=over 4
-=item -
+=item *
KDF algorithms "SINGLE STEP" and "SSH"
See L<EVP_KDF-SS(7)> and L<EVP_KDF-SSHKDF(7)>
-=item -
+=item *
MAC Algorithms "GMAC" and "KMAC"
See L<EVP_MAC-GMAC(7)> and L<EVP_MAC-KMAC(7)>.
-=item -
+=item *
KEM Algorithm "RSASVE"
See L<EVP_KEM-RSA(7)>.
-=item -
+=item *
Cipher Algorithm "AES-SIV"
See L<EVP_EncryptInit(3)/SIV Mode>.
-=item -
+=item *
AES Key Wrap inverse ciphers supported by EVP layer.
"AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and
"AES-256-WRAP-PAD-INV".
-=item AES CTS cipher added to EVP layer.
+=item *
+
+AES CTS cipher added to EVP layer.
The algorithms are "AES-128-CBC-CTS", "AES-192-CBC-CTS" and "AES-256-CBC-CTS".
CS1, CS2 and CS3 variants are supported.
=over 4
-=item -
+=item *
Added CAdES-BES signature verification support.
-=item -
+=item *
Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
-=item -
+=item *
Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
Its purpose is to support encryption and decryption of a digital envelope that
is both authenticated and encrypted using AES GCM mode.
-=item -
+=item *
L<PKCS7_get_octet_string(3)> and L<PKCS7_type_is_other(3)> were made public.
=over 4
-=item 1)
+=item 1.
Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
-=item 2)
+=item 2.
Suppress the warnings. Refer to your compiler documentation on how to do this.
-=item 3)
+=item 3.
Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
=over 4
-=item 1)
+=item 1.
The build and installation procedure has changed significantly.
to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.
-=item 2)
+=item 2.
Many structures have been made opaque in OpenSSL 3.0.
/* This line will now generate compiler errors */
EVP_MD_CTX_init(&md_ctx);
- The code needs to be amended to look like this:
+The code needs to be amended to look like this:
+
EVP_MD_CTX *md_ctx;
md_ctx = EVP_MD_CTX_new();
...
EVP_MD_CTX_free(md_ctx);
-=item 3)
+=item 3.
Support for TLSv1.3 has been added.
=over 4
-=item -
+=item *
L<ASN1_item_new(3)>, L<ASN1_item_d2i(3)>, L<ASN1_item_d2i_fp(3)>,
L<ASN1_item_d2i_bio(3)>, L<ASN1_item_sign(3)> and L<ASN1_item_verify(3)>
-=item -
+=item *
L<BIO_new(3)>
-=item -
+=item *
b2i_RSA_PVK_bio() and i2b_PVK_bio()
-=item -
+=item *
L<BN_CTX_new(3)> and L<BN_CTX_secure_new(3)>
-=item -
+=item *
L<CMS_AuthEnvelopedData_create(3)>, L<CMS_ContentInfo_new(3)>, L<CMS_data_create(3)>,
L<CMS_digest_create(3)>, L<CMS_EncryptedData_encrypt(3)>, L<CMS_encrypt(3)>,
L<CMS_EnvelopedData_create(3)>, L<CMS_ReceiptRequest_create0(3)> and L<CMS_sign(3)>
-=item -
+=item *
L<CONF_modules_load_file(3)>
-=item -
+=item *
L<CTLOG_new(3)>, L<CTLOG_new_from_base64(3)> and L<CTLOG_STORE_new(3)>
-=item -
+=item *
L<CT_POLICY_EVAL_CTX_new(3)>
-=item -
+=item *
L<d2i_AutoPrivateKey(3)>, L<d2i_PrivateKey(3)> and L<d2i_PUBKEY(3)>
-=item -
+=item *
L<d2i_PrivateKey_bio(3)> and L<d2i_PrivateKey_fp(3)>
Use L<d2i_PrivateKey_ex_bio(3)> and L<d2i_PrivateKey_ex_fp(3)>
-=item -
+=item *
L<EC_GROUP_new(3)>
Use L<EC_GROUP_new_by_curve_name_ex(3)> or L<EC_GROUP_new_from_params(3)>.
