Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Correct the extended master secret constant on EBCDIC systems. Without this
+ fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+ negotiate EMS will fail. Unfortunately this also means that TLS connections
+ between EBCDIC systems with this fix, and EBCDIC systems without this
+ fix will fail if they negotiate EMS.
+ [Matt Caswell]
+
+ *) Changed the library initialisation so that the config file is now loaded
+ by default. This was already the case for libssl. It now occurs for both
+ libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
+ OPENSSL_init_crypto() to suppress automatic loading of a config file.
+ [Matt Caswell]
+
+ *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(),
+ where the former acts as a replacement for ERR_put_error(), and the
+ latter replaces the combination ERR_put_error()+ERR_add_error_data().
+ ERR_raise_data() adds more flexibility by taking a format string and
+ an arbitrary number of arguments following it, to be processed with
+ BIO_snprintf().
+ [Richard Levitte]
+
+ *) Introduced a new function, OSSL_PROVIDER_available(), which can be used
+ to check if a named provider is loaded and available. When called, it
+ will also activate all fallback providers if such are still present.
+ [Richard Levitte]
+
+ *) Enforce a minimum DH modulus size of 512 bits.
+ [Bernd Edlinger]
+
+ *) Changed DH parameters to generate the order q subgroup instead of 2q.
+ Previously generated DH parameters are still accepted by DH_check
+ but DH_generate_key works around that by clearing bit 0 of the
+ private key for those. This avoids leaking bit 0 of the private key.
+ [Bernd Edlinger]
+
+ *) Significantly reduce secure memory usage by the randomness pools.
+ [Paul Dale]
+
*) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
deprecated.
[Rich Salz]
*) Support SM2 signing and verification schemes with X509 certificate.
[Paul Yang]
- *) The macro SYSerr() was changed to take a function name, not
- a numeric value; the SYS_F_xxx defines were removed.
- [Rich Salz]
-
*) Use SHA256 as the default digest for TS query in the ts app.
[Tomas Mraz]