Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
+ *) New function OPENSSL_gmtime_diff to find the difference in days
+ and seconds between two tm structures. This will be used to provide
+ additional functionality for ASN1_TIME.
+ [Steve Henson]
+
*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS.
multi-process servers.
[Steve Henson]
- *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
- a few changes are required:
-
- Add SSL_OP_NO_TLSv1_1 flag.
- Add TLSv1_1 methods.
- Update version checking logic to handle version 1.1.
- Add explicit IV handling (ported from DTLS code).
- Add command line options to s_client/s_server.
- [Steve Henson]
-
*) Experiemental password based recipient info support for CMS library:
implementing RFC3211.
[Steve Henson]
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
whose return value is often ignored.
[Steve Henson]
+
+ Changes between 1.0.0 and 1.0.1 [xx XXX xxxx]
+
+ *) Add call to ENGINE_register_all_complete() to
+ ENGINE_load_builtin_engines(), so some implementations get used
+ automatically instead of needing explicit application support.
+ [Steve Henson]
- Changes between 0.9.8m and 1.0.0 [25 Feb 2010]
+ *) Add support for TLS key exporter as described in RFC5705.
+ [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson]
+
+ *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
+ a few changes are required:
+
+ Add SSL_OP_NO_TLSv1_1 flag.
+ Add TLSv1_1 methods.
+ Update version checking logic to handle version 1.1.
+ Add explicit IV handling (ported from DTLS code).
+ Add command line options to s_client/s_server.
+ [Steve Henson]
+
+ Changes between 1.0.0 and 1.0.0a [xx XXX xxxx]
+
+ *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
+ (CVE-2010-1633)
+ [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
+
+ Changes between 0.9.8n and 1.0.0 [xx XXX xxxx]
*) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
context. The operation can be customised via the ctrl mechanism in
it from client hello again. Don't allow server to change algorithm.
[Steve Henson]
- *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
- change when encrypting or decrypting.
- [Bodo Moeller]
-
*) Add load_crls() function to apps tidying load_certs() too. Add option
to verify utility to allow additional CRLs to be included.
[Steve Henson]
*) Change 'Configure' script to enable Camellia by default.
[NTT]
- Changes between 0.9.8m and 0.9.8n [xx XXX xxxx]
-
+ Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
+
+ *) Correct a typo in the CMS ASN1 module which can result in invalid memory
+ access or freeing data twice (CVE-2010-0742)
+ [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
+
+ *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
+ common in certificates and some applications which only call
+ SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
+ [Steve Henson]
+
+ Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
+
+ *) When rejecting SSL/TLS records due to an incorrect version number, never
+ update s->server with a new major version number. As of
+ - OpenSSL 0.9.8m if 'short' is a 16-bit type,
+ - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
+ the previous behavior could result in a read attempt at NULL when
+ receiving specific incorrect SSL/TLS records once record payload
+ protection is active. (CVE-2010-####)
+ [Bodo Moeller, Adam Langley]
+
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
[Tomas Hoger <thoger@redhat.com>]
- Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
+ Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
[Martin Olsson, Neel Mehta]
CVE-2009-4355.
[Steve Henson]
+ *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
+ change when encrypting or decrypting.
+ [Bodo Moeller]
+
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
connect and renegotiate with servers which do not support RI.
Until RI is more widely deployed this option is enabled by default.