-=item -
+=item *
L<EVP_DigestSignInit(3)> and L<EVP_DigestVerifyInit(3)>
-=item -
+=item *
L<EVP_PBE_CipherInit(3)>, L<EVP_PBE_find(3)> and L<EVP_PBE_scrypt(3)>
-=item -
+=item *
L<PKCS5_PBE_keyivgen(3)>
-=item -
+=item *
L<EVP_PKCS82PKEY(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_id(3)>
Use L<EVP_PKEY_CTX_new_from_name(3)>
-=item -
+=item *
L<EVP_PKEY_derive_set_peer(3)>, L<EVP_PKEY_new_raw_private_key(3)>
and L<EVP_PKEY_new_raw_public_key(3)>
-=item -
+=item *
L<EVP_SignFinal(3)> and L<EVP_VerifyFinal(3)>
-=item -
+=item *
L<NCONF_new(3)>
-=item -
+=item *
L<OCSP_RESPID_match(3)> and L<OCSP_RESPID_set_by_key(3)>
-=item -
+=item *
L<OPENSSL_thread_stop(3)>
-=item -
+=item *
L<OSSL_STORE_open(3)>
-=item -
+=item *
L<PEM_read_bio_Parameters(3)>, L<PEM_read_bio_PrivateKey(3)>, L<PEM_read_bio_PUBKEY(3)>,
L<PEM_read_PrivateKey(3)> and L<PEM_read_PUBKEY(3)>
-=item -
+=item *
L<PEM_write_bio_PrivateKey(3)>, L<PEM_write_bio_PUBKEY(3)>, L<PEM_write_PrivateKey(3)>
and L<PEM_write_PUBKEY(3)>
-=item -
+=item *
L<PEM_X509_INFO_read_bio(3)> and L<PEM_X509_INFO_read(3)>
-=item -
+=item *
L<PKCS12_add_key(3)>, L<PKCS12_add_safe(3)>, L<PKCS12_add_safes(3)>,
L<PKCS12_create(3)>, L<PKCS12_decrypt_skey(3)>, L<PKCS12_init(3)>, L<PKCS12_item_decrypt_d2i(3)>,
L<PKCS12_key_gen_utf8(3)>, L<PKCS12_pack_p7encdata(3)>, L<PKCS12_pbe_crypt(3)>,
L<PKCS12_PBE_keyivgen(3)>, L<PKCS12_SAFEBAG_create_pkcs8_encrypt(3)>
-=item -
+=item *
L<PKCS5_pbe_set0_algor(3)>, L<PKCS5_pbe_set(3)>, L<PKCS5_pbe2_set_iv(3)>,
L<PKCS5_pbkdf2_set(3)> and L<PKCS5_v2_scrypt_keyivgen(3)>
-=item -
+=item *
L<PKCS7_encrypt(3)>, L<PKCS7_new(3)> and L<PKCS7_sign(3)>
-=item -
+=item *
L<PKCS8_decrypt(3)>, L<PKCS8_encrypt(3)> and L<PKCS8_set0_pbe(3)>
-=item -
+=item *
L<RAND_bytes(3)> and L<RAND_priv_bytes(3)>
-=item -
+=item *
L<SMIME_write_ASN1(3)>
-=item -
+=item *
L<SSL_load_client_CA_file(3)>
-=item -
+=item *
L<SSL_CTX_new(3)>
-=item -
+=item *
L<TS_RESP_CTX_new(3)>
-=item -
+=item *
L<X509_CRL_new(3)>
-=item -
+=item *
L<X509_load_cert_crl_file(3)> and L<X509_load_cert_file(3)>
-=item -
+=item *
L<X509_LOOKUP_by_subject(3)> and L<X509_LOOKUP_ctrl(3)>
-=item -
+=item *
L<X509_NAME_hash(3)>
-=item -
+=item *
L<X509_new(3)>
-=item -
+=item *
L<X509_REQ_new(3)> and L<X509_REQ_verify(3)>
-=item -
+=item *
L<X509_STORE_CTX_new(3)>, L<X509_STORE_set_default_paths(3)>, L<X509_STORE_load_file(3)>,
L<X509_STORE_load_locations(3)> and L<X509_STORE_load_store(3)>
=over 4
-=item -
+=item *
L<BIO_new_from_core_bio(3)>
-=item -
+=item *
L<EVP_ASYM_CIPHER_fetch(3)> and L<EVP_ASYM_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_CIPHER_fetch(3)> and L<EVP_CIPHER_do_all_provided(3)>
-=item -
+=item *
L<EVP_default_properties_enable_fips(3)> and
L<EVP_default_properties_is_fips_enabled(3)>
-=item -
+=item *
L<EVP_KDF_fetch(3)> and L<EVP_KDF_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEM_fetch(3)> and L<EVP_KEM_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYEXCH_fetch(3)> and L<EVP_KEYEXCH_do_all_provided(3)>
-=item -
+=item *
L<EVP_KEYMGMT_fetch(3)> and L<EVP_KEYMGMT_do_all_provided(3)>
-=item -
+=item *
L<EVP_MAC_fetch(3)> and L<EVP_MAC_do_all_provided(3)>
-=item -
+=item *
L<EVP_MD_fetch(3)> and L<EVP_MD_do_all_provided(3)>
-=item -
+=item *
L<EVP_PKEY_CTX_new_from_pkey(3)>
-=item -
+=item *
L<EVP_PKEY_Q_keygen(3)>
-=item -
+=item *
L<EVP_Q_mac(3)> and L<EVP_Q_digest(3)>
-=item -
+=item *
L<EVP_RAND(3)> and L<EVP_RAND_do_all_provided(3)>
-=item -
+=item *
L<EVP_set_default_properties(3)>
-=item -
+=item *
