]>
Commit | Line | Data |
---|---|---|
1 | ||
2 | NEWS | |
3 | ==== | |
4 | ||
5 | This file gives a brief overview of the major changes between each OpenSSL | |
6 | release. For more details please read the CHANGES file. | |
7 | ||
8 | Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: | |
9 | ||
10 | o Security: counter the Klima-Pokorny-Rosa extension of | |
11 | Bleichbacher's attack | |
12 | o Security: make RSA blinding default. | |
13 | o Configuration: Irix fixes, AIX fixes, better mingw support. | |
14 | o Support for new platforms: linux-ia64-ecc. | |
15 | o Build: shared library support fixes. | |
16 | o ASN.1: treat domainComponent correctly. | |
17 | o Documentation: fixes and additions. | |
18 | ||
19 | Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: | |
20 | ||
21 | o Security: Important security related bugfixes. | |
22 | o Enhanced compatibility with MIT Kerberos. | |
23 | o Can be built without the ENGINE framework. | |
24 | o IA32 assembler enhancements. | |
25 | o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. | |
26 | o Configuration: the no-err option now works properly. | |
27 | o SSL/TLS: now handles manual certificate chain building. | |
28 | o SSL/TLS: certain session ID malfunctions corrected. | |
29 | ||
30 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: | |
31 | ||
32 | o New library section OCSP. | |
33 | o Complete rewrite of ASN1 code. | |
34 | o CRL checking in verify code and openssl utility. | |
35 | o Extension copying in 'ca' utility. | |
36 | o Flexible display options in 'ca' utility. | |
37 | o Provisional support for international characters with UTF8. | |
38 | o Support for external crypto devices ('engine') is no longer | |
39 | a separate distribution. | |
40 | o New elliptic curve library section. | |
41 | o New AES (Rijndael) library section. | |
42 | o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, | |
43 | Linux x86_64 | |
44 | o Extended support for some platforms: VxWorks | |
45 | o Enhanced support for shared libraries. | |
46 | o Support for pkg-config. | |
47 | o Lots of new manuals. | |
48 | o Change DES API to clean up the namespace (some applications link also | |
49 | against libdes providing similar functions having the same name). | |
50 | Provide macros for backward compatibility (will be removed in the | |
51 | future). | |
52 | o Unify handling of cryptographic algorithms (software and engine) | |
53 | to be available via EVP routines for asymmetric and symmetric ciphers. | |
54 | o NCONF: new configuration handling routines. | |
55 | o Change API to use more 'const' modifiers to improve error checking | |
56 | and help optimizers. | |
57 | o Finally remove references to RSAref. | |
58 | o Reworked parts of the BIGNUM code. | |
59 | o Support for new engines: Broadcom ubsec, Accelerated Encryption | |
60 | Processing, IBM 4758. | |
61 | o A few new engines added in the demos area. | |
62 | o Extended and corrected OID (object identifier) table. | |
63 | o PRNG: query at more locations for a random device, automatic query for | |
64 | EGD style random sources at several locations. | |
65 | o SSL/TLS: allow optional cipher choice according to server's preference. | |
66 | o SSL/TLS: allow server to explicitly set new session ids. | |
67 | o SSL/TLS: support Kerberos cipher suites (RFC2712). | |
68 | Only supports MIT Kerberos for now. | |
69 | o SSL/TLS: allow more precise control of renegotiations and sessions. | |
70 | o SSL/TLS: add callback to retrieve SSL/TLS messages. | |
71 | o SSL/TLS: support AES cipher suites (RFC3268). | |
72 | ||
73 | Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: | |
74 | ||
75 | o Important security related bugfixes. | |
76 | ||
77 | Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: | |
78 | ||
79 | o New configuration targets for Tandem OSS and A/UX. | |
80 | o New OIDs for Microsoft attributes. | |
81 | o Better handling of SSL session caching. | |
82 | o Better comparison of distinguished names. | |
83 | o Better handling of shared libraries in a mixed GNU/non-GNU environment. | |
84 | o Support assembler code with Borland C. | |
85 | o Fixes for length problems. | |
86 | o Fixes for uninitialised variables. | |
87 | o Fixes for memory leaks, some unusual crashes and some race conditions. | |
88 | o Fixes for smaller building problems. | |
89 | o Updates of manuals, FAQ and other instructive documents. | |
90 | ||
91 | Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: | |
92 | ||
93 | o Important building fixes on Unix. | |
94 | ||
