X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=CHANGES;h=fe98cddc6910c7955253fdc05622e8541a7eec1f;hb=6727565a84ce174df591317218e1c5934357f732;hp=cf7c58ce50eebbcd876f9a5642aa3f69ed3145ba;hpb=31db43df0859210a32af3708df08f0149c46ede0;p=openssl.git

diff --git a/CHANGES b/CHANGES
index cf7c58ce50..fe98cddc69 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,27 @@
 
  Changes between 0.9.8k and 1.0  [xx XXX xxxx]
 
+  *) Delete MD2 from algorithm tables. This follows the recommendation in 
+     several standards that it is not used in new applications due to
+     several cryptographic weaknesses. The algorithm is also disabled in
+     the default configuration.
+     [Steve Henson]
+
+  *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
+     indicate the initial BIO being pushed or popped. This makes it possible
+     to determine whether the BIO is the one explicitly called or as a result
+     of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
+     it handles reference counts correctly and doesn't zero out the I/O bio
+     when it is not being explicitly popped. WARNING: applications which
+     included workarounds for the old buggy behaviour will need to be modified
+     or they could free up already freed BIOs.
+     [Steve Henson]
+
+  *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
+     OPENSSL_asc2uni the original names were too generic and cause name
+     clashes on Netware.
+     [Guenter <lists@gknw.net>]
+
   *) Add ECDHE and PSK support to DTLS.
      [Michael Tuexen <tuexen@fh-muenster.de>]
 
@@ -793,9 +814,29 @@
 
  Changes between 0.9.8k and 0.9.8l  [xx XXX xxxx]
 
-  *) Don't check self signed certificate signatures in X509_verify_cert():
-     it just wastes time without adding any security. As a useful side effect
-     self signed root CAs with non-FIPS digests are now usable in FIPS mode.
+  *) Add support for --libdir option and LIBDIR variable in makefiles. This
+     makes it possible to install openssl libraries in locations which 
+     have names other than "lib", for example "/usr/lib64" which some
+     systems need.
+     [Steve Henson, based on patch from Jeremy Utley]
+
+  *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
+     X690 8.9.12 and can produce some misleading textual output of OIDs.
+     [Steve Henson, reported by Dan Kaminsky]
+
+  *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
+     and restored.
+     [Steve Henson]
+
+  *) Fix the server certificate chain building code to use X509_verify_cert(),
+     it used to have an ad-hoc builder which was unable to cope with anything
+     other than a simple chain.
+     [David Woodhouse <dwmw2@infradead.org>, Steve Henson]
+
+  *) Don't check self signed certificate signatures in X509_verify_cert()
+     by default (a flag can override this): it just wastes time without
+     adding any security. As a useful side effect self signed root CAs
+     with non-FIPS digests are now usable in FIPS mode.
      [Steve Henson]
 
   *) In dtls1_process_out_of_seq_message() the check if the current message