OpenSSL Releases
----------------
+ - [OpenSSL 3.4](#openssl-34)
- [OpenSSL 3.3](#openssl-33)
- [OpenSSL 3.2](#openssl-32)
- [OpenSSL 3.1](#openssl-31)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
+OpenSSL 3.4
+-----------
+
+### Changes between 3.3 and 3.4 [xx XXX xxxx]
+
+ * Added options `-not_before` and `-not_after` for explicit setting
+ start and end dates of certificates created with the `req` and `x509`
+ apps. Added the same options also to `ca` app as alias for
+ `-startdate` and `-enddate` options.
+
+ *Stephan Wurm*
+
+ * The X25519 and X448 key exchange implementation in the FIPS provider
+ is unapproved and has `fips=no` property.
+
+ *Tomáš Mráz*
+
+ * SHAKE-128 and SHAKE-256 implementations have no default digest length
+ anymore. That means these algorithms cannot be used with
+ EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
+
+ This change was necessary because the preexisting default lengths were
+ half the size necessary for full collision resistance supported by these
+ algorithms.
+
+ *Tomáš Mráz*
+
+ * Setting `config_diagnostics=1` in the config file will cause errors to
+ be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
+ in the ssl module configuration.
+
+ *Tomáš Mráz*
+
+ * Use an empty renegotiate extension in TLS client hellos instead of
+ the empty renegotiation SCSV, for all connections with a minimum TLS
+ version > 1.0.
+
+ *Tim Perry*
+
+ * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
+ TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added support for requesting CRL in CMP.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added Attribute Certificate (RFC 5755) support. Attribute
+ Certificates can be created, parsed, modified and printed via the
+ public API. There is no command-line tool support at this time.
+
+ *Damian Hobson-Garcia*
+
+ * Added support to build Position Independent Executables (PIE). Configuration
+ option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
+ support Address Space Layout Randomization (ASLR) in the openssl executable,
+ removes reliance on external toolchain configurations.
+
+ *Craig Lorentzen*
+
OpenSSL 3.3
-----------
-### Changes between 3.2 and 3.3 [xx XXX xxxx]
+### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
+### Changes between 3.2 and 3.3.0 [9 Apr 2024]
+
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+ the program exit with 1 on failure.
+
+ *Vladimír Kotal*
+
+ * The BIO_get_new_index() function can only be called 127 times before it
+ reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
+ error of -1 once it is exhausted. Users may need to reserve using this
+ function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE
+ or BIO_get_new_index() can be used to supply a type to BIO_meth_new().
+
+ *Shane Lontis*
+
+ * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
+ using time_t which is Y2038 safe on 32 bit systems when 64 bit time
+ is enabled (e.g via setting glibc macro _TIME_BITS=64).
+
+ *Ijtaba Hussain*
+
+ * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
+ related functions have been augmented to check for a minimum length of
+ the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+
+ *Job Snijders*
+
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ Similarly unknown entries that start with `?` character in a TLS
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
+ and the configuration will still be used.
+
+ In both cases if the resulting list is empty, an error is returned.
+
+ *Tomáš Mráz*
* The EVP_PKEY_fromdata function has been augmented to allow for the derivation
of CRT (Chinese Remainder Theorem) parameters when requested. See the
- OSSL_PKEY_PARAM_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
+ OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
*Neil Horman*
*Hugo Landau*
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This is turned off on NonStop
+ configurations because of loader differences on that platform compared to
+ Linux.
+
+ *Randall S. Becker*
+
+ * Support for qlog for tracing QUIC connections has been added.
+
+ The qlog output from OpenSSL currently uses a pre-standard draft version of
+ qlog. The output from OpenSSL will change in incompatible ways in future
+ releases, and is not subject to any format stability or compatibility
+ guarantees at this time. This functionality can be
+ disabled with the build-time option `no-unstable-qlog`. See the
+ openssl-qlog(7) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+
+ *Hugo Landau*
+
+ * Added APIs to allow disabling implicit QUIC event processing for
+ QUIC SSL objects, allowing applications to control when event handling
+ occurs. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner. Refer to the SSL_poll(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow querying the size and utilisation of a QUIC stream's
+ write buffer. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * New limit on HTTP response headers is introduced to HTTP client. The
+ default limit is set to 256 header lines. If limit is exceeded the
+ response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES.
+ Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
+ to change the default. Setting the value to 0 disables the limit.
+
+ *Alexandr Nedvedicky*
+
+ * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
+
+ *Tom Cosgrove*
+
+ * Added X509_STORE_get1_objects to avoid issues with the existing
+ X509_STORE_get0_objects API in multi-threaded applications. Refer to the
+ documentation for details.
+
+ *David Benjamin*
+
+ * Added assembly implementation for md5 on loongarch64
+
+ *Min Zhou*
+
+ * Optimized AES-CTR for ARM Neoverse V1 and V2
+
+ *Fisher Yu*
+
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
+ similar to M1/M2.
+
+ *Tom Cosgrove*
+
+ * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+
+ *Shane Lontis, Holger Dengler*
+
+ * Various optimizations for cryptographic routines using RISC-V vector crypto
+ extensions
+
+ *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
+ Jerry Shih*
+
+ * Accept longer context for TLS 1.2 exporters
+
+ While RFC 5705 implies that the maximum length of a context for exporters is
+ 65535 bytes as the length is embedded in uint16, the previous implementation
+ enforced a much smaller limit, which is less than 1024 bytes. This
+ restriction has been removed.
+
+ *Daiki Ueno*
+
OpenSSL 3.2
-----------
-### Changes between 3.2.0 and 3.2.1 [xx XXX xxxx]
+### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
+
+ * Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+ exploit certain server configurations to trigger unbounded memory growth that
+ would lead to a Denial of Service
+
+ This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+ is being used (but not if early_data is also configured and the default
+ anti-replay protection is in use). In this case, under certain conditions,
+ the session cache can get into an incorrect state and it will fail to flush
+ properly as it fills. The session cache will continue to grow in an unbounded
+ manner. A malicious client could deliberately create the scenario for this
+ failure to force a Denial of Service. It may also happen by accident in
+ normal operation.
+
+ ([CVE-2024-2511])
+
+ *Matt Caswell*
+
+ * Fixed bug where SSL_export_keying_material() could not be used with QUIC
+ connections. (#23560)
+
+ *Hugo Landau*
+
+### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
*Rohan McLure*
+ * Disable building QUIC server utility when OpenSSL is configured with
+ `no-apps`.
+
+ *Vitalii Koshura*
+
+### Changes between 3.1 and 3.2.0 [23 Nov 2023]
+
* Fix excessive time spent in DH check / generation with large Q parameter
value.
*Richard Levitte*
- * Disable building QUIC server utility when OpenSSL is configured with
- `no-apps`.
-
- *Vitalii Koshura*
-
-### Changes between 3.1 and 3.2.0 [23 Nov 2023]
-
* The BLAKE2b hash algorithm supports a configurable output length
by setting the "size" parameter.
*Paul Dale*
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
- by default.
+ by default. Also spaces surrounding `=` in DN output are removed.
*Dmitry Belyavskiy*
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129