### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * On build targets where the multilib postfix is set in the build
+ configuration the libdir directory was changing based on whether
+ the lib directory with the multilib postfix exists on the system
+ or not. This unpredictable behavior was removed and eventual
+ multilib postfix is now always added to the default libdir. Use
+ `--libdir=lib` to override the libdir if adding the postfix is
+ undesirable.
+
+ *Jan Lána*
+
+ * The ERR_GET_FUNC() function was removed. With the loss of meaningful
+ function codes, this function can only cause problems for calling
+ applications.
+
+ *Paul Dale*
+
+ * Add a configurable flag to output date formats as ISO 8601. Does not
+ change the default date format.
+
+ *William Edmisten*
+
+ * Version of MSVC earlier than 1300 could get link warnings, which could
+ be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
+ Support for this flag has been removed.
+
+ *Rich Salz*
+
+ * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
+ -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
+ printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
+ Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
+ also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
+
+ *Rich Salz*
+
* The signatures of the functions to get and set options on SSL and
SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
Some source code changes may be required.
- * Rich Salz *
+ *Rich Salz*
+
+ * The public definitions of conf_method_st and conf_st have been
+ deprecated. They will be made opaque in a future release.
+
+ *Rich Salz and Tomáš Mráz*
* Client-initiated renegotiation is disabled by default. To allow it, use
the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
flag, or the "ClientRenegotiation" config parameter as appropriate.
- * Rich Salz *
+ *Rich Salz*
* Add "abspath" and "includedir" pragma's to config files, to prevent,
or modify relative pathname inclusion.
- * Rich Salz *
+ *Rich Salz*
* OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
validated. Please consult the README-FIPS and
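Review bot: the ISO 8601 entry ("Add a configurable flag to output date formats as ISO 8601") does not name the flag or say which output it applies to, so a reader cannot find or set it from this text; name the flag in the entry. In the DEBUG macros entry, `-DUNUSED_RESULT_DEBUG` is missing its full stop, so the rename runs straight into "Fix BN_DEBUG_RAND", and "Version of MSVC earlier than 1300" should read "Versions".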
*Shane Lontis*
+ * Many functions in the EVP_ namespace that are getters of values from
+ implementations or contexts were renamed to include get or get0 in their
+ names. Old names are provided as macro aliases for compatibility and
+ are not deprecated.
+
+ *Tomáš Mráz*
+
* The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
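Review bot: "Many functions in the EVP_ namespace" gives neither an example nor a pointer to the full list of renamed getters. Cite at least one old/new pair in the entry, such as the EVP_PKEY_size() to EVP_PKEY_get_size() rename visible further down this diff, and say where the complete list is documented, so that callers can search their code for the old names.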
* Deprecated the obsolete X9.31 RSA key generation related functions.
+ * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
+ is not allowed to return a value > 1, this is no more taken as failure.
+
+ *Viktor Dukhovni and David von Oheimb*
+
+ * Deprecated the obsolete X9.31 RSA key generation related functions
+ BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
+ BN_X931_generate_prime_ex().
+
*Tomáš Mráz*
* The default key generation method for the regular 2-prime RSA keys was
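Review bot: the `SSL_CTX_set_cert_verify_callback()` entry says a return value > 1 is "no more taken as failure" but not what it is now taken as. Because this return value decides whether a peer certificate is accepted, state the resulting behaviour explicitly, and use "no longer". The added X9.31 entry also opens with the same sentence as the unchanged line above the addition, so check that the resulting file does not carry that entry twice.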
*Richard Levitte*
- * Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
- and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
+ * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
+ and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
a new formulation to include all the things it can be used for,
as well as words of caution.
*Paul Dale*
- * The low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
- SHA384, SHA512 and Whirlpool digest functions have been deprecated.
+ * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
+ functions have been deprecated.
*Paul Dale and David von Oheimb*
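Review bot: the rewritten list drops SHA1, SHA224, SHA256, SHA384 and SHA512 from the deprecated low-level digest functions without saying so. A reader comparing this with the earlier wording cannot tell whether that is a correction or a change of status. Add a sentence stating that the low-level functions for those digests are not deprecated, or explain the narrowing in the commit message.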
* Removed the function names from error messages and deprecated the
xxx_F_xxx define's.
+ *Richard Levitte*
+
* Removed NextStep support and the macro OPENSSL_UNISTD
*Rich Salz*
*Richard Levitte*
- * Added newline escaping functionality to a filename when using openssl dgst.
- This output format is to replicate the output format found in the `*sum`
- checksum programs. This aims to preserve backward compatibility.
-
- *Matt Eaton, Richard Levitte, and Paul Dale*
-
* Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
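Review bot: the `openssl dgst` newline-escaping entry is deleted with no replacement text, so the changelog no longer records how filenames containing newlines are printed, which matters to anything that parses this output next to `*sum` output. If the entry only moved to another section, say so in the commit message; if the behaviour itself was removed, add an entry that says so.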
*"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
* Rewrite commands to use `NCONF` routines instead of the old `CONF`.
- New functions to support `NCONF `routines in extension code.
+ New functions to support `NCONF` routines in extension code.
New function `CONF_set_nconf()`
to allow functions which take an `NCONF` to also handle the old `LHASH`
structure: this means that the old `CONF` compatible routines can be
*Ralf S. Engelschall*
* Removed dummy files from the 0.9.1b source tree:
- ```
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
- ```
*Ralf S. Engelschall*