L<EVP_SIGNATURE_fetch(3)> and L<EVP_SIGNATURE_do_all_provided(3)>
-=item -
+=item *
L<OSSL_CMP_CTX_new(3)> and L<OSSL_CMP_SRV_CTX_new(3)>
-=item -
+=item *
L<OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(3)>
-=item -
+=item *
L<OSSL_CRMF_MSG_create_popo(3)> and L<OSSL_CRMF_MSGS_verify_popo(3)>
-=item -
+=item *
L<OSSL_CRMF_pbm_new(3)> and L<OSSL_CRMF_pbmp_new(3)>
-=item -
+=item *
L<OSSL_DECODER_CTX_add_extra(3)> and L<OSSL_DECODER_CTX_new_for_pkey(3)>
-=item -
+=item *
L<OSSL_DECODER_fetch(3)> and L<OSSL_DECODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_ENCODER_CTX_add_extra(3)>
-=item -
+=item *
L<OSSL_ENCODER_fetch(3)> and L<OSSL_ENCODER_do_all_provided(3)>
-=item -
+=item *
L<OSSL_LIB_CTX_free(3)>, L<OSSL_LIB_CTX_load_config(3)> and L<OSSL_LIB_CTX_set0_default(3)>
-=item -
+=item *
L<OSSL_PROVIDER_add_builtin(3)>, L<OSSL_PROVIDER_available(3)>,
L<OSSL_PROVIDER_do_all(3)>, L<OSSL_PROVIDER_load(3)>,
L<OSSL_PROVIDER_set_default_search_path(3)> and L<OSSL_PROVIDER_try_load(3)>
-=item -
+=item *
L<OSSL_SELF_TEST_get_callback(3)> and L<OSSL_SELF_TEST_set_callback(3)>
-=item -
+=item *
L<OSSL_STORE_attach(3)>
-=item -
+=item *
L<OSSL_STORE_LOADER_fetch(3)> and L<OSSL_STORE_LOADER_do_all_provided(3)>
-=item -
+=item *
L<RAND_get0_primary(3)>, L<RAND_get0_private(3)>, L<RAND_get0_public(3)>,
L<RAND_set_DRBG_type(3)> and L<RAND_set_seed_source_type(3)>
=over 4
-=item -
+=item *
AES_bi_ige_encrypt() and AES_ige_encrypt()
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.
-=item -
+=item *
AES_encrypt(), AES_decrypt(), AES_set_encrypt_key(), AES_set_decrypt_key(),
AES_cbc_encrypt(), AES_cfb128_encrypt(), AES_cfb1_encrypt(), AES_cfb8_encrypt(),
AES_ecb_encrypt(), AES_ofb128_encrypt()
-=item -
+=item *
AES_unwrap_key(), AES_wrap_key()
See L</Deprecated low-level encryption functions>
-=item -
+=item *
AES_options()
There is no replacement. It returned a string indicating if the AES code was unrolled.
-=item -
+=item *
ASN1_digest(), ASN1_sign(), ASN1_verify()
There are no replacements. These old functions are not used, and could be
disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.
-=item -
+=item *
ASN1_STRING_length_set()
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.
-=item -
+=item *
BF_encrypt(), BF_decrypt(), BF_set_key(), BF_cbc_encrypt(), BF_cfb64_encrypt(),
BF_ecb_encrypt(), BF_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The Blowfish algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
BF_options()
There is no replacement. This option returned a constant string.
-=item -
+=item *
BIO_get_callback(), BIO_set_callback(), BIO_debug_callback()
Use the respective non-deprecated _ex() functions.
-=item -
+=item *
BN_is_prime_ex(), BN_is_prime_fasttest_ex()
Use L<BN_check_prime(3)> which that avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.
-=item -
+=item *
BN_pseudo_rand(), BN_pseudo_rand_range()
Use L<BN_rand(3)> and L<BN_rand_range(3)>.
-=item -
+=item *
BN_X931_derive_prime_ex(), BN_X931_generate_prime_ex(), BN_X931_generate_Xpq()
by RSA_X931_derive_ex() and RSA_X931_generate_key_ex() which are also deprecated.
Use L<EVP_PKEY_keygen(3)> instead.
-=item -
+=item *
Camellia_encrypt(), Camellia_decrypt(), Camellia_set_key(),
Camellia_cbc_encrypt(), Camellia_cfb128_encrypt(), Camellia_cfb1_encrypt(),
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
CAST_encrypt(), CAST_decrypt(), CAST_set_key(), CAST_cbc_encrypt(),
CAST_cfb64_encrypt(), CAST_ecb_encrypt(), CAST_ofb64_encrypt()
See L</Deprecated low-level encryption functions>.
