 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session; check the mask when sending the
     client hello and when checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types are not set with custom values, set sensible values based on the
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort the handshake if there
     are no shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

56
57 *) New function SSL_certs_clear() to delete all references to certificates
58 from an SSL structure. Before this once a certificate had been added
59 it couldn't be removed.
60 [Steve Henson]
61
62 *) Integrate hostname, email address and IP address checking with certificate
63 verification. New verify options supporting checking in opensl utility.
64 [Steve Henson]
65
66 *) Fixes and wildcard matching support to hostname and email checking
67 functions. Add manual page.
68 [Florian Weimer (Red Hat Product Security Team)]
69
70 *) New functions to check a hostname email or IP address against a
71 certificate. Add options x509 utility to print results of checks against
72 a certificate.
73 [Steve Henson]
74
75 *) Fix OCSP checking.
76 [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
77
78 *) Backport support for partial chain verification: if an intermediate
79 certificate is explicitly trusted (using -addtrust option to x509
80 utility for example) the verification is sucessful even if the chain
81 is not complete.
82 The OCSP checking fix depends on this backport.
83 [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]
84
85 *) Add -trusted_first option which attempts to find certificates in the
86 trusted store even if an untrusted chain is also supplied.
87 [Steve Henson]
88
89 *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
90 platform support for Linux and Android.
91 [Andy Polyakov]
92
93 *) Call OCSP Stapling callback after ciphersuite has been chosen, so
94 the right response is stapled. Also change current certificate to
95 the certificate actually sent.
96 See http://rt.openssl.org/Ticket/Display.html?id=2836.
97 [Rob Stradling <rob.stradling@comodo.com>]
98
  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) RFC 5878 support.
     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal;
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparams. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of the 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call
     SSL_CTX_set_ecdh_auto(ctx, 1) and it will automatically support ECDH
     and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set the list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

 Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]

 Changes between 1.0.1b and 1.0.1c [10 May 2012]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to avoid DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L, which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 as well. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L. Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Leaving the old value in place
     would make it impossible to disable only TLS 1.1 and, in the client
     context, would in that event limit the maximum offered version to
     TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if an application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1; one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to the
     client side.
     [Andy Polyakov]

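     The interaction of the two entries above, as an added example that is
     not part of the OpenSSL sources: a small C model of the client-side rule
     (disabling protocol X disables everything above X whenever something
     below X is still enabled) together with the bit collision between the
     1.0.0 SSL_OP_ALL and the 1.0.1/1.0.1a SSL_OP_NO_TLSv1_1. The SSL_OP_ALL
     and SSL_OP_NO_TLSv1_1 values are the ones quoted in the entries; the
     other SSL_OP_NO_* values are assumed to be those of the 1.0.1 ssl.h
     header, and the function names are illustrative, not library API.

```c
#include <stdio.h>

/*
 * Added example, not OpenSSL code: models the client-side effect of the
 * SSL_OP_NO_* bits.  SSL_OP_ALL (1.0.0) and both SSL_OP_NO_TLSv1_1 values
 * are quoted in CHANGES; the remaining values are assumed from 1.0.1 ssl.h.
 */
#define OP_ALL_1_0_0        0x80000FFFUL  /* SSL_OP_ALL in 1.0.0 headers */
#define OP_NO_TLSv1_1_OLD   0x00000400UL  /* SSL_OP_NO_TLSv1_1 in 1.0.1/1.0.1a */
#define OP_NO_TLSv1_1_NEW   0x10000000UL  /* SSL_OP_NO_TLSv1_1 from 1.0.1b on */
#define OP_NO_SSLv2         0x01000000UL  /* assumed 1.0.1 header value */
#define OP_NO_SSLv3         0x02000000UL  /* assumed 1.0.1 header value */
#define OP_NO_TLSv1         0x04000000UL  /* assumed 1.0.1 header value */
#define OP_NO_TLSv1_2       0x08000000UL  /* assumed 1.0.1 header value */

/* Protocols in ascending order; the index doubles as a return value. */
enum proto { SSLv2 = 0, SSLv3, TLSv1, TLSv1_1, TLSv1_2, NPROTO };
static const char *const proto_name[NPROTO] =
    { "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };

/*
 * 1 if an application built against 1.0.0 headers that sets SSL_OP_ALL
 * also sets SSL_OP_NO_TLSv1_1 under the given header value, i.e. the two
 * masks share a bit.
 */
int op_all_collides(unsigned long op_all, unsigned long op_no_tls1_1)
{
    return (op_all & op_no_tls1_1) != 0;
}

/*
 * Highest version the client offers under the rule in the second entry:
 * start at the lowest protocol still enabled and walk upward until the
 * first disabled one; nothing above that gap is offered even if its own
 * SSL_OP_NO_* bit is clear.  Returns -1 if every protocol is disabled.
 * `no_tls1_1_bit` selects which SSL_OP_NO_TLSv1_1 value the header defined.
 */
int client_max_version(unsigned long options, unsigned long no_tls1_1_bit)
{
    const unsigned long no_bit[NPROTO] = {
        OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1, no_tls1_1_bit, OP_NO_TLSv1_2
    };
    int p = 0, best = -1;

    while (p < NPROTO && (options & no_bit[p]))       /* skip disabled floor */
        p++;
    for (; p < NPROTO && !(options & no_bit[p]); p++) /* contiguous enabled run */
        best = p;
    return best;
}

static void show(const char *label, unsigned long options, unsigned long bit)
{
    int v = client_max_version(options, bit);
    printf("%-44s -> %s\n", label, v < 0 ? "(nothing enabled)" : proto_name[v]);
}

int main(void)
{
    printf("1.0.0 SSL_OP_ALL shares a bit with old SSL_OP_NO_TLSv1_1: %d\n",
           op_all_collides(OP_ALL_1_0_0, OP_NO_TLSv1_1_OLD));
    printf("1.0.0 SSL_OP_ALL shares a bit with new SSL_OP_NO_TLSv1_1: %d\n",
           op_all_collides(OP_ALL_1_0_0, OP_NO_TLSv1_1_NEW));
    show("1.0.0 app sets SSL_OP_ALL, 1.0.1a headers", OP_ALL_1_0_0, OP_NO_TLSv1_1_OLD);
    show("1.0.0 app sets SSL_OP_ALL, 1.0.1b headers", OP_ALL_1_0_0, OP_NO_TLSv1_1_NEW);
    show("SSL_OP_NO_TLSv1 alone", OP_NO_TLSv1, OP_NO_TLSv1_1_NEW);
    show("SSL_OP_NO_TLSv1|NO_SSLv3|NO_SSLv2",
         OP_NO_TLSv1 | OP_NO_SSLv3 | OP_NO_SSLv2, OP_NO_TLSv1_1_NEW);
    return 0;
}
```

     Build with a plain `cc` and run: with the 1.0.1a value a 1.0.0-built
     application that sets SSL_OP_ALL ends up offering at most TLS 1.0, and
     passing only SSL_OP_NO_TLSv1 leaves the client at SSLv3 rather than
     TLS 1.1 or 1.2, which is exactly why the second entry says to clear the
     lower protocols as well.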
 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_MEM_grow and BUF_MEM_grow_clean. Refuse attempts to shrink the buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]

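     The length checks described in this entry and in the CVE-2012-2333
     entry under 1.0.1c (sanity checking the record length before skipping
     the explicit IV), as an added example that is not OpenSSL's own code:
     the record structure, the buffer-growth arithmetic and the reallocation
     wrapper are simplified stand-ins written for this page, and their names
     are illustrative, not library API.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenSSL code: the length checks named in the
 * CVE-2012-2333 and CVE-2012-2110 entries, reduced to stand-alone
 * functions over simplified stand-in structures (names are illustrative).
 */

/* A decrypted TLS record; `length` is the number of bytes still to consume. */
struct tls_record {
    const unsigned char *data;
    size_t length;
};

/*
 * Pre-fix shape (CVE-2012-2333): strip the explicit IV of TLS 1.1/1.2 or
 * DTLS without confirming the record is at least that long.  For a shorter
 * record the unsigned subtraction wraps, the record now claims a huge
 * length, and the MAC/padding code after it reads far past the buffer.
 * Returns the resulting length so the wrap can be observed.
 */
size_t skip_explicit_iv_unchecked(struct tls_record *r, size_t iv_len)
{
    r->data += iv_len;
    r->length -= iv_len;
    return r->length;
}

/* Fixed shape: refuse the record before touching it.  1 = ok, 0 = malformed. */
int skip_explicit_iv_checked(struct tls_record *r, size_t iv_len)
{
    if (r->length < iv_len)
        return 0;
    r->data += iv_len;
    r->length -= iv_len;
    return 1;
}

/*
 * Runs both variants over a constructed record of `record_len` bytes
 * (both sizes capped at the 64-byte scratch buffer).  Returns 1 when the
 * unchecked variant wrapped (new length > old length) and the checked
 * variant rejected the record, 0 otherwise.
 */
int explicit_iv_demo(size_t record_len, size_t iv_len)
{
    unsigned char buf[64] = { 0 };           /* constructed record body */
    struct tls_record a, b;
    size_t wrapped;
    int accepted;

    if (record_len > sizeof buf) record_len = sizeof buf;
    if (iv_len > sizeof buf) iv_len = sizeof buf;
    a.data = b.data = buf;
    a.length = b.length = record_len;
    wrapped = skip_explicit_iv_unchecked(&a, iv_len);
    accepted = skip_explicit_iv_checked(&b, iv_len);
    return wrapped > record_len && !accepted;
}

/*
 * asn1_d2i_read_bio style growth (CVE-2012-2110): `len` bytes are buffered
 * and `want` more are needed.  Returns the new total, or -1 if the int
 * addition would overflow; a wrapped total is what allowed the buffer to
 * be resized smaller than the data about to be read into it.
 */
long grow_length(int len, int want)
{
    if (len < 0 || want < 0 || want > INT_MAX - len)
        return -1;
    return (long)len + want;
}

/*
 * CRYPTO_realloc_clean style reallocation: refuses to shrink, copies the
 * old contents and scrubs the old block before freeing it.  Returns NULL
 * on refusal or allocation failure, in which case `old` is left untouched.
 */
void *realloc_clean(void *old, size_t old_len, size_t new_len)
{
    void *p;

    if (new_len < old_len)
        return NULL;
    if ((p = malloc(new_len)) == NULL)
        return NULL;
    if (old != NULL) {
        memcpy(p, old, old_len);
        memset(old, 0, old_len);
        free(old);
    }
    return p;
}

/* 1 if realloc_clean refuses to shrink and preserves data when growing. */
int realloc_clean_demo(void)
{
    unsigned char *p = realloc_clean(NULL, 0, 32), *grown;
    int ok;

    if (p == NULL)
        return 0;
    memset(p, 0xAB, 32);
    ok = realloc_clean(p, 32, 16) == NULL;   /* shrink refused, p still valid */
    grown = realloc_clean(p, 32, 64);        /* p is consumed here */
    if (grown == NULL) {
        free(p);
        return 0;
    }
    ok = ok && grown[31] == 0xAB;
    free(grown);
    return ok;
}

int main(void)
{
    printf("record shorter than IV, wrap caught -> %d\n", explicit_iv_demo(5, 16));
    printf("grow_length(INT_MAX - 10, 20) -> %ld\n", grow_length(INT_MAX - 10, 20));
    printf("realloc_clean refuses shrink -> %d\n", realloc_clean_demo());
    return 0;
}
```

     The common thread is that every length computed from peer-supplied
     data is compared against what is actually buffered before the
     arithmetic is done, so a record shorter than its IV or a total that
     would wrap an int is rejected rather than turned into an over-read.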
  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes:

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures, in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in the client hello; this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054; API cleanup
     (removal of unnecessary code).
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

         EC_GFp_nistp224_method()
         EC_GFp_nistp256_method()
         EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).

317