95 | Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: | |
96 | ||
97 | o Various important bugfixes. | |
98 | ||
99 | Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: | |
100 | ||
101 | o Important security related bugfixes. | |
102 | o Various SSL/TLS library bugfixes. | |
103 | ||
104 | Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: | |
105 | ||
106 | o Various SSL/TLS library bugfixes. | |
107 | o Fix DH parameter generation for 'non-standard' generators. | |
108 | ||
109 | Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: | |
110 | ||
111 | o Various SSL/TLS library bugfixes. | |
112 | o BIGNUM library fixes. | |
113 | o RSA OAEP and random number generation fixes. | |
114 | o Object identifiers corrected and added. | |
115 | o Add assembler BN routines for IA64. | |
116 | o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, | |
117 | MIPS Linux; shared library support for Irix, HP-UX. | |
118 | o Add crypto accelerator support for AEP, Baltimore SureWare, | |
119 | Broadcom and Cryptographic Appliance's keyserver | |
120 | [in 0.9.6c-engine release]. | |
121 | ||
122 | Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: | |
123 | ||
124 | o Security fix: PRNG improvements. | |
125 | o Security fix: RSA OAEP check. | |
126 | o Security fix: Reinsert and fix countermeasure to Bleichbacher's | |
127 | attack. | |
128 | o MIPS bug fix in BIGNUM. | |
129 | o Bug fix in "openssl enc". | |
130 | o Bug fix in X.509 printing routine. | |
131 | o Bug fix in DSA verification routine and DSA S/MIME verification. | |
132 | o Bug fix to make PRNG thread-safe. | |
133 | o Bug fix in RAND_file_name(). | |
134 | o Bug fix in compatibility mode trust settings. | |
135 | o Bug fix in blowfish EVP. | |
136 | o Increase default size for BIO buffering filter. | |
137 | o Compatibility fixes in some scripts. | |
138 | ||
139 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: | |
140 | ||
141 | o Security fix: change behavior of OpenSSL to avoid using | |
142 | environment variables when running as root. | |
143 | o Security fix: check the result of RSA-CRT to reduce the | |
144 | possibility of deducing the private key from an incorrectly | |
145 | calculated signature. | |
146 | o Security fix: prevent Bleichenbacher's DSA attack. | |
147 | o Security fix: Zero the premaster secret after deriving the | |
148 | master secret in DH ciphersuites. | |
149 | o Reimplement SSL_peek(), which had various problems. | |
150 | o Compatibility fix: the function des_encrypt() renamed to | |
151 | des_encrypt1() to avoid clashes with some Unixen libc. | |
152 | o Bug fixes for Win32, HP/UX and Irix. | |
153 | o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and | |
154 | memory checking routines. | |
155 | o Bug fixes for RSA operations in threaded environments. | |
156 | o Bug fixes in misc. openssl applications. | |
157 | o Remove a few potential memory leaks. | |
158 | o Add tighter checks of BIGNUM routines. | |
159 | o Shared library support has been reworked for generality. | |
160 | o More documentation. | |
161 | o New function BN_rand_range(). | |
162 | o Add "-rand" option to openssl s_client and s_server. | |
163 | ||
164 | Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: | |
165 | ||
166 | o Some documentation for BIO and SSL libraries. | |
167 | o Enhanced chain verification using key identifiers. | |
168 | o New sign and verify options to 'dgst' application. | |
169 | o Support for DER and PEM encoded messages in 'smime' application. | |
170 | o New 'rsautl' application, low level RSA utility. | |
171 | o MD4 now included. | |
172 | o Bugfix for SSL rollback padding check. | |
173 | o Support for external crypto devices [1]. | |
174 | o Enhanced EVP interface. | |
175 | ||
176 | [1] The support for external crypto devices is currently a separate | |
177 | distribution. See the file README.ENGINE. | |
178 | ||
179 | Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: | |
180 | ||
181 | o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 | |
182 | o Shared library support for HPUX and Solaris-gcc | |
183 | o Support of Linux/IA64 | |
184 | o Assembler support for Mingw32 | |
185 | o New 'rand' application | |
186 | o New way to check for existence of algorithms from scripts | |
187 | ||
188 | Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: | |
189 | ||
190 | o S/MIME support in new 'smime' command | |
191 | o Documentation for the OpenSSL command line application | |
192 | o Automation of 'req' application | |
193 | o Fixes to make s_client, s_server work under Windows | |
