Lines Matching +full:enable +full:- +full:weak +full:- +full:ssl +full:- +full:ciphers
4 This is a high-level summary of the most important changes.
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
34 does not save the contents of non-volatile XMM registers on Windows 64
38 x86_64 processors supporting the AVX512-IFMA instructions.
41 be various - from no consequences, if the calling application does not
42 depend on the contents of non-volatile XMM registers at all, to the worst
49 ([CVE-2023-4807])
56 fixing CVE-2023-3446 it was discovered that a large q parameter value can
66 ([CVE-2023-3817])
85 ([CVE-2023-3446])
89 * Do not ignore empty associated data entries with AES-SIV.
91 The AES-SIV algorithm allows for authentication of multiple associated
95 The AES-SIV implementation in OpenSSL just returns success for such call
97 The empty data thus will not be authenticated. ([CVE-2023-2975])
102 applications that use empty associated data entries with AES-SIV.
110 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
113 numeric text form. For gigantic sub-identifiers, this would take a very
115 sub-identifier. ([CVE-2023-2650])
123 most 128 sub-identifiers, and that the maximum value that each sub-
124 identifier may have is 2^32-1 (4294967295 decimal).
126 For each byte of every sub-identifier, only the 7 lower bits are part of
131 Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
136 that it does not enable policy checking. Thanks to David Benjamin for
138 ([CVE-2023-0466])
142 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
144 application using AES-XTS decryption if the memory just after the buffer
147 ([CVE-2023-1255])
158 Benjamin for discovering this issue. ([CVE-2023-0286])
188 ([CVE-2022-3786])
191 attacker-controlled bytes on the stack. This buffer overflow could
194 ([CVE-2022-3602])
232 to use the new provider mechanism in order to implement custom ciphers.
234 OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
253 SSL/TLS are not impacted by this issue.
254 ([CVE-2022-3358])
263 * Fixed the linux-mips64 Configure target which was missing the
278 * Fixed detection of ktls support in cross-compile environment on Linux
314 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
315 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
316 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
336 SSL/TLS servers or other servers using 2048 bit RSA private keys running
339 ([CVE-2022-2274])
343 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
351 ([CVE-2022-2097])
358 CVE-2022-1292, further bugs where the c_rehash script does not
362 When the CVE-2022-1292 was fixed it was not discovered that there
372 (CVE-2022-2068)
383 * Case insensitive string comparison is reimplemented via new locale-agnostic
398 (CVE-2022-1292)
404 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
415 verifying an ocsp response with the "-no_cert_checks" option the command line
420 ([CVE-2022-1343])
424 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
427 An attacker could exploit this issue by performing a man-in-the-middle attack
431 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
435 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
442 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
446 cannot decrypt data that has been encrypted using this ciphersuite - they can
450 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
456 1) OpenSSL must have been compiled with the (non-default) compile time option
457 enable-weak-ssl-ciphers
466 5) A version of SSL/TLS below TLSv1.3 must have been negotiated
468 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
470 (CVE-2022-1434)
485 (CVE-2022-1473)
499 for non-prime moduli.
516 - TLS clients consuming server certificates
517 - TLS servers consuming client certificates
518 - Hosting providers taking certificates or private keys from customers
519 - Certificate authorities parsing certification requests from subscribers
520 - Anything else which parses ASN.1 elliptic curve parameters
524 ([CVE-2022-0778])
534 * Made the AES constant time code for no-asm configurations
537 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
575 ([CVE-2021-4044])
639 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
640 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
641 SP 800-38D". The communication will fail at this point.
651 beginning of a PEM-formatted file.
671 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
682 `--libdir=lib` to override the libdir if adding the postfix is
704 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
709 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
710 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
711 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
717 * The signatures of the functions to get and set options on SSL and
728 * Client-initiated renegotiation is disabled by default. To allow it, use
729 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
739 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
740 validated. Please consult the README-FIPS and
741 README-PROVIDERS files, as well as the migration guide.
767 SSL or TLS connections to succeed.
845 * The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
851 RIPEMD-160 have been moved to the legacy provider.
868 * A number of functions handling low-level keys or engines were deprecated
879 - NID_pbeWithMD2AndDES_CBC
880 - NID_pbeWithMD5AndDES_CBC
881 - NID_pbeWithSHA1AndRC2_CBC
882 - NID_pbeWithMD2AndRC2_CBC
883 - NID_pbeWithMD5AndRC2_CBC
884 - NID_pbeWithSHA1AndDES_CBC
907 algorithms. This is enabled by including the no-cached-fetch option
912 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
917 * The openssl speed command does not use low-level API calls anymore.
921 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
926 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
947 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
965 * The default key generation method for the regular 2-prime RSA keys was
966 changed to the FIPS 186-4 B.3.6 method.
996 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1003 to ignore unknown ciphers.
1007 * The `-cipher-commands` and `-digest-commands` options
1009 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1014 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1034 * The `-crypt` option to the `passwd` command line tool has been removed.
1038 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1043 * Add support for AES Key Wrap inverse ciphers to the EVP layer.
1063 * Added new option for 'openssl list', '-providers', which will display the
1094 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1096 TLS-based contexts. The commands can be repeated to set bounds of both
1098 "max_protocol" command-line switches, in case some application uses both TLS
1104 error. Now only the "version-flexible" SSL_CTX instances are subject to
1105 limits in configuration files in command-line options.
1124 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1125 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1143 a non-default `OSSL_LIB_CTX`.
1174 * Add CAdES-BES signature verification support, mostly derived
1179 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1183 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1205 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
1256 [ATX headings]: https://github.github.com/gfm/#atx-headings
1257 [setext headings]: https://github.github.com/gfm/#setext-headings
1258 [inline links]: https://github.github.com/gfm/#inline-link
1259 [reference links]: https://github.github.com/gfm/#reference-link
1260 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1261 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1266 A new directory test-runs/ with subdirectories named like the
1273 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1280 user-defined BIOs (allowing implicit connections), persistent connections,
1282 The legacy OCSP-focused (and only partly documented) API
1287 * Added `util/check-format.pl`, a tool for checking adherence to the
1362 - Common options (such as -rand/-writerand, TLS version control, etc)
1363 were refactored and point to newly-enhanced descriptions in openssl.pod.
1364 - Added style conformance for all options (with help from Richard Levitte),
1368 - Documented some internals, such as all use of environment variables.
1369 - Addressed all internal broken L<> references.
1377 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1418 used in exponentiation with 512-bit moduli. No EC algorithms are
1419 affected. Analysis suggests that attacks against 2-prime RSA1024,
1420 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1423 have to re-use the DH512 private key, which is not recommended anyway.
1424 Also applications directly using the low-level API BN_mod_exp may be
1426 ([CVE-2019-1551])
1430 * Most memory-debug features have been deprecated, and the functionality
1431 replaced with no-ops.
1472 * Change the interpretation of the '--api' configuration option to
1476 the given version, now requires that 'no-deprecated' is also used
1482 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1490 -DOPENSSL_API_COMPAT=30000 For 3.0
1491 -DOPENSSL_API_COMPAT=30200 For 3.2
1494 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1505 - X509_LOOKUP_store()
1506 - X509_STORE_load_file()
1507 - X509_STORE_load_path()
1508 - X509_STORE_load_store()
1509 - SSL_add_store_cert_subjects_to_stack()
1510 - SSL_CTX_set_default_verify_store()
1511 - SSL_CTX_load_verify_file()
1512 - SSL_CTX_load_verify_dir()
1513 - SSL_CTX_load_verify_store()
1518 The presence of this system service is determined at run-time.
1527 of application written for pre-3.0 OpenSSL easier.
1549 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1579 VERBOSE_FAILURE or VF can be used to enable this:
1587 * Added the `-copy_extensions` option to the `x509` command for use with
1588 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1593 * Added the `-copy_extensions` option to the `req` command for use with
1594 `-x509`. When given with the `copy` or `copyall` argument,
1602 and for not self-signed certs there is an authorityKeyIdentifier extension
1611 (which may be done by using the CLI option `-x509_strict`):
1623 unless they are self-signed.
1633 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
1649 ([CVE-2019-1547])
1663 The old behaviour can be re-enabled in the CMS code by setting the
1678 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
1681 the 2-prime and 3-prime RSA modules were easy to distinguish, since
1683 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
1689 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
1733 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
1782 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
1791 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
1792 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
1793 for Windows Store apps easier. Also, the "no-uplink" option has been added.
1809 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
1824 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
1825 mandated by IEEE Std 1619-2018.
1856 'enable-buildtest-c++'.
1891 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
1904 * Fix a bug in the computation of the endpoint-pair shared secret used
1912 re-used X509_PUBKEY object if the second PUBKEY is malformed.
1926 - Major releases (indicated by incrementing the MAJOR release number)
1928 - Minor releases (indicated by incrementing the MINOR release number)
1930 - Patch releases (indicated by incrementing the PATCH number)
1937 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
1947 * Recreate the OS390-Unix config target. It no longer relies on a
1948 special script like it did for OpenSSL pre-1.1.0.
1953 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
1983 * AES-XTS mode now enforces that its two keys are different to mitigate
1997 * Added new option for 'openssl list', '-objects', which will display the
2002 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2008 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2010 applications with zero-copy system calls such as sendfile and splice.
2014 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
2042 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2049 -------------
2077 again, but this time passing a non-NULL value for the "out" parameter.
2092 ([CVE-2021-3711])
2136 ([CVE-2021-3712])
2153 that non-CA certificates must not be able to issue other certificates.
2167 ([CVE-2021-3450])
2181 ([CVE-2021-3449])
2194 ([CVE-2021-23841])
2201 CVE-2021-23839.
2211 ([CVE-2021-23840])
2238 ([CVE-2020-1971])
2250 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2252 TLS-based contexts. The commands can be repeated to set bounds of both
2254 "max_protocol" command-line switches, in case some application uses both TLS
2260 error. Now only the "version-flexible" SSL_CTX instances are subject to
2261 limits in configuration files in command-line options.
2281 ([CVE-2020-1967])
2285 * Added AES consttime code for no-asm configurations
2287 when building openssl for no-asm.
2288 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2289 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2305 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2308 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2310 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2354 The presence of this system service is determined at run-time.
2377 ([CVE-2019-1549])
2381 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2397 ([CVE-2019-1547])
2411 The old behaviour can be re-enabled in the CMS code by setting the
2413 ([CVE-2019-1563])
2428 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2439 ([CVE-2019-1552])
2475 'enable-buildtest-c++'.
2479 * Enable SHA3 pre-hashing for ECDSA and DSA.
2492 util/fix-doc-nits accordingly.
2513 * Prevent over long nonces in ChaCha20-Poly1305.
2515 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2534 affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
2536 applications that use this cipher directly and set a non-default nonce
2541 ([CVE-2019-1543])
2561 * Change the info callback signals for the start and end of a post-handshake
2582 ([CVE-2018-0734])
2593 ([CVE-2018-0735])
2609 the application the ability to adjust the nascent SSL object at the
2621 * s390x assembly pack: add (improved) hardware-support for the following
2622 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
2623 aes-cfb/cfb8, aes-ecb.
2635 differential addition-and-doubling in homogeneous projective coordinates
2636 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
2637 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
2638 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
2645 For larger primes this will result in more rounds of Miller-Rabin.
2647 to 2^-128.
2651 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
2663 length-invariant. Switch even to fixed-length Montgomery multiplication.
2669 differential addition-and-doubling in mixed Lopez-Dahab projective
2678 differential addition-and-doubling algorithms.
2690 * Numerous side-channel attack mitigations have been applied. This may have
2700 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
2702 multi-version installation is managed.
2710 EC cryptosystem implementations are then safer-by-default.
2734 Many applications do not properly handle non-application data records, and
2793 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
2841 configuration has been separated out. See the ciphers man page or the
2847 in responder mode now supports the new "-multi" option, which
2849 requests. The "-timeout" option now also limits the OCSP
2854 as a long-running service, making the OpenSSL CA somewhat more
2855 feature-complete. In this mode, most diagnostic messages logged
2882 The default RAND method now utilizes an AES-CTR DRBG according to
2883 NIST standard SP 800-90Ar1. The new random generator is essentially
2886 using an AES-CTR bit stream and which seeds and reseeds itself
2890 - Support for multiple DRBG instances with seed chaining.
2891 - The default RAND method makes use of a DRBG.
2892 - There is a public and private DRBG instance.
2893 - The DRBG instances are fork-safe.
2894 - Keep all global DRBG instances on the secure heap if it is enabled.
2895 - The public and private DRBG instance are per thread for lock free
2931 * Add multi-prime RSA (RFC 8017) support.
2935 * Add SM3 implemented according to GB/T 32905-2016
2946 * Add SM4 implemented according to GB/T 32907-2016.
2951 * Reimplement -newreq-nodes and ERR_error_string_n; the
2985 To disable, configure with 'no-ui-console'. 'no-ui' is still
3002 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3004 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3038 * Ignore the '-named_curve auto' value for compatibility of applications
3043 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
3044 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3062 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3071 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3089 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3093 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3110 default unless the new "-noservername" option is used. The server name is
3111 based on the host provided to the "-connect" option unless overridden by
3112 using "-servername".
3129 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3147 -------------
3151 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3167 ([CVE-2019-1547])
3181 The old behaviour can be re-enabled in the CMS code by setting the
3183 ([CVE-2019-1563])
3191 ([CVE-2019-1552])
3204 * Prevent over long nonces in ChaCha20-Poly1305.
3206 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3225 affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
3227 applications that use this cipher directly and set a non-default nonce
3232 ([CVE-2019-1543])
3244 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3267 ([CVE-2018-0734])
3278 ([CVE-2018-0735])
3299 ([CVE-2018-0732])
3312 ([CVE-2018-0737])
3323 length-invariant. Switch even to fixed-length Montgomery multiplication.
3329 For larger primes this will result in more rounds of Miller-Rabin.
3331 to 2^-128.
3335 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3362 some characters, such as form-feed, were incorrectly treated as whitespace
3368 and use the "-binary" flag (for the "cms" command line application) or set
3380 are no such structures used within SSL/TLS that come from untrusted sources
3383 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3385 ([CVE-2018-0739])
3389 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3391 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3396 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3400 ([CVE-2018-0733])
3416 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3425 * Removed the OS390-Unix config target. It relied on a script that doesn't
3433 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3441 no longer an option since CVE-2016-0701.
3447 was originally found via the OSS-Fuzz project.
3448 ([CVE-2017-3738])
3471 This issue was reported to OpenSSL by the OSS-Fuzz project.
3472 ([CVE-2017-3736])
3479 OpenSSL could do a one-byte buffer overread. The most likely result
3482 This issue was reported to OpenSSL by the OSS-Fuzz project.
3483 ([CVE-2017-3735])
3489 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3494 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3502 * Encrypt-Then-Mac renegotiation crash
3504 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3505 negotiated where it was not in the original handshake (or vice-versa) then
3510 ([CVE-2017-3733])
3518 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3520 perform an out-of-bounds read, usually resulting in a crash.
3523 ([CVE-2017-3731])
3535 ([CVE-2017-3730])
3552 default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
3553 similar to CVE-2015-3193 but must be treated as a separate problem.
3555 This issue was reported to OpenSSL by the OSS-Fuzz project.
3556 ([CVE-2017-3732])
3562 * ChaCha20/Poly1305 heap-buffer-overflow
3564 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3569 ([CVE-2016-7054])
3583 ([CVE-2016-7053])
3589 There is a carry propagating bug in the Broadwell-specific Montgomery
3596 erroneous outcome of public-key operations with specially crafted input.
3597 Among EC algorithms only Brainpool P-512 curves are affected and one
3599 detail, because pre-requisites for attack are considered unlikely. Namely
3607 ([CVE-2016-7055])
3620 The patch applied to address CVE-2016-6307 resulted in an issue where if a
3630 ([CVE-2016-6309])
3644 the "no-ocsp" build time option are not affected.
3647 ([CVE-2016-6304])
3653 OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
3658 ([CVE-2016-6305])
3696 memory - which would then mean a more serious Denial of Service.
3699 (CVE-2016-6307 and CVE-2016-6308)
3703 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
3705 assemble our modules with -KPIC flag. As a result, assembly
3707 lack of side-channel resistant code, which is incompatible with
3715 * Windows command-line tool supports UTF-8 opt-in option for arguments
3718 with Windows CryptoAPI and protected with non-ASCII password, as well
3719 as files generated under UTF-8 locale on Linux also protected with
3720 non-ASCII password.
3724 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
3726 See the RC4 item below to re-enable both.
3746 no-ops and deprecated.
3751 calling CryptGenRandom(). Various other RAND-related tickets
3800 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
3804 * To enable users to have their own config files and build file templates,
3806 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
3819 the "no-shared" Configure option.
3823 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
3829 * Make various cleanup routines no-ops and mark them as deprecated. Most
3831 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
3832 Explicitly de-initing can cause problems (e.g. where a library that uses
3833 OpenSSL de-inits, but an application is still using it). The affected
3841 * --strict-warnings no longer enables runtime debugging options
3843 enabled with '--debug' builds.
3871 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
3884 * Removed the aged BC-32 config and all its supporting scripts
3900 * Added support for "pipelining". Ciphers that have the
3902 encryptions/decryptions simultaneously. There are currently no built-in
3903 ciphers with this property but the expectation is that engines will be able
3912 AES128-CBC. The kernel must be version 4.1.0 or greater.
3917 set locking callbacks to use OpenSSL in a multi-threaded environment. There
3919 also possible to configure OpenSSL at compile time for "no-threads". The
3921 replaced with "no-op" compatibility macros.
3930 * Add SSL_CIPHER queries for authentication and key-exchange.
3935 - Prefer (EC)DHE handshakes over plain RSA.
3936 - Prefer AEAD ciphers over legacy ciphers.
3937 - Prefer ECDSA over RSA when both certificates are available.
3938 - Prefer TLSv1.2 ciphers/PRF.
3939 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
3949 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
3950 disabled by default. They can be re-enabled using the
3951 enable-weak-ssl-ciphers option to Configure.
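Whether RC4 suites exist at all in a given libssl (the precondition listed under CVE-2022-1434 above, and the 1.1.0 item here) depends on how that OpenSSL was configured, and 3DES suites are compiled but kept out of DEFAULT since the SWEET32 change. The script below is an added example, not OpenSSL's or CPython's own code: it probes the OpenSSL that Python's `ssl` module links against using only the public API (`SSLContext.set_ciphers`, `get_ciphers`, `create_default_context`), reports whether RC4 and 3DES suites can be selected, and lists any weak suite a default context would still offer. The classification rules and all function names are ours.

```python
"""Probe the OpenSSL linked into this interpreter for cipher suites that OpenSSL
keeps out of a default build (RC4, present only with the Configure option
enable-weak-ssl-ciphers) or out of its DEFAULT list (3DES, since the SWEET32
change in 1.1.0), and list any such suite a default context would offer.
Added example, not OpenSSL's or CPython's own code; helper names are ours."""
import ssl


def make_context(cipher_string):
    """Return a client SSLContext restricted to `cipher_string` (OpenSSL
    cipher-string syntax, e.g. 'RC4', '3DES', 'ALL:COMPLEMENTOFALL'), or None.
    set_ciphers() raises ssl.SSLError ('No cipher can be selected') when no
    TLS<=1.2 suite matches, which is exactly what a build configured without
    enable-weak-ssl-ciphers does for 'RC4'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx


def suite_available(cipher_string):
    """True if the linked OpenSSL can select at least one TLS<=1.2 suite for
    `cipher_string`.  get_ciphers() also reports the fixed TLS 1.3 suites, so
    those are ignored when deciding."""
    ctx = make_context(cipher_string)
    if ctx is None:
        return False
    return any(c["protocol"] != "TLSv1.3" for c in ctx.get_ciphers())


def weak_suites_in(ctx):
    """Names of the TLS<=1.2 suites in `ctx` that a hardened policy should not
    offer: RC4, 3DES (SWEET32), MD5 MACs, NULL encryption, export strength and
    anonymous key exchange.  Uses the fields get_ciphers() reports, with the
    suite name as a fallback for older interpreters that lack some fields."""
    weak = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue                                  # AEAD-only, never weak here
        name = c["name"]
        sym = (c.get("symmetric") or "").lower()      # e.g. 'rc4', 'des-ede3-cbc'
        mac = (c.get("digest") or "").lower()         # e.g. 'md5'; None for AEAD
        auth = (c.get("auth") or "").lower()          # 'auth-null' for ADH/AECDH
        if (sym in ("rc4", "des-ede3-cbc") or "RC4" in name
                or "DES-CBC3" in name or "3DES" in name
                or mac == "md5" or "-MD5" in name
                or "NULL" in name or auth == "auth-null"
                or name.startswith("EXP") or c["strength_bits"] < 112):
            weak.append(name)
    return weak


def audit_local_build():
    """Summarise what this interpreter's OpenSSL offers, as a dict so a build
    check can assert on the result instead of eyeballing printed output."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # True only if OpenSSL was configured with enable-weak-ssl-ciphers.
        "rc4_compiled_in": suite_available("RC4"),
        # 3DES is compiled by default but flagged SSL_NOT_DEFAULT since 1.1.0.
        "3des_compiled_in": suite_available("3DES"),
        # Should be empty on any sane build and Python default cipher policy.
        "weak_in_default_context": weak_suites_in(ssl.create_default_context()),
    }


if __name__ == "__main__":
    for key, value in audit_local_build().items():
        print(f"{key}: {value}")
```

Run it against every Python/OpenSSL pairing a service is deployed with; `rc4_compiled_in` being True is the signal that the library was built with the non-default option, and `weak_in_default_context` being non-empty means the application's default policy, not just the build, needs attention. The check only sees TLS 1.2 and earlier on purpose: TLS 1.3 ciphersuites are fixed AEAD suites and are unaffected by this option.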
3965 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
3968 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
3975 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
3995 the configuration option "disable-dynamic-engine".
4000 with "disable-dso" or "disable-pic".
4015 If this isn't desirable, the configuration options "disable-pic"
4016 or "no-pic" can be used to disable the use of PIC. This will
4027 is for. Also, the configuration option --install_prefix is
4033 for DTLS; configure with enable-heartbeats. Code that uses the
4054 template in Configurations, like unix-Makefile.tmpl or
4067 * Added support for auto-initialisation and de-initialisation of the library.
4089 the leading 0-byte.
4094 compiled with zlib enabled. Applications can still enable compression
4101 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4108 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4141 --prefix and --openssldir change their semantics, and become more
4144 --prefix shall be used exclusively to give the location INSTALLTOP
4148 --openssldir shall be used exclusively to give the default
4153 values of both the --prefix value and the --openssldir value will
4155 The default for --openssldir is INSTALLTOP/ssl.
4157 Anyone who uses --openssldir to specify where OpenSSL is to be
4158 installed MUST change to use --prefix instead.
4170 * EGD is no longer supported by default; use enable-egd when
4194 example, be used to implement local end-entity certificate or
4195 trust-anchor "pinning", where the "pin" data takes the form
4204 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4210 should be used with the --api=1.1.0 option to entirely remove
4213 Essentially the same effect can be achieved with the "no-deprecated"
4219 they should update their compile-time OPENSSL_API_COMPAT define
4256 * Remove support for all 40 and 56 bit ciphers. This includes all the export
4257 ciphers, which are no longer supported, and drops support for the ephemeral RSA key
4258 exchange. The LOW cipher class currently has no ciphers in it.
4285 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4297 exclude it using the list of supported ciphers. This also means that the
4298 "-no_ecdhe" option has been removed from s_server.
4314 with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
4319 defined in ssl.h and ssl3.h have also been removed.
4324 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4359 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4377 * Fix no-stdio build.
4396 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4450 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4468 code and the associated standard is no longer considered fit-for-purpose.
4495 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4508 Access to deprecated functions can be re-enabled by running config with
4509 "enable-deprecated". In addition applications wishing to use deprecated
4518 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4519 for OCB can be removed by calling config with no-ocb.
4529 done while fixing the error code for the key-too-small case.
4531 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4552 16-bit platforms such as WIN16
4557 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4558 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4559 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4560 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4561 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4562 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4566 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4577 NULL. Remove the non-null checks from callers. Save much code.
4597 * Harmonize version and its documentation. -f flag is used to display
4617 preparing the fix ([CVE-2014-0160])
4622 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
4627 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
4636 * Experimental encrypt-then-mac support.
4639 draft-gutmann-tls-encrypt-then-mac-02.txt
4641 To enable it set the appropriate extension number (0x42 for the test
4642 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
4644 For non-compliant peers (i.e. just about everything) this should have no
4658 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
4698 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
4710 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
4722 FIPS 186-3 A.2.3.
4724 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
4750 information in FIPS186-3, SP800-57 and SP800-131A.
4786 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
4790 * Extensive self tests and health checking required by SP800-90 DRBG.
4805 leading zeroes if needed: this complies with SP800-56A et al.
4809 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
4827 * Add selftest checks and algorithm block of non-fips algorithms in
4838 * New build option no-ec2m to disable characteristic 2 code.
4853 * Initial, experimental EVP support for AES-GCM. AAD can be input by
4863 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
4879 * Improve forward-security support: add functions
4882 SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
4884 SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
4886 for use by SSL/TLS servers; the callback function will be called whenever a
4889 SSL/TLS protocol specifications, the session_id sent by the server will be
4895 by the SSL/TLS server library, indicating whether it can provide forward
4900 * New -verify_name option in command line utilities to set verification
4910 * Experimental renegotiation in s_server -www mode. If the client
4918 multi-process servers.
4932 is enabled if DEBUG_UNUSED is set. Add to several functions in evp.h
4937 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
4944 -------------
4948 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4964 ([CVE-2019-1547])
4978 The old behaviour can be re-enabled in the CMS code by setting the
4980 ([CVE-2019-1563])
4986 '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
4987 binaries and run-time config file.
4988 ([CVE-2019-1552])
5001 * Add FIPS support for Android Arm 64-bit
5003 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5005 'android64-aarch64' was missing from OpenSSL 1.0.2, whence it could not be
5006 built with FIPS support on Android Arm 64-bit. This omission has been
5013 * 0-byte record padding oracle
5023 In order for this to be exploitable "non-stitched" ciphersuites must be in
5032 ([CVE-2019-1559])
5052 ([CVE-2018-5407])
5063 ([CVE-2018-0734])
5084 ([CVE-2018-0732])
5097 ([CVE-2018-0737])
5108 length-invariant. Switch even to fixed-length Montgomery multiplication.
5114 For larger primes this will result in more rounds of Miller-Rabin.
5116 to 2^-128.
5120 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5147 are no such structures used within SSL/TLS that come from untrusted sources
5150 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5152 ([CVE-2018-0739])
5158 * Read/write after SSL object in error state
5169 for the same SSL object then it will succeed and the data is passed without
5170 being decrypted/encrypted directly from the SSL/TLS record layer.
5177 ([CVE-2017-3737])
5184 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5192 no longer an option since CVE-2016-0701.
5198 was originally found via the OSS-Fuzz project.
5199 ([CVE-2017-3738])
5222 This issue was reported to OpenSSL by the OSS-Fuzz project.
5223 ([CVE-2017-3736])
5230 OpenSSL could do a one-byte buffer overread. The most likely result
5233 This issue was reported to OpenSSL by the OSS-Fuzz project.
5239 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5248 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5250 perform an out-of-bounds read, usually resulting in a crash.
5253 ([CVE-2017-3731])
5270 default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
5271 similar to CVE-2015-3193 but must be treated as a separate problem.
5273 This issue was reported to OpenSSL by the OSS-Fuzz project.
5274 ([CVE-2017-3732])
5280 There is a carry propagating bug in the Broadwell-specific Montgomery
5287 erroneous outcome of public-key operations with specially crafted input.
5288 Among EC algorithms only Brainpool P-512 curves are affected and one
5290 detail, because pre-requisites for attack are considered unlikely. Namely
5298 ([CVE-2016-7055])
5318 ([CVE-2016-7052])
5332 the "no-ocsp" build time option are not affected.
5335 ([CVE-2016-6304])
5339 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
5344 ([CVE-2016-2183])
5360 ([CVE-2016-6303])
5374 ([CVE-2016-6302])
5387 ([CVE-2016-2182])
5399 ([CVE-2016-2180])
5425 ([CVE-2016-2177])
5433 implementation means that a non-constant time codepath is followed for
5434 certain operations. This has been demonstrated through a cache-timing
5440 ([CVE-2016-2178])
5446 In a DTLS connection where handshake messages are delivered out-of-order
5458 ([CVE-2016-2179])
5473 ([CVE-2016-2181])
5489 ([CVE-2016-6306])
5495 * Prevent padding oracle in AES-NI CBC MAC check
5499 AES-NI.
5502 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5508 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5527 ([CVE-2016-2105])
5551 ([CVE-2016-2106])
5567 ([CVE-2016-2109])
5578 ([CVE-2016-2176])
5592 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
5599 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
5600 Builds that are not configured with "enable-weak-ssl-ciphers" will not
5601 provide any "EXPORT" or "LOW" strength ciphers.
5605 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
5606 is by default disabled at build-time. Builds that are not configured with
5607 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
5608 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
5613 SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
5616 explicitly uses the version-specific SSLv2_method() or its client and
5617 server variants, SSLv2 ciphers vulnerable to exhaustive search key
5618 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
5619 ciphers, and SSLv2 56-bit DES are no longer available.
5620 ([CVE-2016-0800])
5624 * Fix a double-free in DSA code
5633 ([CVE-2016-0705])
5653 ([CVE-2016-0798])
5678 ([CVE-2016-0797])
5696 These problems could enable attacks where large amounts of untrusted data
5699 functions when printing out human-readable dumps of ASN.1 data. Therefore
5710 ([CVE-2016-0799])
5716 A side-channel attack was found which makes use of cache-bank conflicts on
5717 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
5720 hyper-threaded core as the victim thread which is performing decryptions.
5726 ([CVE-2016-0702])
5730 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
5767 ([CVE-2016-0701])
5771 * SSLv2 doesn't block disabled ciphers
5773 A malicious client can negotiate SSLv2 ciphers that have been disabled on
5774 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
5780 ([CVE-2015-3197])
5799 default in OpenSSL DHE based SSL/TLS ciphersuites.
5802 ([CVE-2015-3193])
5814 vulnerable including OpenSSL clients and servers which enable client
5818 ([CVE-2015-3194])
5827 affected. SSL/TLS is not affected.
5831 ([CVE-2015-3195])
5884 This issue was reported to OpenSSL by Joseph Barr-Pixton.
5885 ([CVE-2015-1788])
5889 * Exploitable out-of-bounds read in X509_cmp_time
5905 ([CVE-2015-1789])
5912 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
5920 ([CVE-2015-1790])
5931 ([CVE-2015-1792])
5937 If a NewSessionTicket is received by a multi-threaded client when attempting to
5940 ([CVE-2015-1791])
5944 * Only support 256-bit or stronger elliptic curves with the
5946 curves, prefer P-256 (both).
5960 ([CVE-2015-0291])
5970 using non-blocking IO. Typically, when the user application is using a
5976 ([CVE-2015-0290])
5986 that state is preserved in the SSL object from one invocation to the next
5993 ([CVE-2015-0207])
6004 OpenSSL clients and servers which enable client authentication.
6005 ([CVE-2015-0286])
6017 OpenSSL clients and servers which enable client authentication.
6020 ([CVE-2015-0208])
6034 ([CVE-2015-0287])
6041 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6049 ([CVE-2015-0289])
6056 servers that both support SSLv2 and enable export cipher suites by sending
6057 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6061 ([CVE-2015-0293])
6070 ([CVE-2015-1787])
6078 - The client is on a platform where the PRNG has not been seeded
6080 - A protocol specific client method version has been used (i.e. not
6082 - A ciphersuite is used that does not require additional random data from
6083 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6092 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6093 ([CVE-2015-0285])
6108 ([CVE-2015-0209])
6118 ([CVE-2015-0288])
6122 * Removed the export ciphers from the DEFAULT ciphers
6133 near-optimal performance even on newer platforms.
6137 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6149 bogus results, with non-infinity inputs mapped to infinity too.)
6160 * Add support for little-endian ppc64 Linux target.
6167 Both 32- and 64-bit modes are supported.
6188 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6228 * Add -rev test option to s_server to just reverse order of characters
6234 * New option -brief for s_client and s_server to print out a brief summary
6243 * New option -crl_download in several openssl utilities to download CRLs
6248 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6282 * SSL/TLS tracing code. This parses out SSL/TLS records using the
6284 "enable-ssl-trace". New options to s_client and s_server to enable
6335 possible to have different stores per SSL structure or one store in
6395 for SSL and SSL_CTX structures. Add options to s_client and s_server
6401 from an SSL structure. Before this once a certificate had been added
6426 * Initial experimental support for explicitly trusted non-root CAs.
6429 setting is used: whether to trust (e.g., -addtrust option to the x509
6434 * Add -trusted_first option which attempts to find certificates in the
6444 * Support for linux-x32, ILP32 environment in x86_64 framework.
6448 * Experimental multi-implementation support for FIPS capable OpenSSL.
6494 between NIDs and the more common NIST names such as "P-256". Enhance
6499 * Enhance SSL/TLS certificate chain handling to support different
6514 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6516 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6521 -------------
6533 the "no-ocsp" build time option are not affected.
6536 ([CVE-2016-6304])
6540 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
6545 ([CVE-2016-2183])
6561 ([CVE-2016-6303])
6575 ([CVE-2016-6302])
6588 ([CVE-2016-2182])
6600 ([CVE-2016-2180])
6626 ([CVE-2016-2177])
6634 implementation means that a non-constant time codepath is followed for
6635 certain operations. This has been demonstrated through a cache-timing
6641 ([CVE-2016-2178])
6647 In a DTLS connection where handshake messages are delivered out-of-order
6659 ([CVE-2016-2179])
6674 ([CVE-2016-2181])
6690 ([CVE-2016-6306])
6696 * Prevent padding oracle in AES-NI CBC MAC check
6700 AES-NI.
6703 attack ([CVE-2013-0169]). The padding check was rewritten to be in
6709 This issue was reported by Juraj Somorovsky using TLS-Attacker.
6710 ([CVE-2016-2107])
6729 ([CVE-2016-2105])
6753 ([CVE-2016-2106])
6769 ([CVE-2016-2109])
6780 ([CVE-2016-2176])
6794 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
6801 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
6802 Builds that are not configured with "enable-weak-ssl-ciphers" will not
6803 provide any "EXPORT" or "LOW" strength ciphers.
6807 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
6808 is by default disabled at build-time. Builds that are not configured with
6809 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
6810 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
6815 SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
6818 explicitly uses the version-specific SSLv2_method() or its client and
6819 server variants, SSLv2 ciphers vulnerable to exhaustive search key
6820 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
6821 ciphers, and SSLv2 56-bit DES are no longer available.
6822 ([CVE-2016-0800])
6826 * Fix a double-free in DSA code
6835 ([CVE-2016-0705])
6855 ([CVE-2016-0798])
6880 ([CVE-2016-0797])
6898 These problems could enable attacks where large amounts of untrusted data
6901 functions when printing out human-readable dumps of ASN.1 data. Therefore
6912 ([CVE-2016-0799])
6918 A side-channel attack was found which makes use of cache-bank conflicts on
6919 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6922 hyper-threaded core as the victim thread which is performing decryptions.
6928 ([CVE-2016-0702])
6932 * Change the req command to generate a 2048-bit RSA/DSA key by default,
6949 * SSLv2 doesn't block disabled ciphers
6951 A malicious client can negotiate SSLv2 ciphers that have been disabled on
6952 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
6958 ([CVE-2015-3197])
6976 vulnerable including OpenSSL clients and servers which enable client
6980 ([CVE-2015-3194])
6989 affected. SSL/TLS is not affected.
6993 ([CVE-2015-3195])
7022 ([CVE-2015-1793])
7028 If PSK identity hints are received by a multi-threaded client then
7032 ([CVE-2015-3196])
7055 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7056 ([CVE-2015-1788])
7060 * Exploitable out-of-bounds read in X509_cmp_time
7076 ([CVE-2015-1789])
7083 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7091 ([CVE-2015-1790])
7102 ([CVE-2015-1792])
7108 If a NewSessionTicket is received by a multi-threaded client when attempting to
7111 ([CVE-2015-1791])
7119 * dhparam: generate 2048-bit parameters by default.
7132 OpenSSL clients and servers which enable client authentication.
7133 ([CVE-2015-0286])
7147 ([CVE-2015-0287])
7154 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7162 ([CVE-2015-0289])
7169 servers that both support SSLv2 and enable export cipher suites by sending
7170 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7174 ([CVE-2015-0293])
7189 ([CVE-2015-0209])
7199 ([CVE-2015-0288])
7203 * Removed the export ciphers from the DEFAULT ciphers
7219 ([CVE-2014-3571])
7229 ([CVE-2015-0206])
7233 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7234 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7237 ([CVE-2014-3569])
7246 ([CVE-2014-3572])
7250 * Remove non-export ephemeral RSA code on client and server. This code
7252 non-export ciphersuites and could be used by a server to effectively
7256 ([CVE-2015-0204])
7268 ([CVE-2015-0205])
7272 * Ensure that the session ID context of an SSL is updated when its
7282 By using non-DER or invalid encodings outside the signed portion of a
7303 Re-encode DSA/ECDSA signatures and compare with the original received
7314 ([CVE-2014-8275])
7326 ([CVE-2014-3570])
7343 * Tighten client-side session ticket handling during renegotiation:
7363 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
7368 ([CVE-2014-3513])
7374 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
7380 ([CVE-2014-3567])
7384 * Build option no-ssl3 is incomplete.
7386 When OpenSSL is configured with "no-ssl3" as a build option, servers
7387 could accept and complete a SSL 3.0 handshake, and clients could be
7389 ([CVE-2014-3568])
7396 ([CVE-2014-3566])
7402 Re-encode DigestInfo in DER and check against the original when
7418 ([CVE-2014-3512])
7422 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
7424 is badly fragmented. This allows a man-in-the-middle attacker to force a
7430 ([CVE-2014-3511])
7441 ([CVE-2014-3510])
7448 ([CVE-2014-3507])
7456 ([CVE-2014-3506])
7463 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7465 ([CVE-2014-3505])
7475 ([CVE-2014-3509])
7486 ([CVE-2014-5139])
7496 ([CVE-2014-3508])
7502 bogus results, with non-infinity inputs mapped to infinity too.)
7508 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
7509 handshake can force the use of weak keying material in OpenSSL
7510 SSL/TLS clients and servers.
7513 researching this issue. ([CVE-2014-0224])
7521 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7522 ([CVE-2014-0221])
7531 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7535 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
7539 this issue. ([CVE-2014-3470])
7543 * Harmonize version and its documentation. -f flag is used to display
7565 preparing the fix ([CVE-2014-0160])
7570 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7575 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7579 * TLS pad extension: draft-agl-tls-padding-03
7593 ([CVE-2013-4353])
7597 to be resent. ([CVE-2013-6450])
7602 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
7604 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
7612 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7629 ([CVE-2013-0169])
7638 ([CVE-2012-2686])
7643 This fixes a DoS attack. ([CVE-2013-0166])
7672 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
7674 ([CVE-2012-2333])
7683 * In FIPS mode don't try to use composite ciphers as they are not
7721 ([CVE-2012-2110])
7725 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
7735 the number of ciphers sent in the client hello. This should be
7737 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
7773 *Robin Seggelmann <seggelmann@fh-muenster.de>*
7777 *Robin Seggelmann <seggelmann@fh-muenster.de>*
7785 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
7786 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
7787 - x86_64: bit-sliced AES implementation;
7788 - ARM: NEON support, contemporary platforms optimizations;
7789 - s390x: z196 support;
7790 - `*`: GHASH and GF(2^m) multiplication implementations;
7794 * Make TLS-SRP code conformant with RFC 5054 API cleanup
7803 * Add DTLS-SRTP negotiation from RFC 5764.
7808 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
7809 disabled with a no-npn flag to config or Configure. Code donated
7814 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
7815 NIST-P256, NIST-P521, with constant-time single point multiplication on
7817 required to use this (present in gcc 4.4 and later, for 64-bit builds).
7820 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
7840 * New -sigopt option to the ca, req and x509 utilities. Additional
7853 New function ASN1_item_sign_ctx() signs a pre-initialised
7892 * Session-handling fixes:
7893 - Fix handling of connections that are resuming with a session ID,
7895 - Fix a bug that suppressed issuing of a new ticket if the client
7897 - Try to set the ticket lifetime hint to something reasonable.
7898 - Make tickets shorter by excluding irrelevant information.
7899 - On the client side, don't ignore renewed tickets.
7907 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
7935 switch between FIPS and non-FIPS modes.
7941 keep original code iff non-FIPS operations are allowed.
7945 * Add -attime option to openssl utilities.
7958 * New build option no-ec2m to disable characteristic 2 code.
7962 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
7972 * Add similar low-level API blocking to ciphers.
7976 * low-level digest APIs are not approved in FIPS mode: any attempt
8005 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8006 and enable MD5.
8035 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
8045 with this defined it will not be affected by any changes to ssl internal
8064 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8074 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8088 -------------
8097 affected. SSL/TLS is not affected.
8101 ([CVE-2015-3195])
8107 If PSK identity hints are received by a multi-threaded client then
8111 ([CVE-2015-3196])
8128 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8129 ([CVE-2015-1788])
8133 * Exploitable out-of-bounds read in X509_cmp_time
8149 ([CVE-2015-1789])
8156 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8164 ([CVE-2015-1790])
8175 ([CVE-2015-1792])
8181 If a NewSessionTicket is received by a multi-threaded client when attempting to
8184 ([CVE-2015-1791])
8197 OpenSSL clients and servers which enable client authentication.
8198 ([CVE-2015-0286])
8212 ([CVE-2015-0287])
8219 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8227 ([CVE-2015-0289])
8234 servers that both support SSLv2 and enable export cipher suites by sending
8235 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8239 ([CVE-2015-0293])
8254 ([CVE-2015-0209])
8264 ([CVE-2015-0288])
8268 * Removed the export ciphers from the DEFAULT ciphers
8284 ([CVE-2014-3571])
8294 ([CVE-2015-0206])
8298 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8299 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8302 ([CVE-2014-3569])
8311 ([CVE-2014-3572])
8315 * Remove non-export ephemeral RSA code on client and server. This code
8317 non-export ciphersuites and could be used by a server to effectively
8321 ([CVE-2015-0204])
8333 ([CVE-2015-0205])
8345 ([CVE-2014-3570])
8351 By using non-DER or invalid encodings outside the signed portion of a
8383 ([CVE-2014-8275])
8391 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
8397 ([CVE-2014-3567])
8401 * Build option no-ssl3 is incomplete.
8403 When OpenSSL is configured with "no-ssl3" as a build option, servers
8404 could accept and complete a SSL 3.0 handshake, and clients could be
8406 ([CVE-2014-3568])
8413 ([CVE-2014-3566])
8436 ([CVE-2014-3510])
8443 ([CVE-2014-3507])
8451 ([CVE-2014-3506])
8458 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8460 ([CVE-2014-3505])
8470 ([CVE-2014-3509])
8480 ([CVE-2014-3508])
8486 bogus results, with non-infinity inputs mapped to infinity too.)
8492 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
8493 handshake can force the use of weak keying material in OpenSSL
8494 SSL/TLS clients and servers.
8497 researching this issue. ([CVE-2014-0224])
8505 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8506 ([CVE-2014-0221])
8515 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8519 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
8523 this issue. ([CVE-2014-3470])
8527 * Harmonize version and its documentation. -f flag is used to display
8542 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8547 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8555 to be resent. ([CVE-2013-6450])
8560 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8562 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8580 ([CVE-2013-0169])
8585 This fixes a DoS attack. ([CVE-2013-0166])
8609 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8611 ([CVE-2012-2333])
8628 ([CVE-2012-2110])
8638 old behaviour can be re-enabled in the CMS code by setting the
8642 this issue. ([CVE-2012-0884])
8646 * Fix CVE-2011-4619: make sure we really are receiving a
8654 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
8657 preparing a fix. ([CVE-2012-0050])
8673 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
8674 for preparing the fix. ([CVE-2011-4108])
8678 * Clear bytes used for block padding of SSL 3.0 records.
8679 ([CVE-2011-4576])
8683 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
8685 Adam Langley for preparing the fix. ([CVE-2011-4619])
8689 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
8695 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
8703 * Fix ssl_ciph.c set-up race.
8727 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
8734 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
8738 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
8739 for multi-threaded use of ECDH. ([CVE-2011-3210])
8747 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
8761 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
8775 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
8779 * Fixed J-PAKE implementation error, originally discovered by
8781 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
8789 be shared by multiple threads. CVE-2010-3864
8801 ([CVE-2010-1633])
8803 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
8817 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
8856 of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
8872 *Michael Tuexen <tuexen@fh-muenster.de>*
8888 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
8911 openssl dgst -sha256 foo
8944 * Add session ticket override functionality for use by EAP-FAST.
8953 * Type-checked OBJ_bsearch_ex.
8957 * Type-checked OBJ_bsearch. Also some constification necessitated
8958 by type-checking. Still to come: TXT_DB, bsearch(?),
9010 an extended CRL support flag is set: this flag will enable additional
9037 * To cater for systems that provide a pointer-based thread ID rather
9044 as a pointer-based thread ID to distinguish between threads.
9057 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9079 * Revamp of STACK to provide stronger type-checking. Still to come:
9086 RAM on SSL connections. This option can save about 34k per idle SSL.
9090 * Revamp of LHASH to provide stronger type-checking. Still to come:
9109 files from Configure script, currently only included in VC-WIN32.
9130 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9136 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9138 to the "config" or "Configure" script to enable the extension,
9145 SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
9147 an internal copy of the length-'len' string at 'src', and will
9148 return non-zero for success.
9158 int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
9166 has to return non-zero to report success: usually 1 to use opaque
9180 previously negotiated), and will not be called in SSL 2.0
9182 SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
9187 * Update ssl code to support digests other than SHA1+MD5 for handshake
9220 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
9226 * Add option -stream to use PKCS#7 streaming in smime utility. New
9235 ENGINE support for HMAC keys which are unextractable. New -mac and
9236 -macopt options to dgst utility.
9240 * New option -sigopt to dgst utility. Update dgst to use
9249 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9257 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9275 in applications for which anonymous ciphers are OK (meaning
9280 * Split the SSL/TLS algorithm mask (as used for ciphersuite string
9285 away into the non-exported interface ssl/ssl_locl.h, so this
9303 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9314 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9337 -verify_return_error to s_client and s_server. This causes real errors
9380 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9406 list-message-digest-algorithms and list-cipher-algorithms.
9411 of degrees of non-zero coefficients is now terminated with -1.
9419 * Various modifications and fixes to SSL/TLS cipher string
9437 kECDHr - ECDH cert, signed with RSA
9438 kECDHe - ECDH cert, signed with ECDSA
9439 kECDH - ECDH cert (signed with either RSA or ECDSA)
9440 kEECDH - ephemeral ECDH
9441 ECDH - ECDH cert or ephemeral ECDH
9443 aECDH - ECDH cert
9444 aECDSA - ECDSA cert
9445 ECDSA - ECDSA cert
9447 AECDH - anonymous ECDH
9448 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
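The cipher-string rules described in the entries above (the "+" conjunction, the "-" and "!" disable/kill prefixes, "+" as move-to-end, and the ECDH/ECDSA aliases just listed, with EECDH equivalent to "kEECDH:-AECDH") and the weak-cipher entries earlier on the page (EXPORT and LOW suites dropped from default builds, DES moved out of HIGH after SWEET32) are easier to reason about with an evaluator in hand. The following is an added example, not OpenSSL code: it runs the rules over a small constructed suite table whose order stands in for OpenSSL's default preference order, and the alias predicates and the suite attributes (kx, auth, strength) are the writer's assumptions. One detail beyond the page's wording is the ordering of disabled suites: this evaluator queues a "-"-disabled suite at the head of the list so that a later add re-lists it first, which is the writer's reading of ssl_cipher_apply_rule() in ssl_ciph.c and explains why "PSK:-PSK:HIGH" ends up preferring PSK suites.

```python
"""Evaluate OpenSSL-style cipher strings over a constructed suite table.

Added example (not OpenSSL code). Semantics modelled: "a+b" = both must
match, "-x" = disable (can be re-added), "!x" = kill for good, "+x" = move
already-selected suites to the end, "@STRENGTH" = sort by key bits.
Assumption: a disabled suite is queued at the head so a later add re-lists
it first (the writer's reading of ssl_ciph.c, not stated on the page).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # "RSA", "EECDH" (ephemeral ECDH), "ECDHr"/"ECDHe" (fixed ECDH cert), "PSK"
    auth: str      # "RSA", "ECDSA", "ECDH", "PSK", "aNULL" (anonymous)
    enc: str
    bits: int
    strength: str  # "HIGH", "MEDIUM", "LOW", "EXPORT"


# Constructed table; list order stands in for OpenSSL's default preference order.
SUITES = [
    Suite("ECDHE-ECDSA-AES256-GCM-SHA384", "EECDH", "ECDSA", "AESGCM", 256, "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "EECDH", "RSA", "AESGCM", 128, "HIGH"),
    Suite("ECDH-RSA-AES128-SHA", "ECDHr", "ECDH", "AES", 128, "HIGH"),
    Suite("ECDH-ECDSA-AES128-SHA", "ECDHe", "ECDH", "AES", 128, "HIGH"),
    Suite("AECDH-AES128-SHA", "EECDH", "aNULL", "AES", 128, "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", 128, "HIGH"),
    Suite("PSK-AES128-CBC-SHA", "PSK", "PSK", "AES", 128, "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", 112, "MEDIUM"),   # MEDIUM after the SWEET32 change
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", 56, "LOW"),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", 40, "EXPORT"),
]


def _aliases():
    a = {
        "kECDHr": lambda s: s.kx == "ECDHr",                     # ECDH cert, signed with RSA
        "kECDHe": lambda s: s.kx == "ECDHe",                     # ECDH cert, signed with ECDSA
        "kECDH":  lambda s: s.kx in ("ECDHr", "ECDHe"),          # ECDH cert, either signer
        "kEECDH": lambda s: s.kx == "EECDH",                     # ephemeral ECDH
        "ECDH":   lambda s: s.kx in ("ECDHr", "ECDHe", "EECDH"), # ECDH cert or ephemeral ECDH
        "aECDH":  lambda s: s.auth == "ECDH",
        "aECDSA": lambda s: s.auth == "ECDSA",
        "aNULL":  lambda s: s.auth == "aNULL",
        "PSK":    lambda s: s.kx == "PSK",
        "ALL":    lambda s: True,
    }
    a["ECDSA"] = a["aECDSA"]
    a["AECDH"] = lambda s: a["kEECDH"](s) and a["aNULL"](s)      # anonymous ECDH
    a["EECDH"] = lambda s: a["kEECDH"](s) and not a["AECDH"](s)  # "kEECDH:-AECDH"
    for level in ("HIGH", "MEDIUM", "LOW", "EXPORT"):
        a[level] = (lambda lv: lambda s: s.strength == lv)(level)
    return a


ALIASES = _aliases()


def _match(suite, word):
    pred = ALIASES.get(word)
    return pred(suite) if pred else suite.name == word


def evaluate(cipher_string, table=SUITES):
    """Return the selected suite names in order, applying the rules left to right."""
    entries = [[s, False] for s in table]          # [suite, active]; all start inactive
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token == "@STRENGTH":
            entries.sort(key=lambda e: e[0].bits, reverse=True)   # stable sort
            continue
        op, body = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        words = body.split("+")
        hits = [e for e in entries if all(_match(e[0], w) for w in words)]
        if op == "":                               # add: inactive matches go to the tail
            for e in hits:
                if not e[1]:
                    entries.remove(e)
                    entries.append(e)
                    e[1] = True
        elif op == "+":                            # move: active matches go to the tail
            for e in hits:
                if e[1]:
                    entries.remove(e)
                    entries.append(e)
        elif op == "-":                            # disable: queue at the head, keep order
            for e in reversed(hits):
                if e[1]:
                    entries.remove(e)
                    entries.insert(0, e)
                    e[1] = False
        else:                                      # kill: gone for the rest of the string
            for e in hits:
                entries.remove(e)
    return [e[0].name for e in entries if e[1]]


def audit(names, table=SUITES):
    """Map each selected suite a deployment should not offer to the reasons why."""
    by_name = {s.name: s for s in table}
    findings = {}
    for n in names:
        s, reasons = by_name[n], []
        if s.strength in ("EXPORT", "LOW"):
            reasons.append(s.strength + " strength")
        if s.auth == "aNULL":
            reasons.append("anonymous: no server authentication")
        if s.enc in ("DES", "3DES"):
            reasons.append("64-bit block cipher (SWEET32)")
        if s.enc == "RC4":
            reasons.append("RC4")
        if reasons:
            findings[n] = reasons
    return findings
```

Running `audit(evaluate("ALL"))` flags the export, LOW, anonymous and DES-based entries of the table, while `audit(evaluate("HIGH:!aNULL"))` is empty; `evaluate("PSK:-PSK:HIGH")` lists the same suites as `evaluate("HIGH")` but with the PSK suite first, which is the head-queue ordering noted above.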
9452 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
9474 * New -resign option to smime utility. This adds one or more signers
9475 to an existing PKCS#7 signedData structure. Also -md option to use an
9486 * New -macalg option to pkcs12 utility to allow setting of an alternative
9589 "list-public-key-algorithms" to print out info.
9594 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9617 De-spaghettify the public key ASN1 handling. Move public and private
9626 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9632 SSL_SESSION, SSL and SSL_CTX structure.
9635 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
9636 PSK-AES256-CBC-SHA
9652 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
9653 have new members for a host name. The SSL data structure has an
9656 SSL has been switched to a new SSL_CTX in reaction to a client's
9668 - SSL_CTX_set_tlsext_servername_callback()
9670 - SSL_CTX_set_tlsext_servername_arg()
9671 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
9673 openssl s_client has a new '-servername ...' option.
9675 openssl s_server has new options '-servername_host ...', '-cert2 ...',
9676 '-key2 ...', '-servername_fatal' (subject to change). This allows
9677 testing the HostName extension for a specific single host name ('-cert'
9678 and '-key' remain fallbacks for handshakes without HostName
9680 default is a warning; it becomes fatal with the '-servername_fatal'
9689 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
9693 implementations, between 32- and 64-bit builds without hassle.
9706 "64-bit" performance on certain 32-bit targets.
9711 in SSL structures. New SSL ctrl to set maximum send fragment size.
9717 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
9760 * Change 'Configure' script to enable Camellia by default.
9765 -------------
9769 * When rejecting SSL/TLS records due to an incorrect version number, never
9770 update s->server with a new major version number. As of
9771 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
9772 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
9774 receiving specific incorrect SSL/TLS records once record payload
9775 protection is active. ([CVE-2010-0740])
9779 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
9786 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
9801 * The code that handled flushing of data in SSL/TLS originally used the
9811 highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
9819 restarting) then use compression (e.g. SSL with compression) later.
9820 This results in significant per-connection memory leaks and
9821 has caused some security issues including CVE-2008-1678 and
9822 CVE-2009-4355.
9837 * Add "missing" ssl ctrls to clear options and mode.
9864 * Implement RFC5746. Re-enable renegotiation but require the extension
9875 servername handling. Use a non-zero length session ID when attempting
9890 * Add --strict-warnings option to Configure script to include devteam
9895 * Add support for --libdir option and LIBDIR variable in makefiles. This
9926 it used to have an ad-hoc builder which was unable to cope with anything
9934 with non-FIPS digests are now usable in FIPS mode.
9945 buffered. ([CVE-2009-1378])
9955 ([CVE-2009-1377])
9959 * Keep a copy of frag->msg_header.frag_len so it can be used after the
9960 parent structure is freed. ([CVE-2009-1379])
9964 * Handle non-blocking I/O properly in SSL_shutdown() call.
9966 *Darryl Miles <darryl-mailinglists@netbauds.net>*
9974 * Disable renegotiation completely - this fixes a severe security
9975 problem ([CVE-2009-3555]) at the cost of breaking all
9976 renegotiation. Renegotiation can be re-enabled by setting
9977 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
9978 run-time. This is really not recommended unless you know what
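The renegotiation entries above (renegotiation disabled outright in 0.9.8l, then re-enabled in 0.9.8m only for peers that use the RFC 5746 extension) hinge on how a server tells a fixed client from a legacy one. RFC 5746 lets a client signal support in an initial ClientHello in two ways: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00ff) or an empty renegotiation_info extension (0xff01). The following is an added example, not OpenSSL code: it builds a minimal ClientHello from constructed values (the client random is a fixed byte pattern, and the suite code points other than the SCSV are arbitrary), parses it with length checks, and reports whether the client signalled secure renegotiation. A server seeing neither signal is talking to a legacy peer and is the case the flag above exists for.

```python
"""Check whether a TLS ClientHello signals RFC 5746 secure renegotiation.

Added example with constructed messages; not OpenSSL code.
"""
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 section 3.3
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 section 3.2


def build_client_hello(cipher_suites, extensions=(), version=(3, 3)):
    """Build a minimal ClientHello record (constructed input: fixed, non-random random)."""
    body = bytes(version) + bytes(range(32)) + b"\x00"        # version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one handshake record; raise ValueError on any length inconsistency."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01 or len(hs) != 4 + int.from_bytes(hs[1:4], "big"):
        raise ValueError("not a complete ClientHello")
    body, pos = hs[4:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated field")
        pos += n
        return body[pos - n:pos]

    version = tuple(take(2))
    take(32)                                    # client random
    take(take(1)[0])                            # session_id
    n = struct.unpack("!H", take(2))[0]
    if n % 2:
        raise ValueError("odd cipher_suites length")
    raw = take(n)
    cipher_suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]
    take(take(1)[0])                            # compression methods
    extensions = {}
    if pos < len(body):                         # the extensions block is optional
        ext_len = struct.unpack("!H", take(2))[0]
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos < end:
            etype, elen = struct.unpack("!HH", take(4))
            if etype in extensions:
                raise ValueError("duplicate extension 0x%04x" % etype)
            extensions[etype] = take(elen)
    return {"version": version, "cipher_suites": cipher_suites, "extensions": extensions}


def secure_renegotiation_signalled(hello):
    """True if the client supports RFC 5746. On an initial handshake the
    renegotiation_info value must be empty (a single zero length byte)."""
    ext = hello["extensions"].get(EXT_RENEGOTIATION_INFO)
    if ext is not None and ext != b"\x00":
        raise ValueError("renegotiation_info must be empty on an initial handshake")
    return ext is not None or TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
```

The SCSV path exists because some deployed servers rejected unknown extensions but tolerated unknown cipher suites, so a client can carry the signal in whichever form the peer is more likely to survive; a server should accept either and, for a peer that sends neither, complete the initial handshake but refuse later renegotiation unless legacy renegotiation has been deliberately allowed.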
9987 zeroing past the valid field. ([CVE-2009-0789])
9993 appear to verify correctly. ([CVE-2009-0591])
9999 a legal length. ([CVE-2009-0590])
10019 * New -hex option for openssl rand.
10040 ([CVE-2008-5077]).
10044 * Enable TLS extensions by default.
10058 * Tweak Configure so that you need to say "experimental-jpake" to enable
10059 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10076 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10087 ChangeCipherSpec as first record ([CVE-2009-1386]).
10097 double-checked locking was incomplete for RSA blinding,
10099 doubly unsafe triple-checked locking.
10108 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10110 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10114 - Change bn_nist.c so that it will properly handle input BIGNUMs
10117 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10122 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10131 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10135 * Expand ENGINE to support engine supplied SSL client certificate functions.
10142 keystores. Support for SSL/TLS client authentication too.
10143 Not compiled unless enable-capieng specified to Configure.
10160 Codenomicon TLS test suite ([CVE-2008-1672])
10165 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10189 the 'db' section contains nothing but zeroes (there is a one-byte
10194 * Partial backport from 0.9.9-dev:
10198 While 0.9.9-dev uses assembler for various architectures, only
10200 32-bit x86 is available through a compile-time setting.
10202 To try the 32-bit x86 assembler implementation, use Configure
10203 option "enable-montasm" (which exists only for this backport).
10205 As "enable-montasm" for 32-bit x86 disclaims code stability
10207 backported from 0.9.9-dev for further performance improvements,
10208 namely BN_from_montgomery_word. (To enable this otherwise,
10209 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10220 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10227 'uptodate' flag is reset so that auto-discovery will be used next
10244 with the enable-cms configuration option.
10281 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10282 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10283 - added some more tests to do_tests.pl
10284 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10285 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10286 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10287 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10288 - various changes to netware.pl to enable gcc-cross builds on Win32
10290 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10291 - various changes to fix missing prototype warnings
10292 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10293 - added AES, WHIRLPOOL and CPUID assembler code to build files
10294 - added missing AES assembler make rules to mk1mf.pl
10295 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10311 + DTLS interoperation with non-compliant servers
10323 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10326 This update even addresses CVE-2007-4995.
10359 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
10360 have new members for a host name. The SSL data structure has an
10363 SSL has been switched to a new SSL_CTX in reaction to a client's
10375 - SSL_CTX_set_tlsext_servername_callback()
10377 - SSL_CTX_set_tlsext_servername_arg()
10378 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10380 openssl s_client has a new '-servername ...' option.
10382 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10383 '-key2 ...', '-servername_fatal' (subject to change). This allows
10384 testing the HostName extension for a specific single host name ('-cert'
10385 and '-key' remain fallbacks for handshakes without HostName
10387 default is a warning; it becomes fatal with the '-servername_fatal'
10413 * Add the Korean symmetric 128-bit cipher SEED (see
10417 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10418 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10419 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10420 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10424 is configured with 'enable-seed'.
10432 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10436 respectively, which are slower, but avoid the security-relevant
10451 constant-time implementations for more than just exponentiation.
10461 enable BN_FLG_CONSTTIME.
10465 * In the SSL/TLS server implementation, be strict about session ID
10468 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10478 a ciphersuite string such as "DEFAULT:RSA" cannot enable
10479 authentication-only ciphersuites.
10483 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10485 ([CVE-2007-5135]) [Ben Laurie]
10491 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
10506 * Have SSL/TLS server implementation tolerate "mismatched" record
10527 *Goetz Babin-Ebell*
10532 cause a denial of service. ([CVE-2006-2940])
10537 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10540 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10542 * Fix SSL client code which could crash if connecting to a
10543 malicious SSLv2 server. ([CVE-2006-4343])
10548 match only those. Before that, "AES256-SHA" would be interpreted
10549 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10553 "RC4-MD5" that intentionally matched multiple ciphersuites --
10554 namely, SSL 2.0 ciphersuites in addition to the more common ones
10555 from SSL 3.0/TLS 1.0.
10560 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10561 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
10563 Since SSL 2.0 does not have any ciphersuites for which the
10577 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10590 treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
10592 However, please upgrade to OpenSSL 0.9.9[-dev] for
10593 non-experimental use of the ECC ciphersuites to get TLS extension
10601 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
10602 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
10603 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
10606 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
10610 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
10616 dual-core machines) and other potential thread-safety issues.
10620 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
10621 versions), which is now available for royalty-free use
10627 is configured with 'enable-camellia'.
10651 * Update support for ECC-based TLS ciphersuites according to
10652 draft-ietf-tls-ecc-12.txt with proposed changes (but without
10667 Static zlib linking now works on Windows and the new --with-zlib-include
10668 --with-zlib-lib options to Configure can be used to supply the location
10695 countermeasure against man-in-the-middle protocol-version
10696 rollback in the SSL 2.0 server implementation, which is a bad
10697 idea. ([CVE-2005-2969])
10712 * Avoid some small subgroup attacks in Diffie-Hellman.
10716 * Add functions for well-known primes.
10753 * Add -utf8 command line and config file option to 'ca'.
10763 involves renaming the source and generated shared-libs for
10772 use it. Make -CSP option work again in pkcs12 utility.
10777 - automatic re-creation of the BN_BLINDING parameters after
10779 - add new function for parameter creation
10780 - introduce flags to control the update behaviour of the
10782 - hide BN_BLINDING structure
10799 ssl/ssl_rsa.c and ssl/s3_both.c
10803 * Use SHA-1 instead of MD5 as the default digest algorithm for
10808 * Compile clean with "-Wall -Wmissing-prototypes
10809 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
10815 The new counterpiece to "no-xxx" is "enable-xxx".
10818 "enable-rc5" and "enable-mdc2", respectively, are specified.
10822 fee for non-commercial use. As before, "no-idea" can be used to
10829 EGEE (Enabling Grids for E-science in Europe).
10834 as Intel P4, IA-64 and AMD64.
10838 * New utility extract-section.pl. This can be used to specify an alternative
10849 * New arguments -certform, -keyform and -pass for s_client and s_server
10874 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
10890 moved from CA.pl to the 'ca' utility with a new option -create_serial.
10895 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
10903 give fewer recursive includes, which could break lazy source code - so
10907 backwards-compatible behaviour prevails when this isn't defined.
10922 valid (weak or incorrect parity).
10944 static array of bignums, BN_CTX now uses a linked-list of such arrays
10969 associated ASN1, EVP and SSL functions and old ASN1 macros.
10980 * BN_CTX_get() should return zero-valued bignums, providing the same
11013 * Because of the callback-based approach for implementing LHASH as a
11014 template type, lh_insert() adds opaque objects to hash-tables and
11017 (and losing the object pointers). So some over-zealous constifications in
11031 aren't necessarily the greatest nomenclatures - but this is what was used
11038 the self-tests were still using deprecated key-generation functions so
11059 modulus operations are not performed. The (pre-generated) prime
11061 re-generated on some platforms because of the "division by zero"
11066 * Update support for ECC-based TLS ciphersuites according to
11067 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11068 SHA-1 now is only used for "small" curves (where the
11082 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11094 to certificate and key stores, be they simple file-based stores, or
11095 HSM-type store, or LDAP stores, or...
11108 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11116 searched-for key would be inserted to preserve sorting order.
11137 * Make it possible to create self-signed certificates with 'openssl ca'
11138 in such a way that the self-signed certificate becomes part of the
11140 as all other certificate signing. The new flag '-selfsign' enables
11147 request can be signed by that key (self-signing).
11160 * Generate multi-valued AVAs using '+' notation in config files for
11178 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11207 * Add full support for -rpath/-R, both in shared libraries and
11237 ./config -DOPENSSL_USE_GMP -lgmp
11242 testing availability of engines with "-t" - the old behaviour is
11243 produced by increasing the feature's verbosity with "-tt".
11254 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11261 * Change the "progress" mechanism used in key-generation and
11267 migrate to the new functions. Also, the new key-generation API
11268 functions operate on a caller-supplied key-structure and return
11269 success/failure rather than returning a key or NULL - this is to
11283 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11292 draft-ietf-tls-compression-04.txt.
11302 -- at least one of the pair shall be present -- }
11323 to avoid the need to access 'a->neg' directly in applications.
11327 * Implement fast modular reduction for pseudo-Mersenne primes
11346 /usr/local/ssl/engines is the default directory for dynamic
11348 the usual use of --prefix and/or --openssldir, and at run
11364 files while avoiding the low-level API.
11368 algorithm NIDs can be set to -1 for no encryption, the mac
11371 Enhance pkcs12 utility by making the -nokeys and -nocerts
11372 options work when creating a PKCS#12 file. New option -nomac
11375 instead of the low-level API.
11391 * Let 'openssl req' fail if an argument to '-newkey' is not
11396 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11443 enable it).
11532 functionality is disabled at compile-time.
11539 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11540 mode the content of non-printable OCTET STRINGs is output in a
11553 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11555 - Points are encoded in uncompressed form by default; options for
11604 EC_METHOD) that verifies that the curve discriminant is non-zero.
11619 - 'openssl req' now has a '-newkey ecdsa:file' option;
11620 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
11621 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
11625 - ECDSA engine support has been added.
11660 a ciphersuite string such as "DEFAULT:RSA" cannot enable
11661 authentication-only ciphersuites.
11666 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
11689 * Have SSL/TLS server implementation tolerate "mismatched" record
11705 cause a denial of service. ([CVE-2006-2940])
11710 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
11713 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
11715 * Fix SSL client code which could crash if connecting to a
11716 malicious SSLv2 server. ([CVE-2006-4343])
11721 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
11722 will no longer include "AES128-SHA"), and any other similar
11724 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
11725 SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining
11733 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
11743 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
11744 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
11745 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
11748 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
11752 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
11758 dual-core machines) and other potential thread-safety issues.
11773 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
11785 safely run with a non-FIPSed libcrypto, as it may crash because of
11794 countermeasure against man-in-the-middle protocol-version
11795 rollback in the SSL 2.0 server implementation, which is a bad
11796 idea. ([CVE-2005-2969])
11808 the exponentiation using a fixed-length exponent. (Otherwise,
11815 * Make a new fixed-window mod_exp implementation the default for
11816 RSA, DSA, and DH private-key operations so that the sequence of
11819 cache-timing and potential related attacks.
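The fixed-window change above is easier to see than to describe. The following Python is an added illustration, not OpenSSL code: it runs plain square-and-multiply and a fixed-window exponentiation over a constructed toy modulus and records the sequence of squarings (S) and multiplications (M) each one performs, which is exactly what a cache-timing or branch-prediction observer sees. The committed exponent length (`exp_bits`) and the window size are assumptions chosen for the example; the constant-time table lookup that real code also needs is pointed out but not implemented.

```python
"""Added illustration (not OpenSSL code): why a fixed-window modular
exponentiation over a fixed-length exponent leaks less than plain
square-and-multiply.

Both functions record the sequence of squarings (S) and multiplications (M)
they perform, which is what a cache-timing or branch-prediction attacker
observes. The modulus 3233 and the exponents are constructed toy values."""


def square_and_multiply(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right binary exponentiation: a multiply happens only for 1 bits,
    so the S/M pattern is the exponent written out in binary."""
    result = 1
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":
            result = result * base % mod
            trace.append("M")
    return result


def fixed_window_exp(base: int, exp: int, mod: int, exp_bits: int,
                     window: int, trace: list) -> int:
    """Fixed-window exponentiation over a fixed-length exponent.

    exp_bits is the committed exponent length (for RSA, the modulus size), so
    the number of windows, and hence the S/M pattern, depends only on exp_bits
    and window, never on the exponent's value or Hamming weight.
    The lookup table[digit] still has to be made constant-time in real code
    (OpenSSL scatters the table across cache lines); that is not shown here."""
    assert exp.bit_length() <= exp_bits, "exponent longer than committed length"
    table = [1]
    for _ in range(1, 1 << window):          # base^0 .. base^(2^window - 1)
        table.append(table[-1] * base % mod)
    mask = (1 << window) - 1
    n_windows = -(-exp_bits // window)       # ceil(exp_bits / window)
    result = 1
    for i in range(n_windows - 1, -1, -1):
        for _ in range(window):
            result = result * result % mod
            trace.append("S")
        digit = (exp >> (i * window)) & mask
        result = result * table[digit] % mod  # always multiplies, even by table[0] == 1
        trace.append("M")
    return result


def trace_of(fn, exp: int, **kw) -> str:
    """Run fn on the toy modulus and return its S/M trace as a string."""
    trace = []
    fn(5, exp, 3233, trace=trace, **kw)
    return "".join(trace)


if __name__ == "__main__":
    # Two 4-bit exponents with very different Hamming weight.
    for e in (0b1111, 0b1000):
        print(f"{e:04b} square-and-multiply: {trace_of(square_and_multiply, e)}")
        print(f"{e:04b} fixed-window (w=4):  "
              f"{trace_of(fixed_window_exp, e, exp_bits=12, window=4)}")
```

Running it shows `SMSMSMSM` versus `SMSSS` for the binary method and the identical `SSSSMSSSSMSSSSM` for both exponents with the fixed-window method; the exponent's bits only change which table entry is multiplied in, which is why that lookup is the remaining thing to protect.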
11831 SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0
11833 (Previously, the SSL 2.0 backwards compatible Client Hello
11838 * Add support for smime-type MIME parameter in S/MIME messages which some
11875 they must be explicitly allowed in run-time. See
11882 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
11884 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
11917 * Back-port of selected performance improvements from development
11925 *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson*
11927 * Add new -passin argument to dgst.
11932 this is needed for some certificates that re-encode DNs into UTF8Strings
11943 - if there is an unhandled critical extension (unless the user
11945 - if the path length has been exceeded (if one is set at all)
11946 - that certain extensions fit the associated purpose (if one has
11973 certificate is created using 'openssl req -x509'. The initial serial
11974 number file is created using 'openssl x509 -next_serial' in CA.pl
11981 * Fix null-pointer assignment in do_change_cipher_spec() revealed
11982 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
11986 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
11987 ([CVE-2004-0112])
12037 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12039 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12046 * New -ignore_err option in ocsp application to stop the server
12051 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
12052 if the server requested one: as stated in TLS 1.0 and SSL 3.0
12057 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
12059 but also for SSL 3.0 (as required by the specification).
12092 * Countermeasure against the Klima-Pokorny-Rosa extension of
12095 in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
12102 They would be ill-advised to do so in most cases.
12108 an unpredictable seed -- if it is not unpredictable, there
12109 is no point in blinding anyway). Make RSA blinding thread-safe
12110 by remembering the creator's thread ID in rsa->blinding and
12111 having all other threads use local one-time blinding factors
12112 (this requires more computation than sharing rsa->blinding, but
12132 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
12136 between bad padding and a MAC verification error. ([CVE-2003-0078])
12142 * Make the no-err option work as intended. The intention with no-err
12150 used by default when no-err is given.
12165 * Allow an application to disable the automatic SSL chain building.
12202 could still fail with a "ssl session id is different" error. This
12210 * IA-32 assembler support enhancements: unified ELF targets, support
12216 FreeBSD on non-x86 processors is separate from x86 processors on
12265 warnings and a request that patches get sent to openssl-dev.
12269 * Add the VC-CE target, introduce the WINCE sysname, and add
12274 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12275 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12285 * Avoid using fixed-size buffers for one-line DNs.
12344 * Add assertions to prevent user-supplied crypto functions from
12362 * Fix off-by-one error in EGD path.
12392 Remote buffer overflow in SSL3 protocol - an attacker could
12393 supply an oversized master key in Kerberos-enabled versions.
12394 ([CVE-2002-0657])
12398 * Change the SSL kerb5 codes to match RFC 2712.
12402 * Make -nameopt work fully for req and add -reqopt switch.
12404 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12406 * The "block size" for block ciphers in CFB and OFB mode should be 1.
12417 to allow version independent disabling of normally unselected ciphers,
12418 which may be activated as a side-effect of selecting a single cipher.
12426 * Add appropriate support for separate platform-dependent build
12427 directories. The recommended way to make a platform-dependent
12434 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12435 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12436 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12437 mkdir -p `dirname $F`
12438 ln -s $OPENSSL_SOURCE/$F $F
12452 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12454 * Improve diagnostics in file reading and command-line digests.
12459 error in AES-CFB decryption.
12478 * Fix escaping of non-ASCII characters when using the -subj option
12489 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12502 * Fix the 'app_verify_callback' interface so that the user-defined
12509 in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
12510 i=s->ctx->app_verify_callback(&ctx)
12512 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12545 the same as the utility itself: that is the -config
12576 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12585 * Add the configuration target debug-linux-ppro.
12597 * Add -keyform to rsautl, and document -engine.
12623 default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
12636 symmetric ciphers, and behave the same way. Move everything to
12650 (up to about 10% better than before for P-192 and P-224).
12658 SSL_set_msg_callback(ssl, cb)
12659 SSL_set_msg_callback_arg(ssl, arg)
12664 const void *buf, size_t len, SSL *ssl, void *arg)
12668 protocol version according to which the SSL library interprets
12670 TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
12671 the content type as defined in the SSL 3.0/TLS 1.0 protocol
12673 'buf' and 'len' point to the actual message, 'ssl' to the
12674 SSL object, and 'arg' is the application-defined value set by
12675 SSL[_CTX]_set_msg_callback_arg().
12677 'openssl s_client' and 'openssl s_server' have new '-msg' options
12678 to enable a callback that displays all protocol messages.
12708 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
12709 runs for the former and machine-readable output for the latter.
12713 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
12714 of the e-mail address in the DN (i.e., it will go into a certificate
12733 There are also macros that enable and disable the support of old
12779 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
12793 support for symmetric ciphers and digest implementations - so ENGINEs
12798 API changes worth noting - some RSA, DSA, DH, and RAND functions that
12800 reverted back - the hooking from this code to ENGINE is now a good
12801 deal more passive and at run-time, operations deal directly with
12804 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
12834 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
12850 settable (`SSL*_get/set_max_cert_list()`), as proposed by
12855 * Add support for shared libraries for Unixware-7
12869 makes them more flexible to be built both as statically-linked ENGINEs
12870 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
12871 Also, add stub code to each that makes building them as self-contained
12872 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
12878 self-contained shared-libraries. The "dynamic" ENGINE exposes control
12879 commands that can be used to configure what shared-library to load and
12881 the [README-Engine.md](README-Engine.md) file
12882 that brings its information up-to-date and
12884 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
12913 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
12914 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
12919 thread-safety problems that existed, and (b) makes it possible to clean
12948 (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
12976 for their choice and can explicitly enable this option.
13040 * Changes to Kerberos SSL for RFC 2712 compliance:
13045 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13052 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13063 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13064 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13065 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13067 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13068 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13069 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13072 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13074 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13078 * Added the OS2-EMX target.
13097 * Change all calls to low-level digest routines in the library and
13114 dialog box interfaces, application-defined prompts, the possibility
13121 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13161 purpose functions and tidy up setting in other SSL functions.
13207 per-structure level rather than having to store it globally.
13219 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13231 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13233 - executing control commands from command line arguments using the
13234 '-pre' and '-post' switches. '-post' is only used if '-t' is
13236 the individual commands are colon-separated, for example;
13237 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13243 and input types for run-time discovery by calling applications. A
13246 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13255 OpenSSL-based application. Commands have been added to all the
13256 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13257 control over shared-library paths without source code alterations.
13271 should already have non-const pointers to it (ie. they should only
13277 - "atalla" and "ubsec" string definitions were moved from header files
13279 rather than hard-coded - allowing parameterisation of these values
13281 - Removed unused "#if 0"'d code.
13282 - Fixed engine list iteration code so it uses ENGINE_free() to release
13284 - Constified the RAND_METHOD element of ENGINE structures.
13285 - Constified various get/set functions as appropriate and added
13286 missing functions (including a catch-all ENGINE_cpy that duplicates
13288 - Removed NULL parameter checks in get/set functions. Setting a method
13292 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13294 - Changed prototypes for ENGINE handler functions (init(), finish(),
13295 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13301 used only if the modulus is odd. On 32-bit systems, it is faster
13302 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13303 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13304 up to 450 bits. In 64-bit environments, the binary algorithm
13353 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13369 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13375 change the def and num file printf format specifier from "%-40sXXX"
13376 to "%-39s XXX". The latter will always guarantee a space after the
13423 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13430 Add options '-batch' and '-verbose' to 'openssl req'.
13436 global variables in shared libraries. To enable this functionality,
13490 checked. Two new options -validity_period and -status_age added to
13520 * Add support for overriding the generation of SSL/TLS session IDs.
13521 These callbacks can be registered either in an SSL_CTX or per SSL.
13524 can be useful for session caching in multiple-server environments. A
13525 command-line switch for testing this (and any client code that wishes
13540 sure e_os2.h will cover all platform-specific cases together with
13542 Additionally, it is now possible to define configuration/platform-
13546 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13551 * New option -set_serial to 'req' and 'x509' this allows the serial
13573 * Initial (incomplete) OCSP SSL support.
13578 port and path components: primarily to parse OCSP URLs. New -url
13589 the request is nonce-less.
13595 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
13624 * Add the option -VAfile to 'openssl ocsp', so the user can give the
13630 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
13696 is initialised to -1 but X509_time_adj() now has to check the value
13742 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
13745 the '-extensions ...' option may be used for specifying the
13758 `openssl ca -status <serial>` prints the status of the cert with
13760 `openssl ca -updatedb` updates the expiry status of certificates
13765 * New '-newreq-nodes' command option to CA.pl. This is like
13766 '-newreq', but calls 'openssl req' with the '-nodes' option
13781 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
13782 value of OPENSSLDIR. This is available via the new '-d' option
13783 to 'openssl version', and is also included in 'openssl version -a'.
13810 There should no longer be any prototype-casting required when using
13821 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
13830 (select timeout) and read in non-blocking mode. DEVRANDOM now
13835 For VMS, there's a currently-empty rand_vms.c.
13954 problems: As the program is single-threaded, all we have
13963 during TLS/SSL handshakes so that thread-safety is essential.
13965 for multi-threaded use, so it probably should be abolished.
14019 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14024 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14031 that provide type-safety and avoid function pointer casting for the
14032 type-specific callbacks.
14052 (using the probabilistic Tonelli-Shanks algorithm unless
14056 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14099 * Change BN_mod_mul so that the result is always non-negative.
14121 These functions always generate non-negative results.
14130 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14132 <!--
14146 -->
14149 unless the '-salt' option is used (which usually means that
14152 or the new '-noverify' option is used.
14155 non-interactive use of 'openssl passwd' (passwords on the command
14156 line, '-stdin' option, '-in ...' option) and thus should not
14173 casts back to non-const were required (to be solved at a later
14195 are built-in in OpenSSL shall ever be used or not. The benefit is
14249 * Rework the filename-translation in the DSO code. It is now possible to
14256 * Support threads on FreeBSD-elf in Configure.
14282 implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
14305 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14306 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14315 certain ASN.1 tags ([CVE-2003-0851])
14324 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14331 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
14332 if the server requested one: as stated in TLS 1.0 and SSL 3.0
14337 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
14339 but also for SSL 3.0 (as required by the specification).
14350 * Countermeasure against the Klima-Pokorny-Rosa extension of
14353 in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
14360 They would be ill-advised to do so in most cases.
14366 an unpredictable seed -- if it is not unpredictable, there
14367 is no point in blinding anyway). Make RSA blinding thread-safe
14368 by remembering the creator's thread ID in rsa->blinding and
14369 having all other threads use local one-time blinding factors
14370 (this requires more computation than sharing rsa->blinding, but
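RSA blinding comes up twice in this listing (the 0.9.7b and 0.9.6j entries above, where rsa->blinding is shared by its creator thread and other threads use local one-time factors). The following Python is an added worked example of the blinding algebra itself, not OpenSSL's BN_BLINDING code: it uses a constructed toy key (hypothetical primes 61 and 53, far too small for real use) and makes a fresh blinding pair per operation, which is the "local one-time blinding factors" variant.

```python
"""Added illustration (not OpenSSL code) of RSA blinding.

The key below is a constructed toy key (hypothetical primes 61 and 53); real
keys are thousands of bits. The point is the algebra, not the key size."""
import secrets

P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753, private exponent


def new_blinding_pair(e: int = E, n: int = N) -> tuple:
    """Return (A, Ai) = (r^e mod n, r^-1 mod n) for a fresh random r coprime
    to n. OpenSSL keeps such a pair in rsa->blinding (BN_BLINDING) and reuses
    it; the per-thread "local one-time" variant described above makes a fresh
    pair per operation, which is what this function does."""
    while True:
        r = secrets.randbelow(n - 2) + 2        # 2 .. n-1
        try:
            r_inv = pow(r, -1, n)               # ValueError if gcd(r, n) != 1
        except ValueError:
            continue
        return pow(r, e, n), r_inv


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Plain c^d mod n: the exponentiation runs directly on attacker-chosen c,
    so any timing or cache leakage from it is correlated with c."""
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """Blinded private operation:
         c' = c * r^e          (mod n)
         m' = c'^d = m * r     (mod n)   because (r^e)^d = r^(ed) = r
         m  = m' * r^-1        (mod n)
    The exponentiation only ever sees c', which is uniformly random and
    independent of c, so leakage from it cannot be related to the ciphertext
    the attacker supplied. The blinding factor must come from an
    unpredictable source, as the entry above notes."""
    a, a_inv = new_blinding_pair(e, n)
    c_blind = (c * a) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * a_inv) % n


def check_pair(a: int, a_inv: int, d: int = D, n: int = N) -> bool:
    """A^d * Ai == 1 (mod n) iff the pair really is (r^e, r^-1) for one r."""
    return pow(a, d, n) * a_inv % n == 1


if __name__ == "__main__":
    m = 65
    c = pow(m, E, N)
    print("unblinded:", rsa_private_unblinded(c), "blinded:", rsa_private_blinded(c))
```

Because the pair is regenerated for every call, two calls with the same ciphertext exponentiate two different values; the shared-pair design OpenSSL uses for the creating thread trades that freshness for speed and must be re-randomised periodically, which is why its handling across threads needed the fix recorded above.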
14378 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
14382 between bad padding and a MAC verification error. ([CVE-2003-0078])
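The ssl3_get_record change (listed above for both 0.9.7a and 0.9.6i, CVE-2003-0078) is the defence against Vaudenay's CBC padding oracle: the receiver must not tell bad padding apart from a bad MAC, neither by the alert it sends nor by skipping the MAC computation. The Python below is an added illustration of that behaviour, not OpenSSL's code. It works on constructed sample records in their already-decrypted form (payload || MAC || padding, HMAC-SHA1 as in the SSL 3.0/TLS 1.0 ciphersuites, TLS 1.0 padding) and counts MAC computations so the difference is visible; the cipher itself is omitted. One caveat a practitioner should know: the remaining length-dependent timing of the MAC computation was later exploited (Lucky Thirteen, 2013) and needs its own constant-time treatment that this example does not attempt.

```python
"""Added illustration (not OpenSSL code) of the ssl3_get_record change:
report one error for both bad padding and a bad MAC, and compute the MAC in
both cases.

Sample records are constructed in already-decrypted form
    payload || MAC || padding
with HMAC-SHA1 and TLS 1.0 padding (padlen+1 bytes, each equal to padlen)."""
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size   # 20
BLOCK = 8                              # e.g. DES-CBC / 3DES-CBC block size


def tls_pad(data: bytes, block: int = BLOCK) -> bytes:
    padlen = (block - (len(data) + 1) % block) % block
    return data + bytes([padlen]) * (padlen + 1)


def make_record(key: bytes, payload: bytes) -> bytes:
    """Constructed sample record: what the receiver holds after decryption."""
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return tls_pad(payload + mac)


def _padding_ok(plain: bytes) -> bool:
    if not plain:
        return False
    padlen = plain[-1]
    return (padlen + 1 <= len(plain)
            and plain[-(padlen + 1):] == bytes([padlen]) * (padlen + 1))


def _mac_ok(key: bytes, body: bytes, stats: dict) -> bool:
    """Verify body == payload || MAC. Always runs the HMAC (counted in stats)."""
    stats["mac_ops"] += 1
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return len(body) >= MAC_LEN and hmac.compare_digest(expected, mac)


def check_record_vulnerable(key: bytes, plain: bytes, stats: dict) -> str:
    """Pre-fix behaviour: a padding failure gets its own alert and skips the
    MAC, so the two cases differ both in the alert and in the time taken,
    turning the receiver into a padding oracle."""
    if not _padding_ok(plain):
        return "decryption_failed"
    if not _mac_ok(key, plain[:-(plain[-1] + 1)], stats):
        return "bad_record_mac"
    return "ok"


def check_record_hardened(key: bytes, plain: bytes, stats: dict) -> str:
    """Fixed behaviour: on bad padding leave the record unstripped, still run
    the MAC over it, and emit bad_record_mac whichever check failed."""
    if _padding_ok(plain):
        body = plain[:-(plain[-1] + 1)]
    else:
        body = plain                     # padding not removed, MAC still computed
    if not _mac_ok(key, body, stats):
        return "bad_record_mac"
    return "ok"


if __name__ == "__main__":
    key = b"constructed-test-key"
    good = make_record(key, b"hello")
    for name, rec in (("intact", good),
                      ("bad padding", good[:-1] + b"\xff"),
                      ("bad mac", b"jello" + good[5:])):
        for fn in (check_record_vulnerable, check_record_hardened):
            stats = {"mac_ops": 0}
            print(f"{name:12s} {fn.__name__:24s} {fn(key, rec, stats):18s} "
                  f"mac_ops={stats['mac_ops']}")
```

With the vulnerable check the "bad padding" record yields `decryption_failed` and zero MAC operations while "bad mac" yields `bad_record_mac` after one; with the hardened check both yield `bad_record_mac` after exactly one MAC operation, which is the property the changelog entry describes.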
14400 because the session->cipher setting was not restored when reloading
14407 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
14408 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14410 *Zeev Lieber <zeev-l@yahoo.com>*
14433 the bitwise-OR of the two for use by the majority of applications
14436 changing anyway, so this is more a bug-fix than a behavioural
14441 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14442 (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
14458 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14470 * [In 0.9.6g-engine release:]
14479 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14497 * Fix cipher selection routines: ciphers without encryption had no flags
14509 for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
14513 broken SSL implementations, the new option is part of SSL_OP_ALL.
14514 SSL_OP_ALL is usually employed when compatibility with weird SSL
14515 implementations is desired (e.g. '-bugs' option to 's_client' and
14526 F30602-01-2-0537.
14531 supplied buffer. ([CVE-2002-0659])
14541 too small for 64 bit platforms. ([CVE-2002-0655])
14542 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
14544 * Remote buffer overflow in SSL3 protocol - an attacker could
14545 supply an oversized session ID to a client. ([CVE-2002-0656])
14549 * Remote buffer overflow in SSL2 protocol - an attacker could
14550 supply an oversized client master key. ([CVE-2002-0656])
14557 encoded as NULL) with id-dsa-with-sha1.
14566 an end-of-file condition would erroneously be flagged, when the CRLF
14569 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14575 in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
14585 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14588 processing was enabled when in fact s->s3->in_read_app_data was
14601 * Fix DH_generate_parameters() so that it works for 'non-standard'
14608 a generator of the order-q subgroup is just as good, if not
14618 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
14619 returning non-zero before the data has been completely received
14620 when using non-blocking I/O.
14624 * Some of the ciphers missed the strength entry (SSL_LOW etc).
14656 * [In 0.9.6d-engine release:]
14661 * Add the configuration target linux-s390x.
14663 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
14666 ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
14669 invocations of ssl3_accept when using non-blocking I/O, the
14674 To avoid this problem, we now set s->new_session to 2 instead of
14679 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
14692 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
14693 type, we must throw them away by setting rr->length to 0.
14711 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
14713 Also some ip-pda OIDs in crypto/objects/objects.txt were
14723 * [In 0.9.6c-engine release:]
14728 * [In 0.9.6c-engine release:]
14736 rearranged (all '-L' options must appear before the first object
14741 * [In 0.9.6c-engine release:]
14747 * [In 0.9.6c-engine release:]
14753 * [In 0.9.6c-engine release:]
14763 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
14764 messages are stored in a single piece (fixed-length part and
14765 variable-length part combined) and fix various bugs found on the way.
14775 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
14785 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
14786 never resets s->method to s->ctx->method when called from within
14787 one of the SSL handshake functions.
14791 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
14794 ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
14795 the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
14800 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
14805 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
14810 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
14821 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
14827 Similar changes are not required for the SSL 2.0 implementation
14828 because the number of padding bytes is sent in clear for SSL 2.0,
14829 and the extra bytes are just ignored. However ssl/s2_pkt.c
14835 * Add OpenUNIX-8 support including shared libraries
14852 * Rabin-Miller test analyses assume uniformly distributed witnesses,
14884 configuration target "alpha-cc-rpath", which will never be selected
14889 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
14896 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
14900 * