### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
+ * Added migration guide to man7
+ * Implemented support for fully "pluggable" TLSv1.3 groups
+ * Added suport for Kernel TLS (KTLS)
+ * Changed the license to the Apache License v2.0.
+ * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
+ RC4, RC5, and DES to the legacy provider.
+ * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
+ provider.
+ * Added convenience functions for generating asymmetric key pairs.
+ * Deprecated the `OCSP_REQ_CTX` type and functions.
+ * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions.
+ * Deprecated the `RSA` and `RSA_METHOD` types and functions.
+ * Deprecated the `DSA` and `DSA_METHOD` types and functions.
+ * Deprecated the `DH` and `DH_METHOD` types and functions.
* Deprecated the `ERR_load_` functions.
* Remove the `RAND_DRBG` API.
* Deprecated the `ENGINE` API.
also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
All widely used CMP features are supported for both clients and servers.
- * Added a proper HTTP(S) client to libcrypto supporting GET and POST,
- redirection, plain and ASN.1-encoded contents, proxies, and timeouts.
+ * Added a proper HTTP client supporting GET with optional redirection, POST,
+ arbitrary request and response content types, TLS, persistent connections,
+ connections via HTTP(s) proxies, connections and exchange via user-defined
+ BIOs (allowing implicit connections), and timeout checks.
* Added util/check-format.pl for checking adherence to the coding guidelines.
* Added OSSL_ENCODER, a generic encoder API.
* Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
OpenSSL 1.1.1
-------------
-### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [under development]
+### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development]
- *
+ * Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450])
+ * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client ([CVE-2021-3449])
+
+### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
+
+ * Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
+ function ([CVE-2021-23841])
+ * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks
+ * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
+ EVP_DecryptUpdate functions ([CVE-2021-23840])
+ * Fixed SRP_Calc_client_key so that it runs in constant time
+
+### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
+
+ * Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971])
### Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
<!-- Links -->
+[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
projects / openssl.git / blobdiff