This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [under development]
+ Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]
+
+ o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
+ o Support for extended master secret
+ o CCM ciphersuites
+ o Reworked test suite, now based on perl, Test::Harness and Test::More
+ o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
+ EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
+ o libssl internal structures made opaque
+ o SSLv2 support removed
+ o Kerberos ciphersuite support removed
+ o RC4 removed from DEFAULT ciphersuites in libssl
+ o 40 and 56 bit cipher support removed from libssl
+ o All public header files moved to include/openssl, no more symlinking
+ o SSL/TLS state machine, version negotiation and record layer rewritten
+ o EC revision: now operations use new EC_KEY_METHOD.
+ o Support for OCB mode added to libcrypto
+ o Support for asynchronous crypto operations added to libcrypto and libssl
+ o Deprecated interfaces can now be disabled at build time either
+ relative to the latest release via the "no-deprecated" Configure
+ argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
+ o Application software can be compiled with -DOPENSSL_API_COMPAT=version
+ to ensure that features deprecated in that version are not exposed.
+ o Support for RFC6698/RFC7671 DANE TLSA peer authentication
+ o Change of Configure to use --prefix as the main installation
+ directory location rather than --openssldir. The latter becomes
+ the directory for certs, private key and openssl.cnf exclusively.
+ o Reworked BIO networking library, with full support for IPv6.
+ o New "unified" build system
+
+ Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
+
+ o DH small subgroups (CVE-2016-0701)
+ o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+
+ Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
+
+ o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
+ o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
+ o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+ o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
+ o In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+
+ Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
+
+ o Alternate chains certificate forgery (CVE-2015-1793)
+ o Race condition handling PSK identify hint (CVE-2015-3196)
+
+ Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
+
+ o Fix HMAC ABI incompatibility
+
+ Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
+
+ o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+ o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+ o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+ o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+ o Race condition handling NewSessionTicket (CVE-2015-1791)
+
+ Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
o Multiblock corrupted pointer fix (CVE-2015-0290)
Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
o Add gcc 4.2 support.
- o Add support for AES and SSE2 assembly lanugauge optimization
+ o Add support for AES and SSE2 assembly language optimization
for VC++ build.
o Support for RFC4507bis and server name extensions if explicitly
selected at compile time.