OpenSSL 3.0
-----------
-### Changes between 1.1.1 and 3.0 alpha 3 [4 Jun 2020]
+### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+
+ * Added a library context that applications as well as other
+ libraries can use to form a separate context within which libcrypto
+ operations are performed.
+
+ There are two ways this can be used:
+
+ - Directly, by passing a library context to functions that take
+ such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
+ fetching functions.
+ - Indirectly, by creating a new library context and then assigning
+ it as the new default, with `OPENSSL_CTX_set0_default`.
+
+ All public OpenSSL functions that take an `OPENSSL_CTX` pointer,
+ apart from the functions directly related to `OPENSSL_CTX`, accept
+ NULL to indicate that the default library context should be used.
+
+ Library code that changes the default library context using
+ `OPENSSL_CTX_set0_default` should take care to restore it with a
+ second call before returning to the caller.
+
+ *Richard Levitte*
+
+ * Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+
+ *Tomas Mraz*
+
+ * Dropped interactive mode from the 'openssl' program. From now on,
+ the `openssl` command without arguments is equivalent to `openssl
+ help`.
+
+ *Richard Levitte*
+
+ * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and
+ EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq().
+ While the old function names have been retained for backward compatibility
+ they should not be used in new developments
+ because their return values are confusing: Unlike other `_cmp()` functions
+ they do not return 0 in case their arguments are equal.
+
+ *David von Oheimb*
* Deprecated EC_METHOD_get_field_type(). Applications should switch to
EC_GROUP_get_field_type().
*Paul Dale*
+ * The security strength of SHA1 and MD5 based signatures in TLS has been
+ reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
+ working at the default security level of 1 and instead requires security
+ level 0. The security level can be changed either using the cipher string
+ with @SECLEVEL, or calling SSL_CTX_set_security_level().
+
+ *Kurt Roeckx*
+
* EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
internal keys, if they correspond to one of those built in types.
*David von Oheimb*
+ * BIO_do_connect and BIO_do_handshake have been extended:
+ If domain name resolution yields multiple IP addresses all of them are tried
+ after connect() failures.
+
+ *David von Oheimb*
+
* All of the low level RSA functions have been deprecated including:
RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
and HMAC_CTX_get_md.
Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ time. Instead applications should use L<EVP_MAC_new_ctx(3)>,
+ L<EVP_MAC_free_ctx(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ time. Instead applications should use L<EVP_MAC_new_ctx(3)>,
+ L<EVP_MAC_free_ctx(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
projects / openssl.git / blobdiff