The CAST algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
CMAC_CTX_new(), CMAC_CTX_cleanup(), CMAC_CTX_copy(), CMAC_CTX_free(),
CMAC_CTX_get0_cipher_ctx()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CMAC_Init(), CMAC_Update(), CMAC_Final(), CMAC_resume()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
CRYPTO_mem_ctrl(), CRYPTO_mem_debug_free(), CRYPTO_mem_debug_malloc(),
CRYPTO_mem_debug_pop(), CRYPTO_mem_debug_push(), CRYPTO_mem_debug_realloc(),
Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.
-=item -
+=item *
d2i_DHparams(), d2i_DHxparams(), d2i_DSAparams(), d2i_DSAPrivateKey(),
d2i_DSAPrivateKey_bio(), d2i_DSAPrivateKey_fp(), d2i_DSA_PUBKEY(),
See L</Deprecated i2d and d2i functions for low-level key types>
-=item -
+=item *
DES_crypt(), DES_fcrypt(), DES_encrypt1(), DES_encrypt2(), DES_encrypt3(),
DES_decrypt3(), DES_ede3_cbc_encrypt(), DES_ede3_cfb64_encrypt(),
Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
"DES-CFB1" and "DES-CFB8" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
DH_bits(), DH_security_bits(), DH_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DH_check(), DH_check_ex(), DH_check_params(), DH_check_params_ex(),
DH_check_pub_key(), DH_check_pub_key_ex()
See L</Deprecated low-level validation functions>
-=item -
+=item *
DH_clear_flags(), DH_test_flags(), DH_set_flags()
Use EVP_PKEY_is_a() to determine the type of a key.
There is no replacement for setting these flags.
-=item -
+=item *
DH_compute_key() DH_compute_key_padded()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
DH_new(), DH_new_by_nid(), DH_free(), DH_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DH_generate_key(), DH_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DH_get0_pqg(), DH_get0_p(), DH_get0_q(), DH_get0_g(), DH_get0_key(),
DH_get0_priv_key(), DH_get0_pub_key(), DH_get_length(), DH_get_nid()
See L</Deprecated low-level key parameter getters>
-=item -
+=item *
DH_get_1024_160(), DH_get_2048_224(), DH_get_2048_256()
L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
"dh_2048_256" when generating a DH key.
-=item -
+=item *
DH_KDF_X9_42()
Applications should use L<EVP_PKEY_CTX_set_dh_kdf_type(3)> instead.
-=item -
+=item *
DH_get_default_method(), DH_get0_engine(), DH_meth_*(), DH_new_method(),
DH_OpenSSL(), DH_get_ex_data(), DH_set_default_method(), DH_set_method(),
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
DHparams_print(), DHparams_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DH_set0_key(), DH_set0_pqg(), DH_set_length()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_bits(), DSA_security_bits(), DSA_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
DHparams_dup(), DSA_dup_DH()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSA_generate_key(), DSA_generate_parameters_ex()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
DSA_get0_engine(), DSA_get_default_method(), DSA_get_ex_data(),
DSA_get_method(), DSA_meth_*(), DSA_new_method(), DSA_OpenSSL(),
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pqg(), DSA_get0_key(),
DSA_get0_priv_key(), DSA_get0_pub_key()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
DSA_new(), DSA_free(), DSA_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
DSAparams_dup()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
DSAparams_print(), DSAparams_print_fp(), DSA_print(), DSA_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
DSA_set0_key(), DSA_set0_pqg()
See L</Deprecated low-level key parameter setters>
-=item -
+=item *
DSA_set_flags(), DSA_clear_flags(), DSA_test_flags()
The B<DSA_FLAG_CACHE_MONT_P> flag has been deprecated without replacement.
-=item -
+=item *
DSA_sign(), DSA_do_sign(), DSA_sign_setup(), DSA_verify(), DSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDH_compute_key()
See L</Deprecated low-level key exchange functions>.
-=item -
+=item *
ECDH_KDF_X9_62()
L<EVP_PKEY_CTX_set_ecdh_kdf_type(3)> or by setting an B<OSSL_PARAM> using the
"kdf-type" as shown in L<EVP_KEYEXCH-ECDH(7)/EXAMPLES>
-=item -
+=item *
ECDSA_sign(), ECDSA_sign_ex(), ECDSA_sign_setup(), ECDSA_do_sign(),
ECDSA_do_sign_ex(), ECDSA_verify(), ECDSA_do_verify()
See L</Deprecated low-level signing functions>.
-=item -
+=item *
ECDSA_size()
Applications should use L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
EC_GF2m_simple_method(), EC_GFp_mont_method(), EC_GFp_nist_method(),
EC_GFp_nistp224_method(), EC_GFp_nistp256_method(), EC_GFp_nistp521_method(),
library automatically assigning a suitable method internally when an EC_GROUP
is constructed.
-=item -
+=item *
EC_GROUP_clear_free()
Use L<EC_GROUP_free(3)> instead.
