+ Changes between 1.0.2f and 1.1.0 [xx XXX xxxx]
+
+ *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+ the leading 0-byte.
+ [Emilia Käsper]
+
+ *) CRIME protection: disable compression by default, even if OpenSSL is
+ compiled with zlib enabled. Applications can still enable compression
+ by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
+ using the SSL_CONF library to configure compression.
+ [Emilia Käsper]
+
+ *) The signature of the session callback configured with
+ SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
+ was explicitly marked as 'const unsigned char*' instead of
+ 'unsigned char*'.
+ [Emilia Käsper]
+
+ *) Always DPURIFY. Remove the use of uninitialized memory in the
+ RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
+ [Emilia Käsper]
+
+ *) Removed many obsolete configuration items, including
+ DES_PTR, DES_RISC1, DES_RISC2, DES_INT
+ MD2_CHAR, MD2_INT, MD2_LONG
+ BF_PTR, BF_PTR2
+ IDEA_SHORT, IDEA_LONG
+ RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
+ [Rich Salz, with advice from Andy Polyakov]
+
+ *) Many BN internals have been moved to an internal header file.
+ [Rich Salz with help from Andy Polyakov]
+
+ *) Configuration and writing out the results from it has changed.
+ Files such as Makefile include/openssl/opensslconf.h and are now
+ produced through general templates, such as Makefile.in and
+ crypto/opensslconf.h.in and some help from the perl module
+ Text::Template.
+
+ Also, the center of configuration information is no longer
+ Makefile. Instead, Configure produces a perl module in
+ configdata.pm which holds most of the config data (in the hash
+ table %config), the target data that comes from the target
+ configuration in one of the Configurations/*.conf files (in
+ %target).
+ [Richard Levitte]
+
+ *) To clarify their intended purposes, the Configure options
+ --prefix and --openssldir change their semantics, and become more
+ straightforward and less interdependent.
+
+ --prefix shall be used exclusively to give the location INSTALLTOP
+ where programs, scripts, libraries, include files and manuals are
+ going to be installed. The default is now /usr/local.
+
+ --openssldir shall be used exclusively to give the default
+ location OPENSSLDIR where certificates, private keys, CRLs are
+ managed. This is also where the default openssl.cnf gets
+ installed.
+ If the directory given with this option is a relative path, the
+ values of both the --prefix value and the --openssldir value will
+ be combined to become OPENSSLDIR.
+ The default for --openssldir is INSTALLTOP/ssl.
+
+ Anyone who uses --openssldir to specify where OpenSSL is to be
+ installed MUST change to use --prefix instead.
+ [Richard Levitte]
+
+ *) The GOST engine was out of date and therefore it has been removed. An up
+ to date GOST engine is now being maintained in an external repository.
+ See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+ support for GOST ciphersuites (these are only activated if a GOST engine
+ is present).
+ [Matt Caswell]
+
+ *) EGD is no longer supported by default; use enable-egd when
+ configuring.
+ [Ben Kaduk and Rich Salz]
+
+ *) The distribution now has Makefile.in files, which are used to
+ create Makefile's when Configure is run. *Configure must be run
+ before trying to build now.*
+ [Rich Salz]
+
+ *) The return value for SSL_CIPHER_description() for error conditions
+ has changed.
+ [Rich Salz]
+
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
+ *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
+ continues to support deprecated interfaces in default builds.
+ However, applications are strongly advised to compile their
+ source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+ the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+ or the 1.1.0 releases.
+
+ In environments in which all applications have been ported to
+ not use any deprecated interfaces OpenSSL's Configure script
+ should be used with the --api=1.1.0 option to entirely remove
+ support for the deprecated features from the library and
+ unconditionally disable them in the installed headers.
+ Essentially the same effect can be achieved with the "no-deprecated"
+ argument to Configure, except that this will always restrict
+ the build to just the latest API, rather than a fixed API
+ version.
+
+ As applications are ported to future revisions of the API,
+ they should update their compile-time OPENSSL_API_COMPAT define
+ accordingly, but in most cases should be able to continue to
+ compile with later releases.
+
+ The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+ 0x10000000L and 0x00908000L, respectively. However those
+ versions did not support the OPENSSL_API_COMPAT feature, and
+ so applications are not typically tested for explicit support
+ of just the undeprecated features of either release.
+ [Viktor Dukhovni]
+
+ *) Add support for setting the minimum and maximum supported protocol.
+ It can bet set via the SSL_set_min_proto_version() and
+ SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
+ MaxProtcol. It's recommended to use the new APIs to disable
+ protocols instead of disabling individual protocols using
+ SSL_set_options() or SSL_CONF's Protocol. This change also
+ removes support for disabling TLS 1.2 in the OpenSSL TLS
+ client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
+ [Kurt Roeckx]
+
+ *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
+ [Andy Polyakov]
+
+ *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
+ and integrates ECDSA and ECDH functionality into EC. Implementations can
+ now redirect key generation and no longer need to convert to or from
+ ECDSA_SIG format.
+
+ Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
+ include the ec.h header file instead.
+ [Steve Henson]
+
+ *) Remove support for all 40 and 56 bit ciphers. This includes all the export
+ ciphers who are no longer supported and drops support the ephemeral RSA key
+ exchange. The LOW ciphers currently doesn't have any ciphers in it.
+ [Kurt Roeckx]
+
+ *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
+ opaque. For HMAC_CTX, the following constructors and destructors
+ were added:
+
+ HMAC_CTX *HMAC_CTX_new(void);
+ void HMAC_CTX_free(HMAC_CTX *ctx);
+
+ For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
+ destroy such methods has been added. See EVP_MD_meth_new(3) and
+ EVP_CIPHER_meth_new(3) for documentation.
+
+ Additional changes:
+ 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
+ HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
+ EVP_MD_CTX_reset() should be called instead to reinitialise
+ an already created structure.
+ 2) For consistency with the majority of our object creators and
+ destructors, EVP_MD_CTX_(create|destroy) were renamed to
+ EVP_MD_CTX_(new|free). The old names are retained as macros
+ for deprecated builds.
+ [Richard Levitte]
+
+ *) Added ASYNC support. Libcrypto now includes the async sub-library to enable
+ cryptographic operations to be performed asynchronously as long as an
+ asynchronous capable engine is used. See the ASYNC_start_job() man page for
+ further details. Libssl has also had this capability integrated with the
+ introduction of the new mode SSL_MODE_ASYNC and associated error
+ SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
+ pages. This work was developed in partnership with Intel Corp.
+ [Matt Caswell]
+
+ *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
+ always enabled now. If you want to disable the support you should
+ exclude it using the list of supported ciphers. This also means that the
+ "-no_ecdhe" option has been removed from s_server.
+ [Kurt Roeckx]
+
+ *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
+ SSL_{CTX_}set1_curves() which can set a list.
+ [Kurt Roeckx]
+
+ *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
+ curve you want to support using SSL_{CTX_}set1_curves().
+ [Kurt Roeckx]
+
+ *) State machine rewrite. The state machine code has been significantly
+ refactored in order to remove much duplication of code and solve issues
+ with the old code (see ssl/statem/README for further details). This change
+ does have some associated API changes. Notably the SSL_state() function
+ has been removed and replaced by SSL_get_state which now returns an
+ "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
+ altogether. The previous handshake states defined in ssl.h and ssl3.h have
+ also been removed.
+ [Matt Caswell]
+
+ *) All instances of the string "ssleay" in the public API were replaced
+ with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
+ Some error codes related to internal RSA_eay API's were renamed.
+ [Rich Salz]
+
+ *) The demo files in crypto/threads were moved to demo/threads.
+ [Rich Salz]
+
+ *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
+ and sureware.
+ [Matt Caswell, Rich Salz]
+
+ *) New ASN.1 embed macro.
+
+ New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
+ structure is not allocated: it is part of the parent. That is instead of
+
+ FOO *x;
+
+ it must be:
+
+ FOO x;
+
+ This reduces memory fragmentation and make it impossible to accidentally
+ set a mandatory field to NULL.
