----------------
- [OpenSSL 3.2](#openssl-32)
+ - [OpenSSL 3.1](#openssl-31)
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.1.1](#openssl-111)
- [OpenSSL 1.1.0](#openssl-110)
OpenSSL 3.2
-----------
-### Changes between 3.0 and 3.2 [xx XXX xxxx]
+### Changes between 3.1 and 3.2 [xx XXX xxxx]
+
+ * TLS round-trip time calculation was added by a Brigham Young University
+ Capstone team partnering with Sandia National Laboratories. A new function
+ in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
+ value.
+
+ *Jairus Christensen*
+
+ * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
+ QUIC requires the use of ALPN, so this must be specified via the "-alpn"
+ option. Use of the "advanced" s_client command command via the "-adv" option
+ is recommended.
+
+ *Matt Caswell*
+
+ * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
+ The previous fix for this timing side channel turned out to cause
+ a severe 2-3x performance regression in the typical use case
+ compared to 3.0.7. The new fix uses existing constant time
+ code paths, and restores the previous performance level while
+ fully eliminating all existing timing side channels.
+ The fix was developed by Bernd Edlinger with testing support
+ by Hubert Kario.
+
+ *Bernd Edlinger*
+
+ * Added an "advanced" command mode to s_client. Use this with the "-adv"
+ option. The old "basic" command mode recognises certain letters that must
+ always appear at the start of a line and cannot be escaped. The advanced
+ command mode enables commands to be entered anywhere and there is an
+ escaping mechanism. After starting s_client with "-adv" type "{help}"
+ to show a list of available commands.
+
+ *Matt Caswell*
+
+ * Add Raw Public Key (RFC7250) support. Authentication is supported
+ by matching keys against either local policy (TLSA records synthesised
+ from the expected keys) or DANE (TLSA records obtained by the
+ application from DNS). TLSA records will also match the same key in
+ the server certificate, should RPK use not happen to be negotiated.
+
+ *Todd Short*
+
+ * Added EC_GROUP_to_params which creates an OSSL_PARAM array
+ from a given EC_GROUP.
+
+ *Oliver Mihatsch*
+
+ * Added support for pluggable (provider-based) TLS signature algorithms.
+ This enables TLS 1.3 authentication operations with algorithms embedded
+ in providers not included by default in OpenSSL. In combination with
+ the already available pluggable KEM and X.509 support, this enables
+ for example suitable providers to deliver post-quantum or quantum-safe
+ cryptography to OpenSSL users.
+
+ *Michael Baentsch*
+
+ * Added support for Hybrid Public Key Encryption (HPKE) as defined
+ in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH),
+ Message Layer Security (MLS) and other IETF specifications.
+ HPKE can also be used by other applications that require
+ encrypting "to" an ECDH public key. External APIs are defined in
+ include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod
+
+ *Stephen Farrell*
+
+ * Add support for certificate compression (RFC8879), including
+ library support for Brotli and Zstandard compression.
+
+ *Todd Short*
* Add the ability to add custom attributes to PKCS12 files. Add a new API
PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
*Darshan Sen*
- * RNDR and RNDRRS support in provider functions to provide
- random number generation for Arm CPUs (aarch64).
-
- *Orr Toledano*
-
- * s_client and s_server apps now explicitly say when the TLS version
- does not include the renegotiation mechanism. This avoids confusion
- between that scenario versus when the TLS version includes secure
- renegotiation but the peer lacks support for it.
-
- *Felipe Gasper*
-
- * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
-
- *Tomasz Kantecki, Andrey Matyukov*
-
* The default SSL/TLS security level has been changed from 1 to 2. RSA,
DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
of 160 bits and above and less than 224 bits were previously accepted by
will need to load the legacy crypto provider.
*Paul Dale*
-
- * The various OBJ_* functions have been made thread safe.
-
- *Paul Dale*
-
* CCM8 cipher suites in TLS have been downgraded to security level zero
because they use a short authentication tag which lowers their strength.
*Dmitry Belyavskiy*
- * Parallel dual-prime 1536/2048-bit modular exponentiation for
- AVX512_IFMA capable processors.
