+ Changes between 1.1.0g and 1.1.1 [xx XXX xxxx]
+
+ *) Extend OSSL_STORE with capabilities to search and to narrow the set of
+ objects loaded. This adds the functions OSSL_STORE_expect() and
+ OSSL_STORE_find() as well as needed tools to construct searches and
+ get the search data out of them.
+ [Richard Levitte]
+
+ *) Support for TLSv1.3 added. Note that users upgrading from an earlier
+ version of OpenSSL should review their configuration settings to ensure
+ that they are still appropriate for TLSv1.3. In particular if no TLSv1.3
+ ciphersuites are enabled then OpenSSL will refuse to make a connection
+ unless (1) TLSv1.3 is explicitly disabled or (2) the ciphersuite
+ configuration is updated to include suitable ciphersuites. The DEFAULT
+ ciphersuite configuration does include TLSv1.3 ciphersuites. For further
+ information on this and other related issues please see:
+ https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
+
+ NOTE: In this pre-release of OpenSSL a draft version of the
+ TLSv1.3 standard has been implemented. Implementations of different draft
+ versions of the standard do not inter-operate, and this version will not
+ inter-operate with an implementation of the final standard when it is
+ eventually published. Different pre-release versions may implement
+ different versions of the draft. The final version of OpenSSL 1.1.1 will
+ implement the final version of the standard.
+ TODO(TLS1.3): Remove the above note before final release
+ [Matt Caswell]
+
+ *) Grand redesign of the OpenSSL random generator
+
+ The default RAND method now utilizes an AES-CTR DRBG according to
+ NIST standard SP 800-90Ar1. The new random generator is essentially
+ a port of the default random generator from the OpenSSL FIPS 2.0
+ object module. It is a hybrid deterministic random bit generator
+ using an AES-CTR bit stream and which seeds and reseeds itself
+ automatically using trusted system entropy sources.
+
+ Some of its new features are:
+ o Support for multiple DRBG instances with seed chaining.
+ o Add a public DRBG instance for the default RAND method.
+ o Add a dedicated DRBG instance for generating long term private keys.
+ o Make the DRBG instances fork-safe.
+ o Keep all global DRBG instances on the secure heap if it is enabled.
+ o Add a DRBG instance to every SSL instance for lock free operation
+ and to increase unpredictability.
+ [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
+
+ *) Changed Configure so it only says what it does and doesn't dump
+ so much data. Instead, ./configdata.pm should be used as a script
+ to display all sorts of configuration data.
+ [Richard Levitte]
+
+ *) Added processing of "make variables" to Configure.
+ [Richard Levitte]
+
+ *) Added SHA512/224 and SHA512/256 algorithm support.
+ [Paul Dale]
+
+ *) The last traces of Netware support, first removed in 1.1.0, have
+ now been removed.
+ [Rich Salz]