]>
Commit | Line | Data |
---|---|---|
3b52c2e7 RE |
1 | |
2 | NEWS | |
3 | ==== | |
4 | ||
5 | This file gives a brief overview of the major changes between each OpenSSL | |
6 | release. For more details please read the CHANGES file. | |
7 | ||
ba442a7e MC |
8 | Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [under development] |
9 | ||
c7395fb9 MC |
10 | o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286) |
11 | o ASN.1 structure reuse memory corruption fix (CVE-2015-0287) | |
12 | o PKCS7 NULL pointer dereferences fix (CVE-2015-0289) | |
13 | o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293) | |
14 | o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209) | |
15 | o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288) | |
16 | o Removed the export ciphers from the DEFAULT ciphers | |
ba442a7e | 17 | |
e8ccaee3 | 18 | Major changes between OpenSSL 0.9.8zd and OpenSSL 0.9.8ze [15 Jan 2015] |
bc253b09 | 19 | |
346a46f0 | 20 | o Build fixes for the Windows and OpenVMS platforms |
bc253b09 | 21 | |
b873409e | 22 | Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [8 Jan 2015] |
94f735ca | 23 | |
1dc6a544 MC |
24 | o Fix for CVE-2014-3571 |
25 | o Fix for CVE-2014-3569 | |
26 | o Fix for CVE-2014-3572 | |
27 | o Fix for CVE-2015-0204 | |
28 | o Fix for CVE-2014-8275 | |
29 | o Fix for CVE-2014-3570 | |
94f735ca | 30 | |
36216218 | 31 | Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: |
4ff07f4c | 32 | |
53ce5647 MC |
33 | o Fix for CVE-2014-3513 |
34 | o Fix for CVE-2014-3567 | |
35 | o Mitigation for CVE-2014-3566 (SSL protocol vulnerability) | |
36 | o Fix for CVE-2014-3568 | |
4ff07f4c | 37 | |
1c5f396d | 38 | Major changes between OpenSSL 0.9.8za and OpenSSL 0.9.8zb [6 Aug 2014]: |
4a1190be | 39 | |
9fcaaef3 MC |
40 | o Fix for CVE-2014-3510 |
41 | o Fix for CVE-2014-3507 | |
42 | o Fix for CVE-2014-3506 | |
43 | o Fix for CVE-2014-3505 | |
44 | o Fix for CVE-2014-3508 | |
4a1190be | 45 | |
60268907 | 46 | Known issues in OpenSSL 0.9.8za: |
810d2c7f DSH |
47 | |
48 | o Compilation failure of s3_pkt.c on some platforms due to missing | |
49 | <limits.h> include. Fixed in 0.9.8zb-dev. | |
50 | o FIPS capable link failure with missing symbol BN_consttime_swap. | |
51 | Fixed in 0.9.8zb-dev. Workaround is to compile with no-ec: the EC | |
90aef443 | 52 | algorithms are not FIPS approved in OpenSSL 0.9.8 anyway. |
810d2c7f | 53 | |
047ec5d1 | 54 | Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]: |
79f57768 | 55 | |
bb598893 DSH |
56 | o Fix for CVE-2014-0224 |
57 | o Fix for CVE-2014-0221 | |
58 | o Fix for CVE-2014-0195 | |
59 | o Fix for CVE-2014-3470 | |
79f57768 | 60 | o Fix for CVE-2014-0076 |
bb598893 | 61 | o Fix for CVE-2010-5298 |
79f57768 DSH |
62 | o Fix to TLS alert handling. |
63 | ||
42682160 | 64 | Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]: |
32619893 | 65 | |
031cbecf | 66 | o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 |
32619893 DSH |
67 | o Fix OCSP bad key DoS attack CVE-2013-0166 |
68 | ||
42682160 | 69 | Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]: |
d742f9eb DSH |
70 | |
71 | o Fix DTLS record length checking bug CVE-2012-2333 | |
72 | ||
42682160 | 73 | Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]: |
391ac370 DSH |
74 | |
75 | o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) | |
76 | ||
42682160 | 77 | Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]: |
64150555 DSH |
78 | |
79 | o Fix for ASN1 overflow bug CVE-2012-2110 | |
80 | ||
42682160 | 81 | Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]: |
b9c3d916 DSH |
82 | |
83 | o Fix for CMS/PKCS#7 MMA CVE-2012-0884 | |
84 | o Corrected fix for CVE-2011-4619 | |
85 | o Various DTLS fixes. | |
86 | ||
42682160 | 87 | Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]: |
6cc5f194 DSH |
88 | |
89 | o Fix for DTLS DoS issue CVE-2012-0050 | |
90 | ||
42682160 | 91 | Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]: |
