X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES.md;h=585a451d18163bbb44150e9057e3ef564f236f74;hp=68fa1e00330de54b1a3713c07fca24a86825eb31;hb=16b0e0fcb32f553b9302db997045950c6af5f805;hpb=23ccae80bd58adfe89e3e345414684eb82bdb531 diff --git a/CHANGES.md b/CHANGES.md index 68fa1e0033..585a451d18 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,55 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * 'Configure' has been changed to figure out the configuration target if + none is given on the command line. Consequently, the 'config' script is + now only a mere wrapper. All documentation is changed to only mention + 'Configure'. + + *Rich Salz and Richard Levitte* + + * Added a library context that applications as well as other + libraries can use to form a separate context within which libcrypto + operations are performed. + + There are two ways this can be used: + + - Directly, by passing a library context to functions that take + such an argument, such as `EVP_CIPHER_fetch` and similar algorithm + fetching functions. + - Indirectly, by creating a new library context and then assigning + it as the new default, with `OPENSSL_CTX_set0_default`. + + All public OpenSSL functions that take an `OPENSSL_CTX` pointer, + apart from the functions directly related to `OPENSSL_CTX`, accept + NULL to indicate that the default library context should be used. + + Library code that changes the default library context using + `OPENSSL_CTX_set0_default` should take care to restore it with a + second call before returning to the caller. + + *Richard Levitte* + + * Handshake now fails if Extended Master Secret extension is dropped + on renegotiation. + + *Tomas Mraz* + + * Dropped interactive mode from the 'openssl' program. From now on, + the `openssl` command without arguments is equivalent to `openssl + help`. + + *Richard Levitte* + + * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and + EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq(). + While the old function names have been retained for backward compatibility + they should not be used in new developments + because their return values are confusing: Unlike other `_cmp()` functions + they do not return 0 in case their arguments are equal. + + *David von Oheimb* + * Deprecated EC_METHOD_get_field_type(). Applications should switch to EC_GROUP_get_field_type(). @@ -99,6 +148,14 @@ OpenSSL 3.0 *Paul Dale* + * The security strength of SHA1 and MD5 based signatures in TLS has been + reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer + working at the default security level of 1 and instead requires security + level 0. The security level can be changed either using the cipher string + with @SECLEVEL, or calling SSL_CTX_set_security_level(). + + *Kurt Roeckx* + * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side internal keys, if they correspond to one of those built in types. @@ -157,6 +214,12 @@ OpenSSL 3.0 *David von Oheimb* + * BIO_do_connect and BIO_do_handshake have been extended: + If domain name resolution yields multiple IP addresses all of them are tried + after connect() failures. + + *David von Oheimb* + * All of the low level RSA functions have been deprecated including: RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params, @@ -335,8 +398,8 @@ OpenSSL 3.0 and HMAC_CTX_get_md. Use of these low level functions has been informally discouraged for a long - time. Instead applications should use L, - L, L, L + time. Instead applications should use L, + L, L, L and L. *Paul Dale* @@ -359,8 +422,8 @@ OpenSSL 3.0 CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume. Use of these low level functions has been informally discouraged for a long - time. Instead applications should use L, - L, L, L + time. Instead applications should use L, + L, L, L and L. *Paul Dale*