OpenSSL Releases
----------------
+ - [OpenSSL 3.3](#openssl-33)
- [OpenSSL 3.2](#openssl-32)
- [OpenSSL 3.1](#openssl-31)
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
+OpenSSL 3.4
+-----------
+
+### Major changes between OpenSSL 3.3 and OpenSSL 3.4 [under development]
+
+OpenSSL 3.4.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release is in development.
+
+ * Added initial Attribute Certificate (RFC 5755) support.
+
+OpenSSL 3.3
+-----------
+
+### Major changes between OpenSSL 3.2 and OpenSSL 3.3 [under development]
+
+OpenSSL 3.3.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release adds the following new features:
+
+ * Support for qlog for tracing QUIC connections has been added
+
+ * Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+
+ * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
+ objects
+
+ * Added APIs to allow querying the size and utilisation of a QUIC stream's
+ write buffer
+
+ * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
+ condition in an optimised way when using QUIC.
+
+ * Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner.
+
+ * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+
+ * Added exporter for CMake on Unix and Windows, alongside the pkg-config
+ exporter.
+
+ * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
+ output length.
+
+ * The EVP_PKEY_fromdata function has been augmented to allow for the
+ derivation of CRT (Chinese Remainder Theorem) parameters when requested
+
+ * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
+ using time_t which is Y2038 safe on 32 bit systems when 64 bit time
+ is enabled
+
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
+ override the Issuer and Subject when creating a certificate. The `-subj`
+ option now is an alias for `-set_subject`.
+
+ * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
+
+ * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
+ server to prefer session resumption using PSK-only key exchange over PSK
+ with DHE, if both are available.
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded.
+
+ * Added X509_STORE_get1_objects to avoid issues with the existing
+ X509_STORE_get0_objects API in multi-threaded applications.
+
+This release incorporates the following potentially significant or incompatible
+changes:
+
+ * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
+
+ * Optimized AES-CTR for ARM Neoverse V1 and V2
+
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
+ similar to M1/M2.
+
+ * Various optimizations for cryptographic routines using RISC-V vector crypto
+ extensions
+
+ * Added assembly implementation for md5 on loongarch64
+
+ * Accept longer context for TLS 1.2 exporters
+
+ * The activate and soft_load configuration settings for providers in
+ openssl.cnf have been updated to require a value of [1|yes|true|on]
+ (in lower or UPPER case) to enable the setting. Conversely a value
+ of [0|no|false|off] will disable the setting.
+
+ * In `openssl speed`, changed the default hash function used with `hmac` from
+ `md5` to `sha256`.
+
+ * The `-verify` option to the `openssl crl` and `openssl req` will make the
+ program exit with 1 on failure.
+
+ * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
+ related functions have been augmented to check for a minimum length of
+ the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+
+ * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
+ if called with a NULL stack argument.
+
+ * New limit on HTTP response headers is introduced to HTTP client. The
+ default limit is set to 256 header lines.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * The BIO_get_new_index() function can only be called 127 times before it
+ reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its
+ exhausted.
+
+A more detailed list of changes in this release can be found in the
+[CHANGES.md] file.
+
+Users interested in using the new QUIC functionality are encouraged to read the
+[README file for QUIC][README-QUIC.md], which provides links to relevant
+documentation and example code.
+
+As always, bug reports and issues relating to OpenSSL can be [filed on our issue
+tracker][issue tracker].
+
OpenSSL 3.2
-----------
-### Major changes between OpenSSL 3.1 and OpenSSL 3.2 alpha 2 [in pre-release]
+### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]
+
+OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed unbounded memory growth with session handling in TLSv1.3
+ ([CVE-2024-2511])
+
+### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]
+
+OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed PKCS12 Decoding crashes
+ ([CVE-2024-0727])
+ * Fixed excessive time spent checking invalid RSA public keys
+ ([CVE-2023-6237])
+ * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
+ CPUs which support PowerISA 2.07
+ ([CVE-2023-6129])
+
+### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]
+
+OpenSSL 3.2.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release incorporates the following potentially significant or incompatible
+changes:
- * Added client side support for QUIC.
- * Added multiple tutorials on the OpenSSL library and in particular
- on writing various clients (using TLS and QUIC protocols) with libssl.
- * Added support for Brainpool curves in TLS-1.3.
- * Added Raw Public Key (RFC7250) support.
- * Added support for certificate compression (RFC8879), including
- library support for Brotli and Zstandard compression.
- * Implemented support for all five instances of EdDSA from RFC8032.
- * Implemented SM4-XTS support.
- * Implemented deterministic ECDSA signatures (RFC6979) support.
- * Implemented AES-GCM-SIV (RFC8452) support.
- * Implemented Hybrid Public Key Encryption (HPKE) as defined in RFC9180.
- * Multiple new features and improvements of the CMP protocol support.
- * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
- by default.
- * TCP Fast Open (RFC7413) support is available on Linux, macOS, and FreeBSD
- where enabled and supported.
* The default SSL/TLS security level has been changed from 1 to 2.
- * Full support for provider-based/pluggable signature algorithms in TLS 1.3
- operations as well as CMS and X.509 data structure support. With a suitable
- provider this fully enables use of post-quantum/quantum-safe cryptography.
- * It is now possible to use the IANA standard names in TLS cipher
- configuration.
+
* The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
- * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
- a basic thread pool implementation for select platforms.
+
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default. Also spaces surrounding `=` in DN output are removed.
+
+This release adds the following new features:
+
+ * Support for client side QUIC, including support for
+ multiple streams (RFC 9000)
+
+ * Support for Ed25519ctx, Ed25519ph and Ed448ph in addition
+ to existing support for Ed25519 and Ed448 (RFC 8032)
+
+ * Support for deterministic ECDSA signatures (RFC 6979)
+
+ * Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)
+
+ * Support for the Argon2 KDF, along with supporting thread pool
+ functionality (RFC 9106)
+
+ * Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)
+
+ * Support for SM4-XTS
+
+ * Support for Brainpool curves in TLS 1.3
+
+ * Support for TLS Raw Public Keys (RFC 7250)
+
+ * Support for TCP Fast Open on Linux, macOS and FreeBSD,
+ where enabled and supported (RFC 7413)
+
+ * Support for TLS certificate compression, including library
+ support for zlib, Brotli and zstd (RFC 8879)
+
+ * Support for provider-based pluggable signature algorithms
+ in TLS 1.3 with supporting CMS and X.509 functionality
+
+ With a suitable provider this enables the use of post-quantum/quantum-safe
+ cryptography.
+
+ * Support for using the Windows system certificate store as a source of
+ trusted root certificates
+
+ This is not yet enabled by default and must be activated using an
+ environment variable. This is likely to become enabled by default
+ in a future feature release.
+
+ * Support for using the IANA standard names in TLS ciphersuite configuration
+
+ * Multiple new features and improvements to CMP protocol support
+
+The following known issues are present in this release and will be rectified
+in a future release:
+
+ * Provider-based signature algorithms cannot be configured using the
+ SignatureAlgorithms configuration file parameter (#22761)
+
+This release incorporates the following documentation enhancements:
+
+ * Added multiple tutorials on the OpenSSL library and in particular
+ on writing various clients (using TLS and QUIC protocols) with libssl
+
+ See [OpenSSL Guide].
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed excessive time spent in DH check / generation with large Q parameter
+ value
+ ([CVE-2023-5678])
+
+A more detailed list of changes in this release can be found in the
+[CHANGES.md] file.
+
+Users interested in using the new QUIC functionality are encouraged to read the
+[README file for QUIC][README-QUIC.md], which provides links to relevant
+documentation and example code.
+
+As always, bug reports and issues relating to OpenSSL can be [filed on our issue
+tracker][issue tracker].
OpenSSL 3.1
-----------
-### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [under development]
+### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
+
+ * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+ ([CVE-2023-5363])
+
+### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows
([CVE-2023-4807])
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
+[OpenSSL Guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html
+[CHANGES.md]: ./CHANGES.md
+[README-QUIC.md]: ./README-QUIC.md
+[issue tracker]: https://github.com/openssl/openssl/issues