pkeyutil: check return value reading password

[openssl.git] / CHANGES.md

diff --git a/CHANGES.md b/CHANGES.md
index 14694739ae63bb1a85660d2950c5c11e621ff897..31e183f3959d848327234e0f2b149d3bebdfe110 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,27 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Remove the RAND_DRBG API
+
+   The RAND_DRBG API did not fit well into the new provider concept as
+   implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
+   RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
+   and some of its API calls are rather low-level. This holds in particular
+   for the callback mechanism (RAND_DRBG_set_callbacks()).
+
+   Adding a compatibility layer to continue supporting the RAND_DRBG API as
+   a legacy API for a regular deprecation period turned out to come at the
+   price of complicating the new provider API unnecessarily. Since the
+   RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
+   to drop it entirely.
+
+   *Paul Dale and Matthias St. Pierre*
+
+ * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+   as well as actual hostnames.
+
+   *David Woodhouse*
+
  * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
    ignore TLS protocol version bounds when configuring DTLS-based contexts, and
    conversely, silently ignore DTLS protocol version bounds when configuring
@@ -1151,6 +1172,11 @@ OpenSSL 3.0
 
    *Martin Elshuber*
 
+ * `PKCS12_parse` now maintains the order of the parsed certificates
+   when outputting them via `*ca` (rather than reversing it).
+
+   *David von Oheimb*
+
 OpenSSL 1.1.1
 -------------