7b775145 DSH |
92 | |
93 | o Fix for DTLS plaintext recovery attack CVE-2011-4108 | |
94 | o Fix policy check double free error CVE-2011-4109 | |
95 | o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 | |
96 | o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 | |
97 | o Check for malformed RFC3779 data CVE-2011-4577 | |
98 | ||
42682160 | 99 | Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]: |
957ebe98 BM |
100 | |
101 | o Fix for security issue CVE-2011-0014 | |
102 | ||
42682160 | 103 | Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]: |
1948f9e0 | 104 | |
7890b562 | 105 | o Fix for security issue CVE-2010-4180 |
1948f9e0 | 106 | o Fix for CVE-2010-4252 |
1948f9e0 | 107 | |
42682160 | 108 | Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]: |
2ae47ddb DSH |
109 | |
110 | o Fix for security issue CVE-2010-3864. | |
111 | ||
42682160 | 112 | Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]: |
3416d119 | 113 | |
22872a53 | 114 | o Fix for security issue CVE-2010-0742. |
3416d119 DSH |
115 | o Various DTLS fixes. |
116 | o Recognise SHA2 certificates if only SSL algorithms added. | |
117 | o Fix for no-rc4 compilation. | |
118 | o Chil ENGINE unload workaround. | |
119 | ||
42682160 | 120 | Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]: |
4fae8688 DSH |
121 | |
122 | o CFB cipher definition fixes. | |
123 | o Fix security issues CVE-2010-0740 and CVE-2010-0433. | |
124 | ||
42682160 | 125 | Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]: |
8b8a2928 | 126 | |
7070cdba DSH |
127 | o Cipher definition fixes. |
128 | o Workaround for slow RAND_poll() on some WIN32 versions. | |
8b8a2928 DSH |
129 | o Remove MD2 from algorithm tables. |
130 | o SPKAC handling fixes. | |
68be98d1 | 131 | o Support for RFC5746 TLS renegotiation extension. |
8b8a2928 DSH |
132 | o Compression memory leak fixed. |
133 | o Compression session resumption fixed. | |
134 | o Ticket and SNI coexistence fixes. | |
135 | o Many fixes to DTLS handling. | |
136 | ||
42682160 | 137 | Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]: |
8b8a2928 DSH |
138 | |
139 | o Temporary work around for CVE-2009-3555: disable renegotiation. | |
140 | ||
42682160 | 141 | Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]: |
e10051ef DSH |
142 | |
143 | o Fix various build issues. | |
144 | o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) | |
145 | ||
42682160 | 146 | Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]: |
6287fa53 DSH |
147 | |
148 | o Fix security issue (CVE-2008-5077) | |
149 | o Merge FIPS 140-2 branch code. | |
150 | ||
42682160 | 151 | Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]: |
b7e7aa00 DSH |
152 | |
153 | o CryptoAPI ENGINE support. | |
154 | o Various precautionary measures. | |
155 | o Fix for bugs affecting certificate request creation. | |
156 | o Support for local machine keyset attribute in PKCS#12 files. | |
157 | ||
42682160 | 158 | Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]: |
32f1f622 | 159 | |
b7e7aa00 | 160 | o Backport of CMS functionality to 0.9.8. |
32f1f622 LJ |
161 | o Fixes for bugs introduced with 0.9.8f. |
162 | ||
42682160 | 163 | Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]: |
29c0866b | 164 | |
272f9f3d | 165 | o Add gcc 4.2 support. |
29c0866b DSH |
166 | o Add support for AES and SSE2 assembly lanugauge optimization |
167 | for VC++ build. | |
168 | o Support for RFC4507bis and server name extensions if explicitly | |
169 | selected at compile time. | |
dd002667 BL |
170 | o DTLS improvements. |
171 | o RFC4507bis support. | |
172 | o TLS Extensions support. | |
29c0866b | 173 | |
42682160 | 174 | Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]: |
ac319217 DSH |
175 | |
176 | o Various ciphersuite selection fixes. | |
177 | o RFC3779 support. | |
178 | ||
42682160 | 179 | Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]: |
951dfbb1 MC |
180 | |
181 | o Introduce limits to prevent malicious key DoS (CVE-2006-2940) | |
182 | o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) | |
183 | o Changes to ciphersuite selection algorithm | |
184 | ||
42682160 | 185 | Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]: |
df20b6e7 MC |
186 | |
187 | o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 | |
188 | o New cipher Camellia | |
189 | ||
42682160 | 190 | Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]: |
df22f59f DSH |
191 | |
192 | o Cipher string fixes. | |
193 | o Fixes for VC++ 2005. | |
194 | o Updated ECC cipher suite support. | |
195 | o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). | |
196 | o Zlib compression usage fixes. | |
197 | o Built in dynamic engine compilation support on Win32. | |
198 | o Fixes auto dynamic engine loading in Win32. | |
199 | ||
42682160 | 200 | Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]: |
64932f9e | 201 | |
df20b6e7 | 202 | o Fix potential SSL 2.0 rollback, CVE-2005-2969 |
64932f9e MC |
203 | o Extended Windows CE support |
204 | ||
42682160 | 205 | Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]: |
e0ee5ea9 RL |
206 | |
207 | o Major work on the BIGNUM library for higher efficiency and to | |
208 | make operations more streamlined and less contradictory. This | |
209 | is the result of a major audit of the BIGNUM library. | |
210 | o Addition of BIGNUM functions for fields GF(2^m) and NIST | |
211 | curves, to support the Elliptic Crypto functions. | |
212 | o Major work on Elliptic Crypto; ECDH and ECDSA added, including | |
213 | the use through EVP, X509 and ENGINE. | |
214 | o New ASN.1 mini-compiler that's usable through the OpenSSL | |
215 | configuration file. | |
216 | o Added support for ASN.1 indefinite length constructed encoding. | |
217 | o New PKCS#12 'medium level' API to manipulate PKCS#12 files. | |
218 | o Complete rework of shared library construction and linking | |
219 | programs with shared or static libraries, through a separate | |
220 | Makefile.shared. | |
1d01c9d4 | 221 | o Rework of the passing of parameters from one Makefile to another. |
e0ee5ea9 RL |
222 | o Changed ENGINE framework to load dynamic engine modules |
223 | automatically from specifically given directories. | |
224 | o New structure and ASN.1 functions for CertificatePair. | |
225 | o Changed the ZLIB compression method to be stateful. | |
226 | o Changed the key-generation and primality testing "progress" | |
227 | mechanism to take a structure that contains the ticker | |
228 | function and an argument. | |
229 | o New engine module: GMP (performs private key exponentiation). | |
230 | o New engine module: VIA PadLOck ACE extension in VIA C3 | |
231 | Nehemiah processors. | |
232 | o Added support for IPv6 addresses in certificate extensions. | |
233 | See RFC 1884, section 2.2. | |
234 | o Added support for certificate policy mappings, policy | |
235 | constraints and name constraints. | |
236 | o Added support for multi-valued AVAs in the OpenSSL | |
237 | configuration file. | |
238 | o Added support for multiple certificates with the same subject | |
239 | in the 'openssl ca' index file. | |
240 | o Make it possible to create self-signed certificates using | |
241 | 'openssl ca -selfsign'. | |
242 | o Make it possible to generate a serial number file with | |
243 | 'openssl ca -create_serial'. | |
244 | o New binary search functions with extended functionality. | |
245 | o New BUF functions. | |
246 | o New STORE structure and library to provide an interface to all | |
247 | sorts of data repositories. Supports storage of public and | |
248 | private keys, certificates, CRLs, numbers and arbitrary blobs. | |
249 | This library is unfortunately unfinished and unused withing | |
250 | OpenSSL. | |
251 | o New control functions for the error stack. | |
252 | o Changed the PKCS#7 library to support one-pass S/MIME | |
253 | processing. | |
254 | o Added the possibility to compile without old deprecated | |
255 | functionality with the OPENSSL_NO_DEPRECATED macro or the | |
256 | 'no-deprecated' argument to the config and Configure scripts. | |
257 | o Constification of all ASN.1 conversion functions, and other | |
258 | affected functions. | |
259 | o Improved platform support for PowerPC. | |
260 | o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). | |
261 | o New X509_VERIFY_PARAM structure to support parametrisation | |
262 | of X.509 path validation. | |
263 | o Major overhaul of RC4 performance on Intel P4, IA-64 and | |
264 | AMD64. | |
265 | o Changed the Configure script to have some algorithms disabled | |
266 | by default. Those can be explicitely enabled with the new | |
267 | argument form 'enable-xxx'. | |
268 | o Change the default digest in 'openssl' commands from MD5 to | |
269 | SHA-1. | |
b2d27e37 | 270 | o Added support for DTLS. |
e0ee5ea9 | 271 | o New BIGNUM blinding. |
b257c152 RL |
272 | o Added support for the RSA-PSS encryption scheme |
273 | o Added support for the RSA X.931 padding. | |
b2d27e37 RL |
274 | o Added support for BSD sockets on NetWare. |
275 | o Added support for files larger than 2GB. | |
1d01c9d4 RL |
276 | o Added initial support for Win64. |
277 | o Added alternate pkg-config files. | |
e0ee5ea9 | 278 | |
42682160 | 279 | Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]: |
8ea45317 BM |
280 | |
281 | o FIPS 1.1.1 module linking. | |
282 | o Various ciphersuite selection fixes. | |
283 | ||
42682160 | 284 | Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]: |
bd869183 BM |
285 | |
286 | o Introduce limits to prevent malicious key DoS (CVE-2006-2940) | |
287 | o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) | |
288 | ||
42682160 | 289 | Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]: |
df20b6e7 MC |
290 | |
291 | o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 | |
292 | ||
42682160 | 293 | Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]: |
df22f59f DSH |
294 | |
295 | o Visual C++ 2005 fixes. | |
296 | o Update Windows build system for FIPS. | |
297 | ||
42682160 | 298 | Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]: |
df22f59f DSH |
299 | |
300 | o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build. | |
301 | ||
42682160 | 302 | Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]: |
df22f59f | 303 | |
df20b6e7 | 304 | o Fix SSL 2.0 Rollback, CVE-2005-2969 |
df22f59f DSH |
305 | o Allow use of fixed-length exponent on DSA signing |
306 | o Default fixed-window RSA, DSA, DH private-key operations | |
307 | ||
42682160 | 308 | Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]: |
36521f01 RL |
309 | |
310 | o More compilation issues fixed. | |
311 | o Adaptation to more modern Kerberos API. | |
312 | o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. | |
313 | o Enhanced x86_64 assembler BIGNUM module. | |
314 | o More constification. | |
315 | o Added processing of proxy certificates (RFC 3820). | |
316 | ||
42682160 | 317 | Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]: |
36521f01 RL |
318 | |
319 | o Several compilation issues fixed. | |
320 | o Many memory allocation failure checks added. | |
321 | o Improved comparison of X509 Name type. | |
322 | o Mandatory basic checks on certificates. | |
323 | o Performance improvements. | |
324 | ||
42682160 | 325 | Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]: |
03386677 DSH |
326 | |
327 | o Fix race condition in CRL checking code. | |
328 | o Fixes to PKCS#7 (S/MIME) code. | |
329 | ||
42682160 | 330 | Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]: |
03386677 DSH |
331 | |
332 | o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug | |
333 | o Security: Fix null-pointer assignment in do_change_cipher_spec() | |
334 | o Allow multiple active certificates with same subject in CA index | |
335 | o Multiple X509 verification fixes | |
336 | o Speed up HMAC and other operations | |
337 | ||
42682160 | 338 | Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]: |
29902449 DSH |
339 | |
340 | o Security: fix various ASN1 parsing bugs. | |
341 | o New -ignore_err option to OCSP utility. | |
342 | o Various interop and bug fixes in S/MIME code. | |
343 | o SSL/TLS protocol fix for unrequested client certificates. | |
344 | ||
42682160 | 345 | Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]: |
1774e22d RL |
346 | |
347 | o Security: counter the Klima-Pokorny-Rosa extension of | |
348 | Bleichbacher's attack | |
349 | o Security: make RSA blinding default. | |
350 | o Configuration: Irix fixes, AIX fixes, better mingw support. | |
351 | o Support for new platforms: linux-ia64-ecc. | |
352 | o Build: shared library support fixes. | |
353 | o ASN.1: treat domainComponent correctly. | |
354 | o Documentation: fixes and additions. | |
355 | ||
42682160 | 356 | Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]: |
d8cbc935 RL |
357 | |
358 | o Security: Important security related bugfixes. | |
359 | o Enhanced compatibility with MIT Kerberos. | |
360 | o Can be built without the ENGINE framework. | |
361 | o IA32 assembler enhancements. | |
362 | o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. | |
363 | o Configuration: the no-err option now works properly. | |
364 | o SSL/TLS: now handles manual certificate chain building. | |
365 | o SSL/TLS: certain session ID malfunctions corrected. | |
366 | ||
42682160 | 367 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]: |
83f25717 RL |
368 | |
369 | o New library section OCSP. | |
e4fb4977 LJ |
370 | o Complete rewrite of ASN1 code. |
371 | o CRL checking in verify code and openssl utility. | |
372 | o Extension copying in 'ca' utility. | |
373 | o Flexible display options in 'ca' utility. | |
374 | o Provisional support for international characters with UTF8. | |
4dec4f64 BM |
375 | o Support for external crypto devices ('engine') is no longer |
376 | a separate distribution. | |
e4fb4977 LJ |
377 | o New elliptic curve library section. |
378 | o New AES (Rijndael) library section. | |
1fc73fef | 379 | o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, |
29902449 | 380 | Linux x86_64, Linux 64-bit on Sparc v9 |
9801fb61 RL |
381 | o Extended support for some platforms: VxWorks |
382 | o Enhanced support for shared libraries. | |
29902449 | 383 | o Now only builds PIC code when shared library support is requested. |
9801fb61 RL |
384 | o Support for pkg-config. |
385 | o Lots of new manuals. | |
29902449 DSH |
386 | o Makes symbolic links to or copies of manuals to cover all described |
387 | functions. | |
e4fb4977 LJ |
388 | o Change DES API to clean up the namespace (some applications link also |
389 | against libdes providing similar functions having the same name). | |
390 | Provide macros for backward compatibility (will be removed in the | |
391 | future). | |
ece0bdf1 BM |
392 | o Unify handling of cryptographic algorithms (software and engine) |
393 | to be available via EVP routines for asymmetric and symmetric ciphers. | |
e4fb4977 LJ |
394 | o NCONF: new configuration handling routines. |
395 | o Change API to use more 'const' modifiers to improve error checking | |
396 | and help optimizers. | |
397 | o Finally remove references to RSAref. | |
398 | o Reworked parts of the BIGNUM code. | |
399 | o Support for new engines: Broadcom ubsec, Accelerated Encryption | |
400 | Processing, IBM 4758. | |
9801fb61 | 401 | o A few new engines added in the demos area. |
e1f7ea25 | 402 | o Extended and corrected OID (object identifier) table. |
e4fb4977 LJ |
403 | o PRNG: query at more locations for a random device, automatic query for |
404 | EGD style random sources at several locations. | |
405 | o SSL/TLS: allow optional cipher choice according to server's preference. | |
406 | o SSL/TLS: allow server to explicitly set new session ids. | |
407 | o SSL/TLS: support Kerberos cipher suites (RFC2712). | |
1fc73fef | 408 | Only supports MIT Kerberos for now. |
e4fb4977 LJ |
409 | o SSL/TLS: allow more precise control of renegotiations and sessions. |
410 | o SSL/TLS: add callback to retrieve SSL/TLS messages. | |
ea4f109c | 411 | o SSL/TLS: support AES cipher suites (RFC3268). |
e4fb4977 | 412 | |
42682160 | 413 | Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]: |
29902449 DSH |
414 | |
415 | o Security: fix various ASN1 parsing bugs. | |
416 | o SSL/TLS protocol fix for unrequested client certificates. | |
417 | ||
42682160 | 418 | Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]: |
138f970e RL |
419 | |
420 | o Security: counter the Klima-Pokorny-Rosa extension of | |
421 | Bleichbacher's attack | |
422 | o Security: make RSA blinding default. | |
423 | o Build: shared library support fixes. | |
424 | ||
42682160 | 425 | Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]: |
d8cbc935 RL |
426 | |
427 | o Important security related bugfixes. | |
428 | ||
42682160 | 429 | Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]: |
9801fb61 RL |
430 | |
431 | o New configuration targets for Tandem OSS and A/UX. | |
432 | o New OIDs for Microsoft attributes. | |
433 | o Better handling of SSL session caching. | |
434 | o Better comparison of distinguished names. | |
435 | o Better handling of shared libraries in a mixed GNU/non-GNU environment. | |
436 | o Support assembler code with Borland C. | |
437 | o Fixes for length problems. | |
438 | o Fixes for uninitialised variables. | |
439 | o Fixes for memory leaks, some unusual crashes and some race conditions. | |
440 | o Fixes for smaller building problems. | |
441 | o Updates of manuals, FAQ and other instructive documents. | |
442 | ||
42682160 | 443 | Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]: |
36969082 RL |
444 | |
445 | o Important building fixes on Unix. | |
446 | ||
42682160 | 447 | Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]: |
fbe792f0 RL |
448 | |
449 | o Various important bugfixes. | |
450 | ||
42682160 | 451 | Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]: |
b218af2b LJ |
452 | |
453 | o Important security related bugfixes. | |
454 | o Various SSL/TLS library bugfixes. | |
455 | ||
42682160 | 456 | Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]: |
e4fb4977 LJ |
457 | |
458 | o Various SSL/TLS library bugfixes. | |
459 | o Fix DH parameter generation for 'non-standard' generators. | |
4dec4f64 | 460 | |
42682160 | 461 | Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]: |
ae52ec98 BM |
462 | |
463 | o Various SSL/TLS library bugfixes. | |
464 | o BIGNUM library fixes. | |
ef5f6a08 RL |
465 | o RSA OAEP and random number generation fixes. |
466 | o Object identifiers corrected and added. | |
467 | o Add assembler BN routines for IA64. | |
468 | o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, | |
469 | MIPS Linux; shared library support for Irix, HP-UX. | |
a3790c0d | 470 | o Add crypto accelerator support for AEP, Baltimore SureWare, |
ef5f6a08 RL |
471 | Broadcom and Cryptographic Appliance's keyserver |
472 | [in 0.9.6c-engine release]. | |
ae52ec98 | 473 | |
42682160 | 474 | Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]: |
4dec4f64 BM |
475 | |
476 | o Security fix: PRNG improvements. | |
477 | o Security fix: RSA OAEP check. | |
478 | o Security fix: Reinsert and fix countermeasure to Bleichbacher's | |
479 | attack. | |
480 | o MIPS bug fix in BIGNUM. | |
481 | o Bug fix in "openssl enc". | |
482 | o Bug fix in X.509 printing routine. | |
483 | o Bug fix in DSA verification routine and DSA S/MIME verification. | |
484 | o Bug fix to make PRNG thread-safe. | |
485 | o Bug fix in RAND_file_name(). | |
486 | o Bug fix in compatibility mode trust settings. | |
487 | o Bug fix in blowfish EVP. | |
488 | o Increase default size for BIO buffering filter. | |
489 | o Compatibility fixes in some scripts. | |
83f25717 | 490 | |
42682160 | 491 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]: |
