Releases: quarckster/openssl
Releases · quarckster/openssl
OpenSSL 1.1.1m
Changelog
- None
OpenSSL 3.0.0
Changelog
- Enhanced 'openssl list' with many new options.
- Added migration guide to man7.
- Implemented support for fully "pluggable" TLSv1.3 groups.
- Added suport for Kernel TLS (KTLS).
- Changed the license to the Apache License v2.0.
- Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
RC4, RC5, and DES to the legacy provider. - Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
provider. - Added convenience functions for generating asymmetric key pairs.
- Deprecated the
OCSP_REQ_CTX
type and functions. - Deprecated the
EC_KEY
andEC_KEY_METHOD
types and functions. - Deprecated the
RSA
andRSA_METHOD
types and functions. - Deprecated the
DSA
andDSA_METHOD
types and functions. - Deprecated the
DH
andDH_METHOD
types and functions. - Deprecated the
ERR_load_
functions. - Remove the
RAND_DRBG
API. - Deprecated the
ENGINE
API. - Added
OSSL_LIB_CTX
, a libcrypto library context. - Added various
_ex
functions to the OpenSSL API that support using
a non-defaultOSSL_LIB_CTX
. - Interactive mode is removed from the 'openssl' program.
- The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
included in the FIPS provider. - X509 certificates signed using SHA1 are no longer allowed at security
level 1 or higher. The default security level for TLS is 1, so
certificates signed using SHA1 are by default no longer trusted to
authenticate servers or clients. - enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly
disabled; the project uses address sanitize/leak-detect instead. - Added a Certificate Management Protocol (CMP, RFC 4210) implementation
also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
All widely used CMP features are supported for both clients and servers. - Added a proper HTTP client supporting GET with optional redirection, POST,
arbitrary request and response content types, TLS, persistent connections,
connections via HTTP(s) proxies, connections and exchange via user-defined
BIOs (allowing implicit connections), and timeout checks. - Added util/check-format.pl for checking adherence to the coding guidelines.
- Added OSSL_ENCODER, a generic encoder API.
- Added OSSL_DECODER, a generic decoder API.
- Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
- Added error raising macros, ERR_raise() and ERR_raise_data().
- Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
ERR_func_error_string(). - Added OSSL_PROVIDER_available(), to check provider availibility.
- Added 'openssl mac' that uses the EVP_MAC API.
- Added 'openssl kdf' that uses the EVP_KDF API.
- Add OPENSSL_info() and 'openssl info' to get built-in data.
- Add support for enabling instrumentation through trace and debug
output. - Changed our version number scheme and set the next major release to
3.0.0 - Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305
and SIPHASH. - Removed the heartbeat message in DTLS feature.
- Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to
EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2,
PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF. - All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
SHA256, SHA384, SHA512 and Whirlpool digest functions have been
deprecated. - All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2,
RC4, RC5 and SEED cipher functions have been deprecated. - All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
have been deprecated. - SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
- Added providers, a new pluggability concept that will replace the
ENGINE API and ENGINE implementations.
OpenSSL 1.1.1l
Changelog
- Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
- Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)
OpenSSL 3.0.0-beta2
openssl-3.0.0-beta2 OpenSSL 3.0.0-beta2 release tag
OpenSSL 3.0.0-beta1
openssl-3.0.0-beta1 OpenSSL 3.0.0-beta1 release tag
OpenSSL 3.0.0-alpha17
openssl-3.0.0-alpha17 OpenSSL 3.0.0-alpha17 release tag
OpenSSL 3.0.0-alpha16
openssl-3.0.0-alpha16 OpenSSL 3.0.0-alpha16 release tag
OpenSSL 3.0.0-alpha15
openssl-3.0.0-alpha15 OpenSSL 3.0.0-alpha15 release tag
OpenSSL 3.0.0-alpha14
openssl-3.0.0-alpha14 OpenSSL 3.0.0-alpha14 release tag
OpenSSL 1.1.1k
Changelog
- Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag (CVE-2021-3450) - Fixed an issue where an OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client
(CVE-2021-3449)