-
- *Sergey Kirillov, Andrey Matyukov (Intel Corp)*
-
- * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
- `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
- `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
- marked deprecated from OpenSSL 3.2 onwards and can be disabled by defining
- `OPENSSL_NO_DEPRECATED_3_2`.
-
- The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
- `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
- definitions for these functions regardless of whether
- `OPENSSL_NO_DEPRECATED_3_2` is defined.
-
- Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
- functions regardless of whether they are using them. It is recommended that
- users transition to the new macro, `DEFINE_LHASH_OF_EX`.
+ * Add X.509 certificate codeSigning purpose and related checks on key usage and
+ extended key usage of the leaf certificate according to the CA/Browser Forum.
- *Hugo Landau*
+ * Lutz Jänicke*
- * When generating safe-prime DH parameters set the recommended private key
- length equivalent to minimum key lengths as in RFC 7919.
+ * The `x509`, `ca`, and `req` apps now produce X.509 v3 certificates.
+ The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
+ `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
+ X.509 version 3 if the certificate information includes X.509 extensions.
- *Tomáš Mráz*
+ *David von Oheimb*
* Fix and extend certificate handling and the apps `x509`, `verify` etc.
such as adding a trace facility for debugging certificate chain building.
*David von Oheimb*
+ * `CMS_add0_cert()` and `CMS_add1_cert()` no more throw an error
+ if a certificate to be added is already present.
+ * `CMS_sign_ex()` and `CMS_sign()` now ignore any duplicate certificates
+ in their `certs` argument and no longer throw an error for them.
+
+ *David von Oheimb*
+
* Fixed and extended `util/check-format.pl` for checking adherence to the
coding style <https://www.openssl.org/policies/technical/coding-style.html>.
The checks are meanwhile more complete and yield fewer false positives.
*Hugo Landau*
+ * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
+ kernel versions that support KTLS have a known bug in CCM processing. That
+ has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
+ and all releases since 5.16. KTLS with CCM ciphersuites should be only used
+ on these releases.
+
+ *Tianjia Zhang*
+
+ * Zerocopy KTLS sendfile() support on Linux.
+
+ *Maxim Mikityanskiy*
+
+ * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
+ decryption as a protection against Bleichenbacher-like attacks.
+ The RSA decryption API will now return a randomly generated deterministic
+ message instead of an error in case it detects an error when checking
+ padding during PKCS#1 v1.5 decryption. This is a general protection against
+ issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
+ disabled by calling
+ `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")`
+ on the RSA decryption context.
+
+ *Hubert Kario*
+
+ * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
+ basic thread pool implementation for select platforms.
+
+ *Čestmír Kalina*
+
+OpenSSL 3.1
+-----------
+
+### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
+
+ * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
+
+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
+ numeric text form. For gigantic sub-identifiers, this would take a very
+ long time, the time complexity being O(n^2) where n is the size of that
+ sub-identifier. ([CVE-2023-2650])
+
+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
+ IDENTIFIER to canonical numeric text form if the size of that OBJECT
+ IDENTIFIER is 586 bytes or less, and fail otherwise.
+
+ The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
+ most 128 sub-identifiers, and that the maximum value that each sub-
+ identifier may have is 2^32-1 (4294967295 decimal).
+
+ For each byte of every sub-identifier, only the 7 lower bits are part of
+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586
+ bytes.
+
+ *Richard Levitte*
+
+ * Multiple algorithm implementation fixes for ARM BE platforms.
+
+ *Liu-ErMeng*
+
+ * Added a -pedantic option to fipsinstall that adjusts the various
+ settings to ensure strict FIPS compliance rather than backwards
+ compatibility.
+
+ *Paul Dale*
+
+ * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
+ happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
+ trigger a crash of an application using AES-XTS decryption if the memory
+ just after the buffer being decrypted is not mapped.
+ Thanks to Anton Romanov (Amazon) for discovering the issue.