7cdd2aa1 RL |
492 | |
493 | o Security fix: change behavior of OpenSSL to avoid using | |
494 | environment variables when running as root. | |
495 | o Security fix: check the result of RSA-CRT to reduce the | |
496 | possibility of deducing the private key from an incorrectly | |
497 | calculated signature. | |
498 | o Security fix: prevent Bleichenbacher's DSA attack. | |
499 | o Security fix: Zero the premaster secret after deriving the | |
500 | master secret in DH ciphersuites. | |
4fea8145 | 501 | o Reimplement SSL_peek(), which had various problems. |
307bf4da RL |
502 | o Compatibility fix: the function des_encrypt() renamed to |
503 | des_encrypt1() to avoid clashes with some Unixen libc. | |
7cdd2aa1 RL |
504 | o Bug fixes for Win32, HP/UX and Irix. |
505 | o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and | |
506 | memory checking routines. | |
5012158a | 507 | o Bug fixes for RSA operations in threaded environments. |
7cdd2aa1 RL |
508 | o Bug fixes in misc. openssl applications. |
509 | o Remove a few potential memory leaks. | |
510 | o Add tighter checks of BIGNUM routines. | |
511 | o Shared library support has been reworked for generality. | |
512 | o More documentation. | |
4fea8145 | 513 | o New function BN_rand_range(). |
7cdd2aa1 RL |
514 | o Add "-rand" option to openssl s_client and s_server. |
515 | ||
42682160 | 516 | Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]: |
4e87e05b DSH |
517 | |
518 | o Some documentation for BIO and SSL libraries. | |
519 | o Enhanced chain verification using key identifiers. | |
520 | o New sign and verify options to 'dgst' application. | |
521 | o Support for DER and PEM encoded messages in 'smime' application. | |
522 | o New 'rsautl' application, low level RSA utility. | |
b38d84d8 BM |
523 | o MD4 now included. |
524 | o Bugfix for SSL rollback padding check. | |
4dec4f64 | 525 | o Support for external crypto devices [1]. |
fda05b21 | 526 | o Enhanced EVP interface. |
b22bda21 | 527 | |
4dec4f64 BM |
528 | [1] The support for external crypto devices is currently a separate |
529 | distribution. See the file README.ENGINE. | |
530 | ||
42682160 | 531 | Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]: |
35a79ecb | 532 | |
b7a81df4 | 533 | o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 |
35a79ecb RL |
534 | o Shared library support for HPUX and Solaris-gcc |
535 | o Support of Linux/IA64 | |
b7a81df4 | 536 | o Assembler support for Mingw32 |
35a79ecb RL |
537 | o New 'rand' application |
538 | o New way to check for existence of algorithms from scripts | |
539 | ||
42682160 | 540 | Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]: |
0c235249 | 541 | |
90644dd7 | 542 | o S/MIME support in new 'smime' command |
0c235249 | 543 | o Documentation for the OpenSSL command line application |
90644dd7 DSH |
544 | o Automation of 'req' application |
545 | o Fixes to make s_client, s_server work under Windows | |
546 | o Support for multiple fieldnames in SPKACs | |
547 | o New SPKAC command line utilty and associated library functions | |
ae1bb4e5 | 548 | o Options to allow passwords to be obtained from various sources |
90644dd7 DSH |
549 | o New public key PEM format and options to handle it |
550 | o Many other fixes and enhancements to command line utilities | |
551 | o Usable certificate chain verification | |
552 | o Certificate purpose checking | |
553 | o Certificate trust settings | |
554 | o Support of authority information access extension | |
555 | o Extensions in certificate requests | |
556 | o Simplified X509 name and attribute routines | |
ae1bb4e5 | 557 | o Initial (incomplete) support for international character sets |
90644dd7 DSH |
558 | o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD |
559 | o Read only memory BIOs and simplified creation function | |
8bd5b794 BM |
560 | o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 |
