Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
+ *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
+ Access to deprecated functions can be re-enabled by running config with
+ "enable-deprecated". In addition applications wishing to use deprecated
+ functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
+ will, by default, disable some transitive includes that previously existed
+ in the header files (e.g. ec.h will no longer, by default, include bn.h)
+ [Matt Caswell]
+
+ *) Added support for OCB mode. OpenSSL has been granted a patent license
+ compatible with the OpenSSL license for use of OCB. Details are available
+ at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
+ for OCB can be removed by calling config with no-ocb.
+ [Matt Caswell]
+
*) SSLv2 support has been removed. It still supports receiving a SSLv2
compatible client hello.
[Kurt Roeckx]
done while fixing the error code for the key-too-small case.
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
+ *) Remove various unsupported platforms:
+ Sony NEWS4
+ BEOS and BEOS_R5
+ NeXT
+ SUNOS
+ MPE/iX
+ Sinix/ReliantUNIX RM400
+ DGUX
+ NCR
+ Tandem
+ Cray
+ WIN16
+ [Rich Salz]
+
+ *) Start cleaning up OPENSSL_NO_xxx #define's
+ OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
+ OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
+ [Rich Salz]
+
*) Experimental support for a new, fast, unbiased prime candidate generator,
bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
[Felix Laurie von Massenbach <felix@erbridge.co.uk>]
Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
+ *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
+ ARMv5 through ARMv8, as opposite to "locking" it to single one.
+ So far those who have to target multiple plaforms would compromise
+ and argue that binary targeting say ARMv5 would still execute on
+ ARMv8. "Universal" build resolves this compromise by providing
+ near-optimal performance even on newer platforms.
+ [Andy Polyakov]
+
*) Accelerated NIST P-256 elliptic curve implementation for x86_64
(other platforms pending).
[Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable