OpenSSL Releases
----------------
+ - [OpenSSL 3.1](#openssl-31)
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.1.1](#openssl-111)
- [OpenSSL 1.1.0](#openssl-110)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
+OpenSSL 3.1
+-----------
+
+### Major changes between OpenSSL 3.0 and OpenSSL 3.1 [under development]
+
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default.
+ * TCP Fast Open (RFC7413) support is available on Linux, macOS, and FreeBSD
+ where enabled and supported.
+ * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+
OpenSSL 3.0
-----------
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
+### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]
+
+ * Fixed additional bugs in the c_rehash script which was not properly
+ sanitising shell metacharacters to prevent command injection
+ ([CVE-2022-2068])
+
+### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
+
+ * Fixed a bug in the c_rehash script which was not properly sanitising shell
+ metacharacters to prevent command injection ([CVE-2022-1292])
+ * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
+ certificate on an OCSP response ([CVE-2022-1343])
+ * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
+ AAD data as the MAC key ([CVE-2022-1434])
+ * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
+ occuppied by the removed hash table entries ([CVE-2022-1473])
- * Added migration guide to man7
- * Implemented support for fully "pluggable" TLSv1.3 groups
- * Added suport for Kernel TLS (KTLS)
+### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2
+
+ * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+ for non-prime moduli ([CVE-2022-0778])
+
+### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1
+
+ * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+ ([CVE-2021-4044])
+ * Allow fetching an operation from the provider that owns an unexportable key
+ as a fallback if that is still allowed by the property query.
+
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0
+
+ * Enhanced 'openssl list' with many new options.
+ * Added migration guide to man7.
+ * Implemented support for fully "pluggable" TLSv1.3 groups.
+ * Added suport for Kernel TLS (KTLS).
* Changed the license to the Apache License v2.0.
* Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
RC4, RC5, and DES to the legacy provider.
* Remove the `RAND_DRBG` API.
* Deprecated the `ENGINE` API.
* Added `OSSL_LIB_CTX`, a libcrypto library context.
+ * Added various `_ex` functions to the OpenSSL API that support using
+ a non-default `OSSL_LIB_CTX`.
* Interactive mode is removed from the 'openssl' program.
* The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
included in the FIPS provider.
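Review bot: several of the added changelog lines in the 3.0 section carry spelling and consistency defects that should be fixed before this lands. In the 3.0.2 to 3.0.3 list, the OPENSSL_LH_flush() entry for CVE-2022-1473 spells "occupied" as "occuppied" and opens with "Fix a bug" where every sibling entry uses "Fixed". In the 1.1.1 to 3.0.0 list, the re-added KTLS line keeps the "suport" typo from the line it replaces. The headings "Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2" and "Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1" also lack the bracketed release date that the 3.0.4 and 3.0.3 headings carry, which makes it harder for a reader to date the CVE-2022-0778 and CVE-2021-4044 fixes from this file alone.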
BIOs (allowing implicit connections), and timeout checks.
* Added util/check-format.pl for checking adherence to the coding guidelines.
* Added OSSL_ENCODER, a generic encoder API.
+ * Added OSSL_DECODER, a generic decoder API.
* Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
* Added error raising macros, ERR_raise() and ERR_raise_data().
* Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
RC4, RC5 and SEED cipher functions have been deprecated.
* All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
have been deprecated.
- * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+ * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0,
+ except when RSA key exchange without SHA1 is used.
+ * Added providers, a new pluggability concept that will replace the
+ ENGINE API and ENGINE implementations.
OpenSSL 1.1.1
-------------
-### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development]
+### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+
+ * Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711])
+ * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712])
+
+### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
* Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450])
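Review bot: the security-level statement now differs between the two release sections, and the file does not say whether that is intended. The amended 3.0.0 entry here reads "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, except when RSA key exchange without SHA1 is used", while the new 3.1 section states the same restriction with no exception. If the RSA exception still applies in 3.1, repeat it there. If 3.1 removes it, word the 3.1 entry as a change from 3.0 so that anyone auditing legacy protocol exposure can tell which behaviour their version has. Separately, in the 1.1.1k to 1.1.1l list, "Fixed an SM2 Decryption Buffer Overflow" uses title case where the neighbouring entries use sentence case.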