561 | record; allow fragmentation and interleaving of handshake and other | |
562 | data | |
90644dd7 | 563 | o TLS/SSL code now "tolerates" MS SGC |
8bd5b794 | 564 | o Work around for Netscape client certificate hang bug |
90644dd7 DSH |
565 | o RSA_NULL option that removes RSA patent code but keeps other |
566 | RSA functionality | |
07e6dbde BM |
567 | o Memory leak detection now allows applications to add extra information |
568 | via a per-thread stack | |
569 | o PRNG robustness improved | |
4d524e10 | 570 | o EGD support |
6d9ca500 | 571 | o BIGNUM library bug fixes |
4d524e10 | 572 | o Faster DSA parameter generation |
74235cc9 UM |
573 | o Enhanced support for Alpha Linux |
574 | o Experimental MacOS support | |
0c235249 | 575 | |
42682160 | 576 | Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]: |
ed7f60fb DSH |
577 | |
578 | o Transparent support for PKCS#8 format private keys: these are used | |
c97cbcb3 BM |
579 | by several software packages and are more secure than the standard |
580 | form | |
581 | o PKCS#5 v2.0 implementation | |
582 | o Password callbacks have a new void * argument for application data | |
583 | o Avoid various memory leaks | |
584 | o New pipe-like BIO that allows using the SSL library when actual I/O | |
585 | must be handled by the application (BIO pair) | |
ed7f60fb | 586 | |
42682160 | 587 | Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]: |
9de649ff UM |
588 | o Lots of enhancements and cleanups to the Configuration mechanism |
589 | o RSA OEAP related fixes | |
8e8a8a5f RE |
590 | o Added `openssl ca -revoke' option for revoking a certificate |
591 | o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs | |
592 | o Source tree cleanups: removed lots of obsolete files | |
703126f0 | 593 | o Thawte SXNet, certificate policies and CRL distribution points |
a03dd7a6 | 594 | extension support |
703126f0 DSH |
595 | o Preliminary (experimental) S/MIME support |
596 | o Support for ASN.1 UTF8String and VisibleString | |
597 | o Full integration of PKCS#12 code | |
2cf9fcda | 598 | o Sparc assembler bignum implementation, optimized hash functions |
b0759f87 | 599 | o Option to disable selected ciphers |
8e8a8a5f | 600 | |
42682160 | 601 | Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]: |
738769ff RE |
602 | o Fixed a security hole related to session resumption |
603 | o Fixed RSA encryption routines for the p < q case | |
604 | o "ALL" in cipher lists now means "everything except NULL ciphers" | |
3b52c2e7 RE |
605 | o Support for Triple-DES CBCM cipher |
606 | o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA | |
607 | o First support for new TLSv1 ciphers | |
608 | o Added a few new BIOs (syslog BIO, reliable BIO) | |
609 | o Extended support for DSA certificate/keys. | |
03e20a1a | 610 | o Extended support for Certificate Signing Requests (CSR) |
3b52c2e7 RE |
611 | o Initial support for X.509v3 extensions |
612 | o Extended support for compression inside the SSL record layer | |
613 | o Overhauled Win32 builds | |
614 | o Cleanups and fixes to the Big Number (BN) library | |
615 | o Support for ASN.1 GeneralizedTime | |
616 | o Splitted ASN.1 SETs from SEQUENCEs | |
617 | o ASN1 and PEM support for Netscape Certificate Sequences | |
618 | o Overhauled Perl interface | |
619 | o Lots of source tree cleanups. | |
620 | o Lots of memory leak fixes. | |
621 | o Lots of bug fixes. | |
622 | ||
42682160 | 623 | Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]: |
3b52c2e7 RE |
624 | o Integration of the popular NO_RSA/NO_DSA patches |
625 | o Initial support for compression inside the SSL record layer | |
626 | o Added BIO proxy and filtering functionality | |
627 | o Extended Big Number (BN) library | |
628 | o Added RIPE MD160 message digest | |
629 | o Addeed support for RC2/64bit cipher | |
630 | o Extended ASN.1 parser routines | |
631 | o Adjustations of the source tree for CVS | |
632 | o Support for various new platforms | |
633 |