OpenSSL Releases
----------------
+ - [OpenSSL 3.3](#openssl-33)
+ - [OpenSSL 3.2](#openssl-32)
+ - [OpenSSL 3.1](#openssl-31)
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.1.1](#openssl-111)
- [OpenSSL 1.1.0](#openssl-110)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
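Review bot: the table of contents gains entries for OpenSSL 3.3, 3.2 and 3.1 but not for the new `OpenSSL 3.4` section this same patch adds immediately below it, so the anchor list no longer matches the headings; add `- [OpenSSL 3.4](#openssl-34)` above the 3.3 entry.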
+OpenSSL 3.4
+-----------
+
+### Major changes between OpenSSL 3.3 and OpenSSL 3.4 [under development]
+
+OpenSSL 3.4.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release is in development.
+
+ * Added initial Attribute Certificate (RFC 5755) support.
+
+OpenSSL 3.3
+-----------
+
+### Major changes between OpenSSL 3.2 and OpenSSL 3.3 [under development]
+
+OpenSSL 3.3.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release adds the following new features:
+
+ * Support for qlog for tracing QUIC connections has been added
+
+ * Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+
+ * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
+ objects
+
+ * Added APIs to allow querying the size and utilisation of a QUIC stream's
+ write buffer
+
+ * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
+ condition in an optimised way when using QUIC.
+
+ * Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner.
+
+ * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+
+ * Added exporter for CMake on Unix and Windows, alongside the pkg-config
+ exporter.
+
+ * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
+ output length.
+
+ * The EVP_PKEY_fromdata function has been augmented to allow for the
+ derivation of CRT (Chinese Remainder Theorem) parameters when requested
+
+ * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
+ using time_t which is Y2038 safe on 32 bit systems when 64 bit time
+ is enabled
+
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
+ override the Issuer and Subject when creating a certificate. The `-subj`
+ option now is an alias for `-set_subject`.
+
+ * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
+
+ * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
+ server to prefer session resumption using PSK-only key exchange over PSK
+ with DHE, if both are available.
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded.
+
+ * Added X509_STORE_get1_objects to avoid issues with the existing
+ X509_STORE_get0_objects API in multi-threaded applications.
+
+This release incorporates the following potentially significant or incompatible
+changes:
+
+ * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
+
+ * Optimized AES-CTR for ARM Neoverse V1 and V2
+
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
+ similar to M1/M2.
+
+ * Various optimizations for cryptographic routines using RISC-V vector crypto
+ extensions
+
+ * Added assembly implementation for md5 on loongarch64
+
+ * Accept longer context for TLS 1.2 exporters
+
+ * The activate and soft_load configuration settings for providers in
+ openssl.cnf have been updated to require a value of [1|yes|true|on]
+ (in lower or UPPER case) to enable the setting. Conversely a value
+ of [0|no|false|off] will disable the setting.
+
+ * In `openssl speed`, changed the default hash function used with `hmac` from
+ `md5` to `sha256`.
+
+ * The `-verify` option to the `openssl crl` and `openssl req` will make the
+ program exit with 1 on failure.
+
+ * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
+ related functions have been augmented to check for a minimum length of
+ the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+
+ * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
+ if called with a NULL stack argument.
+
+ * New limit on HTTP response headers is introduced to HTTP client. The
+ default limit is set to 256 header lines.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * The BIO_get_new_index() function can only be called 127 times before it
+ reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its
+ exhausted.
+
+A more detailed list of changes in this release can be found in the
+[CHANGES.md] file.
+
+Users interested in using the new QUIC functionality are encouraged to read the
+[README file for QUIC][README-QUIC.md], which provides links to relevant
+documentation and example code.
+
+As always, bug reports and issues relating to OpenSSL can be [filed on our issue
+tracker][issue tracker].
+
+OpenSSL 3.2
+-----------
+
+### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]
+
+OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed unbounded memory growth with session handling in TLSv1.3
+ ([CVE-2024-2511])
+
+### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]
+
+OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this
+release is Low.
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed PKCS12 Decoding crashes
+ ([CVE-2024-0727])
+ * Fixed excessive time spent checking invalid RSA public keys
+ ([CVE-2023-6237])
+ * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
+ CPUs which support PowerISA 2.07
+ ([CVE-2023-6129])
+
+### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]
+
+OpenSSL 3.2.0 is a feature release adding significant new functionality to
+OpenSSL.
+
+This release incorporates the following potentially significant or incompatible
+changes:
+
+ * The default SSL/TLS security level has been changed from 1 to 2.
+
+ * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
+
+ * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
+ by default. Also spaces surrounding `=` in DN output are removed.
+
+This release adds the following new features:
+
+ * Support for client side QUIC, including support for
+ multiple streams (RFC 9000)
+
+ * Support for Ed25519ctx, Ed25519ph and Ed448ph in addition
+ to existing support for Ed25519 and Ed448 (RFC 8032)
+
+ * Support for deterministic ECDSA signatures (RFC 6979)
+
+ * Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)
+
+ * Support for the Argon2 KDF, along with supporting thread pool
+ functionality (RFC 9106)
+
+ * Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)
+
+ * Support for SM4-XTS
+
+ * Support for Brainpool curves in TLS 1.3
+
+ * Support for TLS Raw Public Keys (RFC 7250)
+
+ * Support for TCP Fast Open on Linux, macOS and FreeBSD,
+ where enabled and supported (RFC 7413)
+
+ * Support for TLS certificate compression, including library
+ support for zlib, Brotli and zstd (RFC 8879)
+
+ * Support for provider-based pluggable signature algorithms
+ in TLS 1.3 with supporting CMS and X.509 functionality
+
+ With a suitable provider this enables the use of post-quantum/quantum-safe
+ cryptography.
+
+ * Support for using the Windows system certificate store as a source of
+ trusted root certificates
+
+ This is not yet enabled by default and must be activated using an
+ environment variable. This is likely to become enabled by default
+ in a future feature release.
+
+ * Support for using the IANA standard names in TLS ciphersuite configuration
+
+ * Multiple new features and improvements to CMP protocol support
+
+The following known issues are present in this release and will be rectified
+in a future release:
+
+ * Provider-based signature algorithms cannot be configured using the
+ SignatureAlgorithms configuration file parameter (#22761)
+
+This release incorporates the following documentation enhancements:
+
+ * Added multiple tutorials on the OpenSSL library and in particular
+ on writing various clients (using TLS and QUIC protocols) with libssl
+
+ See [OpenSSL Guide].
+
+This release incorporates the following bug fixes and mitigations:
+
+ * Fixed excessive time spent in DH check / generation with large Q parameter
+ value
+ ([CVE-2023-5678])
+
+A more detailed list of changes in this release can be found in the
+[CHANGES.md] file.
+
+Users interested in using the new QUIC functionality are encouraged to read the
+[README file for QUIC][README-QUIC.md], which provides links to relevant
+documentation and example code.
+
+As always, bug reports and issues relating to OpenSSL can be [filed on our issue
+tracker][issue tracker].
+
+OpenSSL 3.1
+-----------
+
+### Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
+
+ * Mitigate incorrect resize handling for symmetric cipher keys and IVs.
+ ([CVE-2023-5363])
+
+### Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
+
+ * Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+ ([CVE-2023-4807])
+
+### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]
+
+ * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
+ * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
+ * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
+ * When building with the `enable-fips` option and using the resulting
+ FIPS provider, TLS 1.2 will, by default, mandate the use of an
+ extended master secret and the Hash and HMAC DRBGs will not operate
+ with truncated digests.
+
+### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]
+
+ * Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
+ IDENTIFIER sub-identities. ([CVE-2023-2650])
+ * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms
+ ([CVE-2023-1255])
+ * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
+ * Fixed handling of invalid certificate policies in leaf certificates
+ ([CVE-2023-0465])
+ * Limited the number of nodes created in a policy tree ([CVE-2023-0464])
+
+### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]
+
+ * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+ * Performance enhancements and new platform support including new
+ assembler code algorithm implementations.
+ * Deprecated LHASH statistics functions.
+ * FIPS 140-3 compliance changes.
+
OpenSSL 3.0
-----------
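Review bot: typo in the 3.3 "potentially significant or incompatible changes" list: `Applie Silicon M3-based MacOS systems` should read `Apple Silicon M3-based macOS systems`. In the same list, the AES-GCM unroll8, AES-CTR, RISC-V vector and loongarch64 md5 entries are performance work rather than compatibility changes; grouping them under that heading dilutes the list a reader scans for upgrade risks, so consider moving them next to the new-features list. Also, `will now return -1 once its exhausted` in the BIO_get_new_index() bullet should be `once it is exhausted`, and `section 11.7 and 11.8` in the ASN1_TIME bullet should be `sections 11.7 and 11.8`.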
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 alpha 17 [in pre-release]
+### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
+
+ * Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401])
+ * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286])
+ * Fixed NULL dereference validating DSA public key ([CVE-2023-0217])
+ * Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216])
+ * Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215])
+ * Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450])
+ * Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304])
+ * Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203])
+ * Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])
+
+### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]
+
+ * Added RIPEMD160 to the default provider.
+ * Fixed regressions introduced in 3.0.6 version.
+ * Fixed two buffer overflows in punycode decoding functions.
+ ([CVE-2022-3786]) and ([CVE-2022-3602])
+
+### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]
- * Added migration guide to man7
- * Implemented support for fully "pluggable" TLSv1.3 groups
- * Added suport for Kernel TLS (KTLS)
+ * Fix for custom ciphers to prevent accidental use of NULL encryption
+ ([CVE-2022-3358])
+
+### Major changes between OpenSSL 3.0.4 and OpenSSL 3.0.5 [5 Jul 2022]
+
+ * Fixed heap memory corruption with RSA private key operation
+ ([CVE-2022-2274])
+ * Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
+ ([CVE-2022-2097])
+
+### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]
+
+ * Fixed additional bugs in the c_rehash script which was not properly
+ sanitising shell metacharacters to prevent command injection
+ ([CVE-2022-2068])
+
+### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
+
+ * Fixed a bug in the c_rehash script which was not properly sanitising shell
+ metacharacters to prevent command injection ([CVE-2022-1292])
+ * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
+ certificate on an OCSP response ([CVE-2022-1343])
+ * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
+ AAD data as the MAC key ([CVE-2022-1434])
+ * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
+ occupied by the removed hash table entries ([CVE-2022-1473])
+
+### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022]
+
+ * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+ for non-prime moduli ([CVE-2022-0778])
+
+### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]
+
+ * Fixed invalid handling of X509_verify_cert() internal errors in libssl
+ ([CVE-2021-4044])
+ * Allow fetching an operation from the provider that owns an unexportable key
+ as a fallback if that is still allowed by the property query.
+
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]
+
+ * Enhanced 'openssl list' with many new options.
+ * Added migration guide to man7.
+ * Implemented support for fully "pluggable" TLSv1.3 groups.
+ * Added support for Kernel TLS (KTLS).
* Changed the license to the Apache License v2.0.
* Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
RC4, RC5, and DES to the legacy provider.
* Remove the `RAND_DRBG` API.
* Deprecated the `ENGINE` API.
* Added `OSSL_LIB_CTX`, a libcrypto library context.
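Review bot: the `[7 sep 2021]` date on the 3.0.0 heading uses a lowercase month, unlike every other heading in this patch (`[14 Dec 2021]`, `[15 Mar 2022]`, `[30 May 2023]`); use `[7 Sep 2021]`. In the 3.0.3 list, `Fix a bug in the OPENSSL_LH_flush() function` should be `Fixed a bug ...` to match the tense of the surrounding bullets.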
+ * Added various `_ex` functions to the OpenSSL API that support using
+ a non-default `OSSL_LIB_CTX`.
* Interactive mode is removed from the 'openssl' program.
- * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in
- the FIPS provider. None have the "fips=yes" property set and, as such,
- will not be accidentially used.
- * The algorithm specific public key command line applications have
- been deprecated. These include dhparam, gendsa and others. The pkey
- alternatives should be used instead: pkey, pkeyparam and genpkey.
+ * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
+ included in the FIPS provider.
* X509 certificates signed using SHA1 are no longer allowed at security
level 1 or higher. The default security level for TLS is 1, so
certificates signed using SHA1 are by default no longer trusted to
BIOs (allowing implicit connections), and timeout checks.
* Added util/check-format.pl for checking adherence to the coding guidelines.
* Added OSSL_ENCODER, a generic encoder API.
+ * Added OSSL_DECODER, a generic decoder API.
* Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
* Added error raising macros, ERR_raise() and ERR_raise_data().
* Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
ERR_func_error_string().
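Review bot: two items are removed here without a replacement, and both carry information an upgrader needs. The old bullet stated that X25519, X448, Ed25519, Ed448 and SHAKE256 in the FIPS provider do not have the `fips=yes` property and so cannot be used accidentally; the new two-line bullet only says they are "included in the FIPS provider", which reads as if they are approved algorithms. If the property statement was dropped because it is no longer accurate, the replacement should say what the FIPS status of those algorithms now is. The bullet deprecating the algorithm-specific command line apps (dhparam, gendsa and others) in favour of pkey, pkeyparam and genpkey also disappears; if that deprecation still stands it should remain in the 3.0.0 list, since it is a user-visible behaviour change.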
- * Added OSSL_PROVIDER_available(), to check provider availibility.
+ * Added OSSL_PROVIDER_available(), to check provider availability.
* Added 'openssl mac' that uses the EVP_MAC API.
* Added 'openssl kdf' that uses the EVP_KDF API.
* Add OPENSSL_info() and 'openssl info' to get built-in data.
* Changed our version number scheme and set the next major release to
3.0.0
* Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
- bridge.
+ bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305
+ and SIPHASH.
* Removed the heartbeat message in DTLS feature.
- * Added EVP_KDF, an EVP layer KDF API, and a generic EVP_PKEY to EVP_KDF
- bridge.
+ * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to
+ EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2,
+ PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF.
* All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
SHA256, SHA384, SHA512 and Whirlpool digest functions have been
deprecated.
RC4, RC5 and SEED cipher functions have been deprecated.
* All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
have been deprecated.
- * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
+ * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0,
+ except when RSA key exchange without SHA1 is used.
+ * Added providers, a new pluggability concept that will replace the
+ ENGINE API and ENGINE implementations.
OpenSSL 1.1.1
-------------
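Review bot: the added qualifier `except when RSA key exchange without SHA1 is used` on the "only work at security level 0" rule for SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 contradicts, on its face, the 3.1.0 entry earlier in this patch, which states the same rule unconditionally. If 3.1 removed that exception, say so explicitly in the 3.1.0 bullet, because a deployment that still relies on RSA key exchange to keep TLS 1.0/1.1 working at level 1 will break on upgrade; if the exception still applies in 3.1, the two bullets should use the same wording.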
-### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [under development]
+### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+
+ * Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711])
+ * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712])
+
+### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
* Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450])
* Overhauled Win32 builds
* Cleanups and fixes to the Big Number (BN) library
* Support for ASN.1 GeneralizedTime
- * Splitted ASN.1 SETs from SEQUENCEs
+ * Split ASN.1 SETs from SEQUENCEs
* ASN1 and PEM support for Netscape Certificate Sequences
* Overhauled Perl interface
* Lots of source tree cleanups.
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
+[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
+[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
+[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
+[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
+[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
+[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
+[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
+[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
+[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
+[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
+[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
+[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
+[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
+[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
+[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
+[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
+[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
+[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
+[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
+[OpenSSL Guide]: https://www.openssl.org/docs/manmaster/man7/ossl-guide-introduction.html
+[CHANGES.md]: ./CHANGES.md
+[README-QUIC.md]: ./README-QUIC.md
+[issue tracker]: https://github.com/openssl/openssl/issues
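Review bot: the link definitions added here cover the 3.2.x, 3.1.x and 3.0.8 through 3.0.5 CVEs but not several references this patch introduces in the 3.0.7 through 3.0.1 and 1.1.1l entries: [CVE-2022-3786], [CVE-2022-3602], [CVE-2022-3358], [CVE-2022-2068], [CVE-2022-1292], [CVE-2022-1343], [CVE-2022-1434], [CVE-2022-1473], [CVE-2022-0778], [CVE-2021-4044], [CVE-2021-3711] and [CVE-2021-3712]. Unless they are defined in a part of the file outside this diff, those render as literal bracketed text instead of links; add entries following the existing pattern, e.g. `[CVE-2022-3602]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3602`.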