+ ([CVE-2023-1255])
+
+ *Nevine Ebeid*
+
+ * Add FIPS provider configuration option to disallow the use of
+ truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
+ The option '-no_drbg_truncated_digests' can optionally be
+ supplied to 'openssl fipsinstall'.
+
+ *Paul Dale*
+
+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+ that it does not enable policy checking. Thanks to David Benjamin for
+ discovering this issue.
+ ([CVE-2023-0466])
+
+ *Tomáš Mráz*
+
+ * Fixed an issue where invalid certificate policies in leaf certificates are
+ silently ignored by OpenSSL and other certificate policy checks are skipped
+ for that certificate. A malicious CA could use this to deliberately assert
+ invalid certificate policies in order to circumvent policy checking on the
+ certificate altogether.
+ ([CVE-2023-0465])
+
+ *Matt Caswell*
+
+ * Limited the number of nodes created in a policy tree to mitigate
+ against CVE-2023-0464. The default limit is set to 1000 nodes, which
+ should be sufficient for most installations. If required, the limit
+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+ time define to a desired maximum number of nodes or zero to allow
+ unlimited growth.
+ ([CVE-2023-0464])
+
+ *Paul Dale*
+
+### Changes between 3.0 and 3.1.0 [14 Mar 2023]
+
+ * Add FIPS provider configuration option to enforce the
+ Extended Master Secret (EMS) check during the TLS1_PRF KDF.
+ The option '-ems-check' can optionally be supplied to
+ 'openssl fipsinstall'.
+
+ *Shane Lontis*
+
+ * The FIPS provider includes a few non-approved algorithms for
+ backward compatibility purposes and the "fips=yes" property query
+ must be used for all algorithm fetches to ensure FIPS compliance.
+
+ The algorithms that are included but not approved are Triple DES ECB,
+ Triple DES CBC and EdDSA.
+
+ *Paul Dale*
+
+ * Added support for KMAC in KBKDF.
+
+ *Shane Lontis*
+
+ * RNDR and RNDRRS support in provider functions to provide
+ random number generation for Arm CPUs (aarch64).
+
+ *Orr Toledano*
+
+ * s_client and s_server apps now explicitly say when the TLS version
+ does not include the renegotiation mechanism. This avoids confusion
+ between that scenario versus when the TLS version includes secure
+ renegotiation but the peer lacks support for it.
+
+ *Felipe Gasper*
+
+ * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
+
+ *Tomasz Kantecki, Andrey Matyukov*
+
+ * The various OBJ_* functions have been made thread safe.
+
+ *Paul Dale*
+
+ * Parallel dual-prime 1536/2048-bit modular exponentiation for
+ AVX512_IFMA capable processors.
+
+ *Sergey Kirillov, Andrey Matyukov (Intel Corp)*
+
+ * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
+ `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
+ `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
+ marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
+ `OPENSSL_NO_DEPRECATED_3_1`.
+
+ The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
+ `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
+ definitions for these functions regardless of whether
+ `OPENSSL_NO_DEPRECATED_3_1` is defined.
+
+ Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
+ functions regardless of whether they are using them. It is recommended that
+ users transition to the new macro, `DEFINE_LHASH_OF_EX`.
+
+ *Hugo Landau*
+
+ * When generating safe-prime DH parameters set the recommended private key
+ length equivalent to minimum key lengths as in RFC 7919.
+
+ *Tomáš Mráz*
+
+ * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
+ maximum size that is smaller or equal to the digest length to comply with
+ FIPS 186-4 section 5. This is implemented by a new option
+ `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
+ `rsa_pss_saltlen` parameter, which is now the default. Signature
+ verification is not affected by this change and continues to work as before.
+
+ *Clemens Lang*
+
OpenSSL 3.0
-----------
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
+
+ * Fixed NULL dereference during PKCS7 data verification.
+
+ A NULL pointer can be dereferenced when signatures are being
+ verified on PKCS7 signed or signedAndEnveloped data. In case the hash
+ algorithm used for the signature is known to the OpenSSL library but
+ the implementation of the hash algorithm is not available the digest
+ initialization will fail. There is a missing check for the return
+ value from the initialization function which later leads to invalid
+ usage of the digest API most likely leading to a crash.
