL |
200 | Broadcom and Cryptographic Appliance's keyserver |
201 | [in 0.9.6c-engine release]. | |
ae52ec98 | 202 | |
1dc03ef7 | 203 | Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: |
4dec4f64 BM |
204 | |
205 | o Security fix: PRNG improvements. | |
206 | o Security fix: RSA OAEP check. | |
207 | o Security fix: Reinsert and fix countermeasure to Bleichbacher's | |
208 | attack. | |
209 | o MIPS bug fix in BIGNUM. | |
210 | o Bug fix in "openssl enc". | |
211 | o Bug fix in X.509 printing routine. | |
212 | o Bug fix in DSA verification routine and DSA S/MIME verification. | |
213 | o Bug fix to make PRNG thread-safe. | |
214 | o Bug fix in RAND_file_name(). | |
215 | o Bug fix in compatibility mode trust settings. | |
216 | o Bug fix in blowfish EVP. | |
217 | o Increase default size for BIO buffering filter. | |
218 | o Compatibility fixes in some scripts. | |
83f25717 | 219 | |
7cdd2aa1 RL |
220 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: |
221 | ||
222 | o Security fix: change behavior of OpenSSL to avoid using | |
223 | environment variables when running as root. | |
224 | o Security fix: check the result of RSA-CRT to reduce the | |
225 | possibility of deducing the private key from an incorrectly | |
226 | calculated signature. | |
227 | o Security fix: prevent Bleichenbacher's DSA attack. | |
228 | o Security fix: Zero the premaster secret after deriving the | |
229 | master secret in DH ciphersuites. | |
4fea8145 | 230 | o Reimplement SSL_peek(), which had various problems. |
307bf4da RL |
231 | o Compatibility fix: the function des_encrypt() renamed to |
232 | des_encrypt1() to avoid clashes with some Unixen libc. | |
7cdd2aa1 RL |
233 | o Bug fixes for Win32, HP/UX and Irix. |
234 | o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and | |
235 | memory checking routines. | |
5fc041cc | 236 | o Bug fixes for RSA operations in threaded environments. |
7cdd2aa1 RL |
237 | o Bug fixes in misc. openssl applications. |
238 | o Remove a few potential memory leaks. | |
239 | o Add tighter checks of BIGNUM routines. | |
240 | o Shared library support has been reworked for generality. | |
241 | o More documentation. | |
4fea8145 | 242 | o New function BN_rand_range(). |
7cdd2aa1 RL |
243 | o Add "-rand" option to openssl s_client and s_server. |
244 | ||
4e87e05b DSH |
245 | Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: |
246 | ||
247 | o Some documentation for BIO and SSL libraries. | |
248 | o Enhanced chain verification using key identifiers. | |
249 | o New sign and verify options to 'dgst' application. | |
250 | o Support for DER and PEM encoded messages in 'smime' application. | |
251 | o New 'rsautl' application, low level RSA utility. | |
b38d84d8 BM |
252 | o MD4 now included. |
253 | o Bugfix for SSL rollback padding check. | |
4dec4f64 | 254 | o Support for external crypto devices [1]. |
fda05b21 | 255 | o Enhanced EVP interface. |
b22bda21 | 256 | |
4dec4f64 BM |
257 | [1] The support for external crypto devices is currently a separate |
258 | distribution. See the file README.ENGINE. | |
259 | ||
35a79ecb RL |
260 | Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: |
261 | ||
b7a81df4 | 262 | o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 |
35a79ecb RL |
263 | o Shared library support for HPUX and Solaris-gcc |
264 | o Support of Linux/IA64 | |
b7a81df4 | 265 | o Assembler support for Mingw32 |
35a79ecb RL |
266 | o New 'rand' application |
267 | o New way to check for existence of algorithms from scripts | |
268 | ||
0c235249 UM |
269 | Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: |
270 | ||
90644dd7 | 271 | o S/MIME support in new 'smime' command |
0c235249 | 272 | o Documentation for the OpenSSL command line application |
90644dd7 DSH |
273 | o Automation of 'req' application |
274 | o Fixes to make s_client, s_server work under Windows | |
275 | o Support for multiple fieldnames in SPKACs | |
276 | o New SPKAC command line utilty and associated library functions | |
ae1bb4e5 | 277 | o Options to allow passwords to be obtained from various sources |
90644dd7 DSH |
278 | o New public key PEM format and options to handle it |
279 | o Many other fixes and enhancements to command line utilities | |
280 | o Usable certificate chain verification | |
281 | o Certificate purpose checking | |
282 | o Certificate trust settings | |
