Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
+ *) EGD is no longer supported by default; use enable-egd when
+ configuring.
+ [Ben Kaduk and Rich Salz]
+
+ *) The distribution now has Makefile.in files, which are used to
+ create Makefile's when Configure is run. *Configure must be run
+ before trying to build now.*
+ [Rich Salz]
+
+ *) The return value for SSL_CIPHER_description() for error conditions
+ has changed.
+ [Rich Salz]
+
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
+ *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
+ continues to support deprecated interfaces in default builds.
+ However, applications are strongly advised to compile their
+ source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+ the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+ or the 1.1.0 releases.
+
+ In environments in which all applications have been ported to
+ not use any deprecated interfaces OpenSSL's Configure script
+ should be used with the --api=1.1.0 option to entirely remove
+ support for the deprecated features from the library and
+ unconditionally disable them in the installed headers.
+ Essentially the same effect can be achieved with the "no-deprecated"
+ argument to Configure, except that this will always restrict
+ the build to just the latest API, rather than a fixed API
+ version.
+
+ As applications are ported to future revisions of the API,
+ they should update their compile-time OPENSSL_API_COMPAT define
+ accordingly, but in most cases should be able to continue to
+ compile with later releases.
+
+ The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+ 0x10000000L and 0x00908000L, respectively. However those
+ versions did not support the OPENSSL_API_COMPAT feature, and
+ so applications are not typically tested for explicit support
+ of just the undeprecated features of either release.
+ [Viktor Dukhovni]
+
+ *) Add support for setting the minimum and maximum supported protocol.
+ It can bet set via the SSL_set_min_proto_version() and
+ SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
+ MaxProtcol. It's recommended to use the new APIs to disable
+ protocols instead of disabling individual protocols using
+ SSL_set_options() or SSL_CONF's Protocol. This change also
+ removes support for disabling TLS 1.2 in the OpenSSL TLS
+ client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
+ [Kurt Roeckx]
+
+ *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
+ [Andy Polyakov]
+
+ *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
+ and integrates ECDSA and ECDH functionality into EC. Implementations can
+ now redirect key generation and no longer need to convert to or from
+ ECDSA_SIG format.
+
+ Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
+ include the ec.h header file instead.
+ [Steve Henson]
+
*) Remove support for all 40 and 56 bit ciphers. This includes all the export
ciphers who are no longer supported and drops support the ephemeral RSA key
exchange. The LOW ciphers currently doesn't have any ciphers in it.
[Kurt Roeckx]
+ *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
+ opaque. For HMAC_CTX, the following constructors and destructors
+ were added:
+
+ HMAC_CTX *HMAC_CTX_new(void);
+ void HMAC_CTX_free(HMAC_CTX *ctx);
+
+ For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
+ destroy such methods has been added. See EVP_MD_meth_new(3) and
+ EVP_CIPHER_meth_new(3) for documentation.
+
+ Additional changes:
+ 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
+ HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
+ EVP_MD_CTX_reset() should be called instead to reinitialise
+ an already created structure.
+ 2) For consistency with the majority of our object creators and
+ destructors, EVP_MD_CTX_(create|destroy) were renamed to
+ EVP_MD_CTX_(new|free). The old names are retained as macros
+ for deprecated builds.
+ [Richard Levitte]
+
*) Added ASYNC support. Libcrypto now includes the async sub-library to enable
cryptographic operations to be performed asynchronously as long as an
asynchronous capable engine is used. See the ASYNC_start_job() man page for
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
- exclude it using the list of supported ciphers.
+ exclude it using the list of supported ciphers. This also means that the
+ "-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]
*) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
*) The demo files in crypto/threads were moved to demo/threads.
[Rich Salz]
- *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron and sureware.
- [Matt Caswell]
+ *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
+ and sureware.
+ [Matt Caswell, Rich Salz]
*) New ASN.1 embed macro.
[Richard Levitte]
+ *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
+ are used; the latter aborts on memory leaks (usually checked on exit).
+ Some undocumented "set malloc, etc., hooks" functions were removed
+ and others were changed. All are now documented.
+ [Rich Salz]
+
*) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
*) Added HTTP GET support to the ocsp command.
[Rich Salz]
+ *) Changed default digest for the dgst and enc commands from MD5 to
+ sha256
+ [Rich Salz]
+
*) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
[Matt Caswell]
*) Added support for OCB mode. OpenSSL has been granted a patent license
compatible with the OpenSSL license for use of OCB. Details are available
- at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
+ at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
for OCB can be removed by calling config with no-ocb.
[Matt Caswell]
projects / openssl.git / blobdiff