-=item -
+=item *
EC_GROUP_get_curve_GF2m(), EC_GROUP_get_curve_GFp(), EC_GROUP_set_curve_GF2m(),
EC_GROUP_set_curve_GFp()
Applications should use L<EC_GROUP_get_curve(3)> and L<EC_GROUP_set_curve(3)>.
-=item -
+=item *
EC_GROUP_have_precompute_mult(), EC_GROUP_precompute_mult(),
EC_KEY_precompute_mult()
These functions are not widely used. Applications should instead switch to
named curves which OpenSSL has hardcoded lookup tables for.
-=item -
+=item *
EC_GROUP_new(), EC_GROUP_method_of(), EC_POINT_method_of()
internally without application intervention.
Users of EC_GROUP_new() should switch to a different suitable constructor.
-=item -
+=item *
EC_KEY_can_sign()
Applications should use L<EVP_PKEY_can_sign(3)> instead.
-=item -
+=item *
EC_KEY_check_key()
See L</Deprecated low-level validation functions>
-=item -
+=item *
EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()
B<OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC>.
See also L<EVP_PKEY-EC(7)/EXAMPLES>
-=item -
+=item *
EC_KEY_dup(), EC_KEY_copy()
There is no direct replacement. Applications may use L<EVP_PKEY_copy_parameters(3)>
and L<EVP_PKEY_dup(3)> instead.
-=item -
+=item *
EC_KEY_decoded_from_explicit_params()
There is no replacement.
-=item -
+=item *
EC_KEY_generate_key()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
EC_KEY_get0_group(), EC_KEY_get0_private_key(), EC_KEY_get0_public_key(),
EC_KEY_get_conv_form(), EC_KEY_get_enc_flags()
See L</Deprecated low-level key parameter getters>.
-=item -
+=item *
EC_KEY_get0_engine(), EC_KEY_get_default_method(), EC_KEY_get_method(),
EC_KEY_new_method(), EC_KEY_get_ex_data(), EC_KEY_OpenSSL(),
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_METHOD_get_field_type()
Use L<EC_GROUP_get_field_type(3)> instead.
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
EC_KEY_key2buf(), EC_KEY_oct2key(), EC_KEY_oct2priv(), EC_KEY_priv2buf(),
EC_KEY_priv2oct()
There are no replacements for these.
-=item -
+=item *
EC_KEY_new(), EC_KEY_new_by_curve_name(), EC_KEY_free(), EC_KEY_up_ref()
See L</Deprecated low-level object creation>
-=item -
+=item *
EC_KEY_print(), EC_KEY_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_KEY_set_asn1_flag(), EC_KEY_set_conv_form(), EC_KEY_set_enc_flags()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
EC_KEY_set_group(), EC_KEY_set_private_key(), EC_KEY_set_public_key(),
EC_KEY_set_public_key_affine_coordinates()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
ECParameters_print(), ECParameters_print_fp(), ECPKParameters_print(),
ECPKParameters_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
EC_POINT_bn2point(), EC_POINT_point2bn()
These functions were not particularly useful, since EC point serialization
formats are not individual big-endian integers.
-=item -
+=item *
EC_POINT_get_affine_coordinates_GF2m(), EC_POINT_get_affine_coordinates_GFp(),
EC_POINT_set_affine_coordinates_GF2m(), EC_POINT_set_affine_coordinates_GFp()
Applications should use L<EC_POINT_get_affine_coordinates(3)> and
L<EC_POINT_set_affine_coordinates(3)> instead.
-=item -
+=item *
EC_POINT_get_Jprojective_coordinates_GFp(), EC_POINT_set_Jprojective_coordinates_GFp()
L<EC_POINT_set_affine_coordinates(3)> and L<EC_POINT_get_affine_coordinates(3)>
functions.
-=item -
+=item *
EC_POINT_make_affine(), EC_POINTs_make_affine()
There is no replacement. These functions were not widely used, and OpenSSL
automatically performs this conversion when needed.
-=item -
+=item *
EC_POINT_set_compressed_coordinates_GF2m(), EC_POINT_set_compressed_coordinates_GFp()
Applications should use L<EC_POINT_set_compressed_coordinates(3)> instead.
-=item -
+=item *
EC_POINTs_mul()
This function is not widely used. Applications should instead use the
L<EC_POINT_mul(3)> function.
-=item -
+=item *
B<ENGINE_*()>
All engine functions are deprecated. An engine should be rewritten as a provider.
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
B<ERR_load_*()>, ERR_func_error_string(), ERR_get_error_line(),
ERR_get_error_line_data(), ERR_get_state()
OpenSSL now loads error strings automatically so these functions are not needed.
-=item -
+=item *
ERR_peek_error_line_data(), ERR_peek_last_error_line_data()
with ERR_peek functions and finish off with getting the error code by using
L<ERR_get_error(3)>.
-=item -
+=item *
EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_iv_noconst(), EVP_CIPHER_CTX_original_iv()
respectively.
See L<EVP_CIPHER_CTX_get_original_iv(3)> for further information.