+ ([CVE-2023-0401])
+
+ PKCS7 data is processed by the SMIME library calls and also by the
+ time stamp (TS) library calls. The TLS implementation in OpenSSL does
+ not call these functions however third party applications would be
+ affected if they call these functions to verify signatures on untrusted
+ data.
+
+ *Tomáš Mráz*
+
+ * Fixed X.400 address type confusion in X.509 GeneralName.
+
+ There is a type confusion vulnerability relating to X.400 address processing
+ inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+ but the public structure definition for GENERAL_NAME incorrectly specified
+ the type of the x400Address field as ASN1_TYPE. This field is subsequently
+ interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
+ than an ASN1_STRING.
+
+ When CRL checking is enabled (i.e. the application sets the
+ X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
+ pass arbitrary pointers to a memcmp call, enabling them to read memory
+ contents or enact a denial of service.
+ ([CVE-2023-0286])
+
+ *Hugo Landau*
+
+ * Fixed NULL dereference validating DSA public key.
+
+ An invalid pointer dereference on read can be triggered when an
+ application tries to check a malformed DSA public key by the
+ EVP_PKEY_public_check() function. This will most likely lead
+ to an application crash. This function can be called on public
+ keys supplied from untrusted sources which could allow an attacker
+ to cause a denial of service attack.
+
+ The TLS implementation in OpenSSL does not call this function
+ but applications might call the function if there are additional
+ security requirements imposed by standards such as FIPS 140-3.
+ ([CVE-2023-0217])
+
+ *Shane Lontis, Tomáš Mráz*
+
+ * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
+
+ An invalid pointer dereference on read can be triggered when an
+ application tries to load malformed PKCS7 data with the
+ d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
+
+ The result of the dereference is an application crash which could
+ lead to a denial of service attack. The TLS implementation in OpenSSL
+ does not call this function however third party applications might
+ call these functions on untrusted data.
+ ([CVE-2023-0216])
+
+ *Tomáš Mráz*
+
+ * Fixed Use-after-free following BIO_new_NDEF.
+
+ The public API function BIO_new_NDEF is a helper function used for
+ streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
+ to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
+ be called directly by end user applications.
+
+ The function receives a BIO from the caller, prepends a new BIO_f_asn1
+ filter BIO onto the front of it to form a BIO chain, and then returns
+ the new head of the BIO chain to the caller. Under certain conditions,
+ for example if a CMS recipient public key is invalid, the new filter BIO
+ is freed and the function returns a NULL result indicating a failure.
+ However, in this case, the BIO chain is not properly cleaned up and the
+ BIO passed by the caller still retains internal pointers to the previously
+ freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
+ then a use-after-free will occur. This will most likely result in a crash.
+ ([CVE-2023-0215])
+
+ *Viktor Dukhovni, Matt Caswell*
+
+ * Fixed Double free after calling PEM_read_bio_ex.
+
+ The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+ decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+ data. If the function succeeds then the "name_out", "header" and "data"
+ arguments are populated with pointers to buffers containing the relevant
+ decoded data. The caller is responsible for freeing those buffers. It is
+ possible to construct a PEM file that results in 0 bytes of payload data.
+ In this case PEM_read_bio_ex() will return a failure code but will populate
+ the header argument with a pointer to a buffer that has already been freed.
+ If the caller also frees this buffer then a double free will occur. This
+ will most likely lead to a crash.
+
+ The functions PEM_read_bio() and PEM_read() are simple wrappers around
+ PEM_read_bio_ex() and therefore these functions are also directly affected.
+
+ These functions are also called indirectly by a number of other OpenSSL
+ functions including PEM_X509_INFO_read_bio_ex() and
+ SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
+ internal uses of these functions are not vulnerable because the caller does
+ not free the header argument if PEM_read_bio_ex() returns a failure code.
+ ([CVE-2022-4450])
+
+ *Kurt Roeckx, Matt Caswell*
+
+ * Fixed Timing Oracle in RSA Decryption.