194 | o Support for multiple fieldnames in SPKACs | |
195 | o New SPKAC command line utilty and associated library functions | |
196 | o Options to allow passwords to be obtained from various sources | |
197 | o New public key PEM format and options to handle it | |
198 | o Many other fixes and enhancements to command line utilities | |
199 | o Usable certificate chain verification | |
200 | o Certificate purpose checking | |
201 | o Certificate trust settings | |
202 | o Support of authority information access extension | |
203 | o Extensions in certificate requests | |
204 | o Simplified X509 name and attribute routines | |
205 | o Initial (incomplete) support for international character sets | |
206 | o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD | |
207 | o Read only memory BIOs and simplified creation function | |
208 | o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 | |
209 | record; allow fragmentation and interleaving of handshake and other | |
210 | data | |
211 | o TLS/SSL code now "tolerates" MS SGC | |
212 | o Work around for Netscape client certificate hang bug | |
213 | o RSA_NULL option that removes RSA patent code but keeps other | |
214 | RSA functionality | |
215 | o Memory leak detection now allows applications to add extra information | |
216 | via a per-thread stack | |
217 | o PRNG robustness improved | |
218 | o EGD support | |
219 | o BIGNUM library bug fixes | |
220 | o Faster DSA parameter generation | |
221 | o Enhanced support for Alpha Linux | |
222 | o Experimental MacOS support | |
223 | ||
224 | Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: | |
225 | ||
226 | o Transparent support for PKCS#8 format private keys: these are used | |
227 | by several software packages and are more secure than the standard | |
228 | form | |
229 | o PKCS#5 v2.0 implementation | |
230 | o Password callbacks have a new void * argument for application data | |
231 | o Avoid various memory leaks | |
232 | o New pipe-like BIO that allows using the SSL library when actual I/O | |
233 | must be handled by the application (BIO pair) | |
234 | ||
235 | Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: | |
236 | o Lots of enhancements and cleanups to the Configuration mechanism | |
237 | o RSA OEAP related fixes | |
238 | o Added `openssl ca -revoke' option for revoking a certificate | |
239 | o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs | |
240 | o Source tree cleanups: removed lots of obsolete files | |
241 | o Thawte SXNet, certificate policies and CRL distribution points | |
242 | extension support | |
243 | o Preliminary (experimental) S/MIME support | |
244 | o Support for ASN.1 UTF8String and VisibleString | |
245 | o Full integration of PKCS#12 code | |
246 | o Sparc assembler bignum implementation, optimized hash functions | |
247 | o Option to disable selected ciphers | |
248 | ||
249 | Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: | |
250 | o Fixed a security hole related to session resumption | |
251 | o Fixed RSA encryption routines for the p < q case | |
252 | o "ALL" in cipher lists now means "everything except NULL ciphers" | |
253 | o Support for Triple-DES CBCM cipher | |
254 | o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA | |
255 | o First support for new TLSv1 ciphers | |
256 | o Added a few new BIOs (syslog BIO, reliable BIO) | |
257 | o Extended support for DSA certificate/keys. | |
258 | o Extended support for Certificate Signing Requests (CSR) | |
259 | o Initial support for X.509v3 extensions | |
260 | o Extended support for compression inside the SSL record layer | |
261 | o Overhauled Win32 builds | |
262 | o Cleanups and fixes to the Big Number (BN) library | |
263 | o Support for ASN.1 GeneralizedTime | |
264 | o Splitted ASN.1 SETs from SEQUENCEs | |
265 | o ASN1 and PEM support for Netscape Certificate Sequences | |
266 | o Overhauled Perl interface | |
267 | o Lots of source tree cleanups. | |
268 | o Lots of memory leak fixes. | |
269 | o Lots of bug fixes. | |
270 | ||
271 | Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: | |
272 | o Integration of the popular NO_RSA/NO_DSA patches | |
273 | o Initial support for compression inside the SSL record layer | |
274 | o Added BIO proxy and filtering functionality | |
275 | o Extended Big Number (BN) library | |
276 | o Added RIPE MD160 message digest | |
277 | o Addeed support for RC2/64bit cipher | |
278 | o Extended ASN.1 parser routines | |
279 | o Adjustations of the source tree for CVS | |
280 | o Support for various new platforms | |
281 |