-=item -
+=item *
B<EVP_CIPHER_meth_*()>, EVP_MD_CTX_set_update_fn(), EVP_MD_CTX_update_fn(),
B<EVP_MD_meth_*()>
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_CTRL_PKCS7_ENCRYPT(), EVP_PKEY_CTRL_PKCS7_DECRYPT(),
EVP_PKEY_CTRL_PKCS7_SIGN(), EVP_PKEY_CTRL_CMS_ENCRYPT(),
are replaced by direct checks of the key operation against the key type
when the operation is initialized.
-=item -
+=item *
EVP_PKEY_CTX_get0_dh_kdf_ukm(), EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
L<EVP_KEYEXCH-ECDH(7)/ECDH Key Exchange parameters>.
These functions are obsolete and should not be required.
-=item -
+=item *
EVP_PKEY_CTX_set_rsa_keygen_pubexp()
Applications should use L<EVP_PKEY_CTX_set1_rsa_keygen_pubexp(3)> instead.
-=item -
+=item *
EVP_PKEY_cmp(), EVP_PKEY_cmp_parameters()
Applications should use L<EVP_PKEY_eq(3)> and L<EVP_PKEY_parameters_eq(3)> instead.
See L<EVP_PKEY_copy_parameters(3)> for further details.
-=item -
+=item *
EVP_PKEY_encrypt_old(), EVP_PKEY_decrypt_old(),
Applications should use L<EVP_PKEY_encrypt_init(3)> and L<EVP_PKEY_encrypt(3)> or
L<EVP_PKEY_decrypt_init(3)> and L<EVP_PKEY_decrypt(3)> instead.
-=item -
+=item *
EVP_PKEY_get0()
This function returns NULL if the key comes from a provider.
-=item -
+=item *
EVP_PKEY_get0_DH(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_RSA(),
EVP_PKEY_get1_DH(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_EC_KEY and EVP_PKEY_get1_RSA(),
See L</Functions that return an internal key should be treated as read only>.
-=item -
+=item *
B<EVP_PKEY_meth_*()>
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_new_CMAC_key()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
EVP_PKEY_assign(), EVP_PKEY_set1_DH(), EVP_PKEY_set1_DSA(),
EVP_PKEY_set1_EC_KEY(), EVP_PKEY_set1_RSA()
See L</Deprecated low-level key object getters and setters>
-=item -
+=item *
EVP_PKEY_set1_tls_encodedpoint() EVP_PKEY_get1_tls_encodedpoint()
The old versions have been converted to deprecated macros that just call the
new functions.
-=item -
+=item *
EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
EVP_PKEY_set_alias_type()
This function has been removed. There is no replacement.
See L</EVP_PKEY_set_alias_type() method has been removed>
-=item -
+=item *
HMAC_Init_ex(), HMAC_Update(), HMAC_Final(), HMAC_size()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
HMAC_CTX_new(), HMAC_CTX_free(), HMAC_CTX_copy(), HMAC_CTX_reset(),
HMAC_CTX_set_flags(), HMAC_CTX_get_md()
See L</Deprecated low-level MAC functions>.
-=item -
+=item *
i2d_DHparams(), i2d_DHxparams()
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_DSAparams(), i2d_DSAPrivateKey(), i2d_DSAPrivateKey_bio(),
i2d_DSAPrivateKey_fp(), i2d_DSA_PUBKEY(), i2d_DSA_PUBKEY_bio(),
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_ECParameters(), i2d_ECPrivateKey(), i2d_ECPrivateKey_bio(),
i2d_ECPrivateKey_fp(), i2d_EC_PUBKEY(), i2d_EC_PUBKEY_bio(),
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
i2d_RSAPrivateKey(), i2d_RSAPrivateKey_bio(), i2d_RSAPrivateKey_fp(),
i2d_RSA_PUBKEY(), i2d_RSA_PUBKEY_bio(), i2d_RSA_PUBKEY_fp(),
See L</Deprecated low-level key reading and writing functions>
and L<d2i_RSAPrivateKey(3)/Migration>
-=item -
+=item *
IDEA_encrypt(), IDEA_set_decrypt_key(), IDEA_set_encrypt_key(),
IDEA_cbc_encrypt(), IDEA_cfb64_encrypt(), IDEA_ecb_encrypt(),
See L</Deprecated low-level encryption functions>.
IDEA has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
IDEA_options()
There is no replacement. This function returned a constant string.
-=item -
+=item *
MD2(), MD2_Init(), MD2_Update(), MD2_Final()
See L</Deprecated low-level encryption functions>.
MD2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MD2_options()
There is no replacement. This function returned a constant string.
-=item -
+=item *
MD4(), MD4_Init(), MD4_Update(), MD4_Final(), MD4_Transform()
See L</Deprecated low-level encryption functions>.
MD4 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MDC2(), MDC2_Init(), MDC2_Update(), MDC2_Final()
See L</Deprecated low-level encryption functions>.
