_______________
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
+ *) Given the pervasive nature of TLS extensions it is inadvisable to run
+ OpenSSL without support for them. It also means that maintaining
+ the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
+ not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
+ [Matt Caswell]
+
+ *) Removed support for the two export grade static DH ciphersuites
+ EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+ were newly added (along with a number of other static DH ciphersuites) to
+ 1.0.2. However the two export ones have *never* worked since they were
+ introduced. It seems strange in any case to be adding new export
+ ciphersuites, and given "logjam" it also does not seem correct to fix them.
+ [Matt Caswell]
+
+ *) Version negotiation has been rewritten. In particular SSLv23_method(),
+ SSLv23_client_method() and SSLv23_server_method() have been deprecated,
+ and turned into macros which simply call the new preferred function names
+ TLS_method(), TLS_client_method() and TLS_server_method(). All new code
+ should use the new names instead. Also as part of this change the ssl23.h
+ header file has been removed.
+ [Matt Caswell]
+
+ *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
+ code and the associated standard is no longer considered fit-for-purpose.
+ [Matt Caswell]
+
+ *) Added HTTP GET support to the ocsp command.
+ [Rich Salz]
+
+ *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
+ [Matt Caswell]
*) Added support for TLS extended master secret from
draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
done while fixing the error code for the key-too-small case.
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
+ *) CA.sh has been removmed; use CA.pl instead.
+ [Rich Salz]
+
*) Removed old DES API.
[Rich Salz]
Remove all but one '#ifdef undef' which is to be looked at.
[Rich Salz]
+ *) Clean up calling of xxx_free routines.
+ Just like free(), fix most of the xxx_free routines to accept
+ NULL. Remove the non-null checks from callers. Save much code.
+ [Rich Salz]
+
*) Experimental support for a new, fast, unbiased prime candidate generator,
bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
[Felix Laurie von Massenbach <felix@erbridge.co.uk>]
whose return value is often ignored.
[Steve Henson]
- Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]
+ Changes between 1.0.2a and 1.0.2b [xx XXX xxxx]
+
+ *) Only support 256-bit or stronger elliptic curves with the
+ 'ecdh_auto' setting (server) or by default (client). Of supported
+ curves, prefer P-256 (both).
+ [Emilia Kasper]
+
+ Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
*) ClientHello sigalgs DoS fix
done
To be absolutely sure not to disturb the source tree, a "make clean"
- is a good thing. If it isn't successfull, don't worry about it,
+ is a good thing. If it isn't successful, don't worry about it,
it probably means the source directory is very clean.
[Richard Levitte]
[Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
*) Correct util/mkdef.pl to be selective about disabled algorithms.
- Previously, it would create entries for disableed algorithms no
+ Previously, it would create entries for disabled algorithms no
matter what.
[Richard Levitte]