283 | o Support of authority information access extension | |
284 | o Extensions in certificate requests | |
285 | o Simplified X509 name and attribute routines | |
ae1bb4e5 | 286 | o Initial (incomplete) support for international character sets |
90644dd7 DSH |
287 | o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD |
288 | o Read only memory BIOs and simplified creation function | |
8bd5b794 BM |
289 | o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 |
290 | record; allow fragmentation and interleaving of handshake and other | |
291 | data | |
90644dd7 | 292 | o TLS/SSL code now "tolerates" MS SGC |
8bd5b794 | 293 | o Work around for Netscape client certificate hang bug |
90644dd7 DSH |
294 | o RSA_NULL option that removes RSA patent code but keeps other |
295 | RSA functionality | |
07e6dbde BM |
296 | o Memory leak detection now allows applications to add extra information |
297 | via a per-thread stack | |
298 | o PRNG robustness improved | |
4d524e10 | 299 | o EGD support |
6d9ca500 | 300 | o BIGNUM library bug fixes |
4d524e10 | 301 | o Faster DSA parameter generation |
74235cc9 UM |
302 | o Enhanced support for Alpha Linux |
303 | o Experimental MacOS support | |
0c235249 | 304 | |
ed7f60fb DSH |
305 | Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: |
306 | ||
307 | o Transparent support for PKCS#8 format private keys: these are used | |
c97cbcb3 BM |
308 | by several software packages and are more secure than the standard |
309 | form | |
310 | o PKCS#5 v2.0 implementation | |
311 | o Password callbacks have a new void * argument for application data | |
312 | o Avoid various memory leaks | |
313 | o New pipe-like BIO that allows using the SSL library when actual I/O | |
314 | must be handled by the application (BIO pair) | |
ed7f60fb | 315 | |
8e8a8a5f | 316 | Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: |
9de649ff UM |
317 | o Lots of enhancements and cleanups to the Configuration mechanism |
318 | o RSA OEAP related fixes | |
8e8a8a5f RE |
319 | o Added `openssl ca -revoke' option for revoking a certificate |
320 | o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs | |
321 | o Source tree cleanups: removed lots of obsolete files | |
703126f0 | 322 | o Thawte SXNet, certificate policies and CRL distribution points |
a03dd7a6 | 323 | extension support |
703126f0 DSH |
324 | o Preliminary (experimental) S/MIME support |
325 | o Support for ASN.1 UTF8String and VisibleString | |
326 | o Full integration of PKCS#12 code | |
2cf9fcda | 327 | o Sparc assembler bignum implementation, optimized hash functions |
b0759f87 | 328 | o Option to disable selected ciphers |
8e8a8a5f | 329 | |
d343d272 | 330 | Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: |
738769ff RE |
331 | o Fixed a security hole related to session resumption |
332 | o Fixed RSA encryption routines for the p < q case | |
333 | o "ALL" in cipher lists now means "everything except NULL ciphers" | |
3b52c2e7 RE |
334 | o Support for Triple-DES CBCM cipher |
335 | o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA | |
336 | o First support for new TLSv1 ciphers | |
337 | o Added a few new BIOs (syslog BIO, reliable BIO) | |
338 | o Extended support for DSA certificate/keys. | |
03e20a1a | 339 | o Extended support for Certificate Signing Requests (CSR) |
3b52c2e7 RE |
340 | o Initial support for X.509v3 extensions |
341 | o Extended support for compression inside the SSL record layer | |
342 | o Overhauled Win32 builds | |
343 | o Cleanups and fixes to the Big Number (BN) library | |
344 | o Support for ASN.1 GeneralizedTime | |
345 | o Splitted ASN.1 SETs from SEQUENCEs | |
346 | o ASN1 and PEM support for Netscape Certificate Sequences | |
347 | o Overhauled Perl interface | |
348 | o Lots of source tree cleanups. | |
349 | o Lots of memory leak fixes. | |
350 | o Lots of bug fixes. | |
351 | ||
352 | Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: | |
353 | o Integration of the popular NO_RSA/NO_DSA patches | |
354 | o Initial support for compression inside the SSL record layer | |
355 | o Added BIO proxy and filtering functionality | |
356 | o Extended Big Number (BN) library | |
357 | o Added RIPE MD160 message digest | |
358 | o Addeed support for RC2/64bit cipher | |
359 | o Extended ASN.1 parser routines | |
360 | o Adjustations of the source tree for CVS | |
361 | o Support for various new platforms | |
362 |