MDC2 has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
MD5(), MD5_Init(), MD5_Update(), MD5_Final(), MD5_Transform()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
NCONF_WIN32()
This undocumented function has no replacement.
See L<config(5)/HISTORY> for more details.
-=item -
+=item *
OCSP_parse_url()
Use L<OSSL_HTTP_parse_url(3)> instead.
-=item -
+=item *
B<OCSP_REQ_CTX> type and B<OCSP_REQ_CTX_*()> functions
with B<OSSL_HTTP_REQ_CTX_*()>. See L<OSSL_HTTP_REQ_CTX(3)> for additional
details.
-=item -
+=item *
OPENSSL_fork_child(), OPENSSL_fork_parent(), OPENSSL_fork_prepare()
There is no replacement for these functions. These pthread fork support methods
were unused by OpenSSL.
-=item -
+=item *
OSSL_STORE_ctrl(), OSSL_STORE_do_all_loaders(), OSSL_STORE_LOADER_get0_engine(),
OSSL_STORE_LOADER_get0_scheme(), OSSL_STORE_LOADER_new(),
schemes they supported. These are all deprecated and discouraged in favour of
provider implementations, see L<provider-storemgmt(7)>.
-=item -
+=item *
PEM_read_DHparams(), PEM_read_bio_DHparams(),
PEM_read_DSAparams(), PEM_read_bio_DSAparams(),
See L</Deprecated low-level key reading and writing functions>
-=item -
+=item *
PKCS1_MGF1()
See L</Deprecated low-level encryption functions>.
-=item -
+=item *
RAND_get_rand_method(), RAND_set_rand_method(), RAND_OpenSSL(),
RAND_set_rand_engine()
L<EVP_RAND(3)> and L<EVP_RAND(7)>.
See L<RAND_set_rand_method(3)> for more details.
-=item -
+=item *
RC2_encrypt(), RC2_decrypt(), RC2_set_key(), RC2_cbc_encrypt(), RC2_cfb64_encrypt(),
RC2_ecb_encrypt(), RC2_ofb64_encrypt(),
See L</Deprecated low-level encryption functions>.
The Algorithms "RC2", "RC4" and "RC5" have been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
RIPEMD160(), RIPEMD160_Init(), RIPEMD160_Update(), RIPEMD160_Final(),
RIPEMD160_Transform()
See L</Deprecated low-level digest functions>.
The RIPE algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
RSA_bits(), RSA_security_bits(), RSA_size()
Use L<EVP_PKEY_get_bits(3)>, L<EVP_PKEY_get_security_bits(3)> and
L<EVP_PKEY_get_size(3)>.
-=item -
+=item *
RSA_check_key(), RSA_check_key_ex()
See L</Deprecated low-level validation functions>
-=item -
+=item *
RSA_clear_flags(), RSA_flags(), RSA_set_flags(), RSA_test_flags(),
RSA_setup_blinding(), RSA_blinding_off(), RSA_blinding_on()
B<RSA_FLAG_EXT_PKEY>, B<RSA_FLAG_NO_BLINDING>, B<RSA_FLAG_THREAD_SAFE>
B<RSA_METHOD_FLAG_NO_CHECK>
-=item -
+=item *
RSA_generate_key_ex(), RSA_generate_multi_prime_key()
See L</Deprecated low-level key generation functions>.
-=item -
+=item *
RSA_get0_engine()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
RSA_get0_crt_params(), RSA_get0_d(), RSA_get0_dmp1(), RSA_get0_dmq1(),
RSA_get0_e(), RSA_get0_factors(), RSA_get0_iqmp(), RSA_get0_key(),
See L</Deprecated low-level key parameter getters>
-=item -
+=item *
RSA_new(), RSA_free(), RSA_up_ref()
See L</Deprecated low-level object creation>.
-=item -
+=item *
RSA_get_default_method(), RSA_get_ex_data and RSA_get_method()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
RSA_get_version()
There is no replacement.
-=item -
+=item *
B<RSA_meth_*()>, RSA_new_method(), RSA_null_method and RSA_PKCS1_OpenSSL()
See L</Providers are a replacement for engines and low-level method overrides>.
-=item -
+=item *
B<RSA_padding_add_*()>, B<RSA_padding_check_*()>
See L</Deprecated low-level signing functions> and
L</Deprecated low-level encryption functions>.
-=item -
+=item *
RSA_print(), RSA_print_fp()
See L</Deprecated low-level key printing functions>
-=item -
+=item *
RSA_public_encrypt(), RSA_private_decrypt()
See L</Deprecated low-level encryption functions>
-=item -
+=item *
RSA_private_encrypt(), RSA_public_decrypt()
This is equivalent to doing sign and verify recover operations (with a padding
mode of none). See L</Deprecated low-level signing functions>.
-=item -
+=item *
RSAPrivateKey_dup(), RSAPublicKey_dup()
There is no direct replacement. Applications may use L<EVP_PKEY_dup(3)>.