+
+ A timing based side channel exists in the OpenSSL RSA Decryption
+ implementation which could be sufficient to recover a plaintext across
+ a network in a Bleichenbacher style attack. To achieve a successful
+ decryption an attacker would have to be able to send a very large number
+ of trial messages for decryption. The vulnerability affects all RSA padding
+ modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
+ ([CVE-2022-4304])
+
+ *Dmitry Belyavsky, Hubert Kario*
+
+ * Fixed X.509 Name Constraints Read Buffer Overflow.
+
+ A read buffer overrun can be triggered in X.509 certificate verification,
+ specifically in name constraint checking. The read buffer overrun might
+ result in a crash which could lead to a denial of service attack.
+ In a TLS client, this can be triggered by connecting to a malicious
+ server. In a TLS server, this can be triggered if the server requests
+ client authentication and a malicious client connects.
+ ([CVE-2022-4203])
+
+ *Viktor Dukhovni*
+
+ * Fixed X.509 Policy Constraints Double Locking security issue.
+
+ If an X.509 certificate contains a malformed policy constraint and
+ policy processing is enabled, then a write lock will be taken twice
+ recursively. On some operating systems (most widely: Windows) this
+ results in a denial of service when the affected process hangs. Policy
+ processing being enabled on a publicly facing server is not considered
+ to be a common setup.
+ ([CVE-2022-3996])
+
+ *Paul Dale*
+
+ * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
+ `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
+ `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
+ default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
+ `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
+ `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
+ For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
+ for legacy EC and SM2 keys is also changed similarly to honor the
+ equivalent conversion format flag as specified in the underlying
+ `EC_KEY` object being exported to a provider, when this function is
+ called through `EVP_PKEY_export()`.
+
+ *Nicola Tuveri*
+
+### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
+
+ * Fixed two buffer overflows in punycode decoding functions.
+
+ A buffer overrun can be triggered in X.509 certificate verification,
+ specifically in name constraint checking. Note that this occurs after
+ certificate chain signature verification and requires either a CA to
+ have signed the malicious certificate or for the application to continue
+ certificate verification despite failure to construct a path to a trusted
+ issuer.
+
+ In a TLS client, this can be triggered by connecting to a malicious
+ server. In a TLS server, this can be triggered if the server requests
+ client authentication and a malicious client connects.
+
+ An attacker can craft a malicious email address to overflow
+ an arbitrary number of bytes containing the `.` character (decimal 46)
+ on the stack. This buffer overflow could result in a crash (causing a
+ denial of service).
+ ([CVE-2022-3786])
+
+ An attacker can craft a malicious email address to overflow four
+ attacker-controlled bytes on the stack. This buffer overflow could
+ result in a crash (causing a denial of service) or potentially remote code
+ execution depending on stack layout for any given platform/compiler.
+ ([CVE-2022-3602])
+
+ *Paul Dale*
+
+ * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
+ parameters in OpenSSL code.
+ Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
+ OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
+ Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
+ Using these invalid names may cause algorithms to use slower methods
+ that ignore the CRT parameters.
+
+ *Shane Lontis*
+
+ * Fixed a regression introduced in 3.0.6 version raising errors on some stack
+ operations.
+
+ *Tomáš Mráz*
+
+ * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
+ data to be signed before signing the certificate.
+
+ *Gibeom Gwon*
+
+ * Added RIPEMD160 to the default provider.
+
+ *Paul Dale*
+
+ * Ensured that the key share group sent or accepted for the key exchange
+ is allowed for the protocol version.
+
+ *Matt Caswell*
+
### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
* OpenSSL supports creating a custom cipher via the legacy
*Ralf S. Engelschall*
* Incorporated the popular no-RSA/DSA-only patches
- which allow to compile a RSA-free SSLeay.
+ which allow to compile an RSA-free SSLeay.
*Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*
<!-- Links -->
+[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
+[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
+[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
+[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
+[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
+[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
+[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
+[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
+[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
+[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
+[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
+[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
+[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
+[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
+[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
projects / openssl.git / blobdiff