Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
+ *) Apply Lutz Behnke's 56bit cipher patch. This should fix the problems with cipher
+ ordering and the new EXPORT1024 ciphers. Only two minor changes have been
+ made, the error reason codes have been altered and the @STRENGTH sorting
+ behaviour changed so eNULL ciphers are also sorted (if present).
+
+ One other addition: the "ciphers" program didn't check the return code
+ of SSL_CTX_set_cipher_list().
+ [Lutz Behnke <behnke@trustcenter.de>, minor changes by Steve Henson]
+
+ *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
+ for the first serial number and places 2 in the serial number file. This
+ avoids problems when the root CA is created with serial number zero and
+ the first user certificate has the same issuer name and serial number
+ as the root CA.
+ [Steve Henson]
+
+ *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
+ the new code. Add documentation for this stuff.
+ [Steve Henson]
+
+ *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
+ X509_*() to X509at_*() on the grounds that they don't handle X509
+ structures and behave in an analagous way to the X509v3 functions:
+ they shouldn't be called directly but wrapper functions should be used
+ instead.
+
+ So we also now have some wrapper functions that call the X509at functions
+ when passed certificate requests. (TO DO: similar things can be done with
+ PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
+ things. Some of these need some d2i or i2d and print functionality
+ because they handle more complex structures.)
+ [Steve Henson]
+
+ *) Add missing #ifndefs that caused missing symbols when building libssl
+ as a shared library without RSA. Use #ifndef NO_SSL2 instead of
+ NO_RSA in ssl/s2*.c.
+ [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
+
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
has a return value which indicates the quality of the random data
(1 = ok, 0 = not seeded). Also an error is recorded on the thread's
- error queue.
- (TO DO: always check the result of RAND_bytes when it is used in the
- library, because leaving the error in the error queue but reporting
- success in a function that uses RAND_bytes could confuse things
- considerably.)
+ error queue. New function RAND_pseudo_bytes() generates output that is
+ guaranteed to be unique but not unpredictable.
[Ulf Möller]
*) Do more iterations of Rabin-Miller probable prime test (specifically,