-=item -
+=item *
RSAPublicKey_it(), RSAPrivateKey_it()
See L</Deprecated low-level key reading and writing functions>
-=item -
+=item *
RSA_set0_crt_params(), RSA_set0_factors(), RSA_set0_key(),
RSA_set0_multi_prime_params()
See L</Deprecated low-level key parameter setters>.
-=item -
+=item *
RSA_set_default_method(), RSA_set_method(), RSA_set_ex_data()
See L</Providers are a replacement for engines and low-level method overrides>
-=item -
+=item *
RSA_sign(), RSA_sign_ASN1_OCTET_STRING(), RSA_verify(),
RSA_verify_ASN1_OCTET_STRING(), RSA_verify_PKCS1_PSS(),
See L</Deprecated low-level signing functions>.
-=item -
+=item *
RSA_X931_derive_ex(), RSA_X931_generate_key_ex(), RSA_X931_hash_id()
X931 padding can be set using L<EVP_SIGNATURE-RSA(7)/Signature Parameters>.
See B<OSSL_SIGNATURE_PARAM_PAD_MODE>.
-=item -
+=item *
SEED_encrypt(), SEED_decrypt(), SEED_set_key(), SEED_cbc_encrypt(),
SEED_cfb128_encrypt(), SEED_ecb_encrypt(), SEED_ofb128_encrypt()
See L</Deprecated low-level encryption functions>.
The SEED algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
SHA1_Init(), SHA1_Update(), SHA1_Final(), SHA1_Transform(),
SHA224_Init(), SHA224_Update(), SHA224_Final(),
See L</Deprecated low-level digest functions>.
-=item -
+=item *
SRP_Calc_A(), SRP_Calc_B(), SRP_Calc_client_key(), SRP_Calc_server_key(),
SRP_Calc_u(), SRP_Calc_x(), SRP_check_known_gN_param(), SRP_create_verifier(),
There are no replacements for the SRP functions.
-=item -
+=item *
SSL_CTX_set_tmp_dh_callback(), SSL_set_tmp_dh_callback(),
SSL_CTX_set_tmp_dh(), SSL_set_tmp_dh()
longer supported by OpenSSL. Use of the callback functions should be replaced
by one of the other methods described above.
-=item -
+=item *
SSL_CTX_set_tlsext_ticket_key_cb()
Use the new L<SSL_CTX_set_tlsext_ticket_key_evp_cb(3)> function instead.
-=item -
+=item *
WHIRLPOOL(), WHIRLPOOL_Init(), WHIRLPOOL_Update(), WHIRLPOOL_Final(),
WHIRLPOOL_BitUpdate()
See L</Deprecated low-level digest functions>.
The Whirlpool algorithm has been moved to the L<Legacy Provider|/Legacy Algorithms>.
-=item -
+=item *
X509_certificate_type()
This was an undocumented function. Applications can use L<X509_get0_pubkey(3)>
and L<X509_get0_signature(3)> instead.
-=item -
+=item *
X509_http_nbio(), X509_CRL_http_nbio()
=over 4
-=item -
+=item *
TLS 1.3 FFDHE key exchange support added
This uses DH safe prime named groups.
-=item -
+=item *
Support for fully "pluggable" TLSv1.3 groups.
either the "key exchange" or the "key encapsulation" methods) which will
automatically be detected and used by libssl.
-=item -
+=item *
SSL and SSL_CTX options are now 64 bit instead of 32 bit.
See L<SSL_CTX_get_options(3)>, L<SSL_CTX_set_options(3)>,
L<SSL_get_options(3)> and L<SSL_set_options(3)>.
-=item -
+=item *
SSL_set1_host() and SSL_add1_host() Changes
These functions now take IP literal addresses as well as actual hostnames.
-=item -
+=item *
Added SSL option SSL_OP_CLEANSE_PLAINTEXT
the application is still responsible for cleansing other copies
(e.g.: data received by L<SSL_read(3)>).
-=item -
+=item *
Client-initiated renegotiation is disabled by default.
the B<SSL_OP_ALLOW_CLIENT_RENEGOTIATION> flag, or the C<ClientRenegotiation>
config parameter as appropriate.
-=item -
+=item *
Secure renegotiation is now required by default for TLS connections
SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
is no longer set as part of SSL_OP_ALL.
-=item -
+=item *
Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
using third party provider groups may result in handshake failures. TLSv1.3
can be disabled at compile time using the "no-tls1_3" Configure option.
-=item -
+=item *
SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() changes.
The methods now ignore unknown ciphers.
-=item -
+=item *
Security callback change.
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
-=item -
+=item *
New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
is set, an unexpected EOF is ignored, it pretends a close notify was received
instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
-=item -
+=item *
The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
OpenSSL will fallback to a default set of signature algorithms. This default
set requires the availability of SHA1.
-=item -
+=item *
X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.