+
+ This currently only works for some fields specifically a SEQUENCE, CHOICE,
+ or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
+ equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
+ SEQUENCE OF.
+ [Steve Henson]
+
+ *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
+ [Emilia Käsper]
+
+ *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
+ in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
+ an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
+ DES and RC4 ciphersuites.
+ [Matt Caswell]
+
+ *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+ [Emilia Käsper]
+
+ *) Fix no-stdio build.
+ [ David Woodhouse <David.Woodhouse@intel.com> and also
+ Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
+
+ *) New testing framework
+ The testing framework has been largely rewritten and is now using
+ perl and the perl modules Test::Harness and an extended variant of
+ Test::More called OpenSSL::Test to do its work. All test scripts in
+ test/ have been rewritten into test recipes, and all direct calls to
+ executables in test/Makefile have become individual recipes using the
+ simplified testing OpenSSL::Test::Simple.
+
+ For documentation on our testing modules, do:
+
+ perldoc test/testlib/OpenSSL/Test/Simple.pm
+ perldoc test/testlib/OpenSSL/Test.pm
+
+ [Richard Levitte]
+
+ *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
+ are used; the latter aborts on memory leaks (usually checked on exit).
+ Some undocumented "set malloc, etc., hooks" functions were removed
+ and others were changed. All are now documented.
+ [Rich Salz]
+
+ *) In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+ [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
+
+ *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
+ from RFC4279, RFC4785, RFC5487, RFC5489.
+
+ Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
+ original RSA_PSK patch.
+ [Steve Henson]
+
+ *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
+ era flag was never set throughout the codebase (only read). Also removed
+ SSL3_FLAGS_POP_BUFFER which was only used if
+ SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
+ [Matt Caswell]
+
+ *) Changed the default name options in the "ca", "crl", "req" and "x509"
+ to be "oneline" instead of "compat".
+ [Richard Levitte]
+
+ *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
+ not aware of clients that still exhibit this bug, and the workaround
+ hasn't been working properly for a while.
+ [Emilia Käsper]
+
+ *) The return type of BIO_number_read() and BIO_number_written() as well as
+ the corresponding num_read and num_write members in the BIO structure has
+ changed from unsigned long to uint64_t. On platforms where an unsigned
+ long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
+ transferred.
+ [Matt Caswell]
+
+ *) Given the pervasive nature of TLS extensions it is inadvisable to run
+ OpenSSL without support for them. It also means that maintaining
+ the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
+ not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
+ [Matt Caswell]
+
+ *) Removed support for the two export grade static DH ciphersuites
+ EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+ were newly added (along with a number of other static DH ciphersuites) to
+ 1.0.2. However the two export ones have *never* worked since they were
+ introduced. It seems strange in any case to be adding new export
+ ciphersuites, and given "logjam" it also does not seem correct to fix them.
+ [Matt Caswell]
+
+ *) Version negotiation has been rewritten. In particular SSLv23_method(),
+ SSLv23_client_method() and SSLv23_server_method() have been deprecated,
+ and turned into macros which simply call the new preferred function names
+ TLS_method(), TLS_client_method() and TLS_server_method(). All new code
+ should use the new names instead. Also as part of this change the ssl23.h
+ header file has been removed.
+ [Matt Caswell]
+
+ *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
+ code and the associated standard is no longer considered fit-for-purpose.
+ [Matt Caswell]
+
+ *) RT2547 was closed. When generating a private key, try to make the
+ output file readable only by the owner. This behavior change might
+ be noticeable when interacting with other software.
+
+ *) Documented all exdata functions. Added CRYPTO_free_ex_index.
+ Added a test.
+ [Rich Salz]
+
+ *) Added HTTP GET support to the ocsp command.
+ [Rich Salz]
+
+ *) Changed default digest for the dgst and enc commands from MD5 to
+ sha256
+ [Rich Salz]
+
+ *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
+ [Matt Caswell]
+
+ *) Added support for TLS extended master secret from
+ draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
+ initial patch which was a great help during development.
+ [Steve Henson]
+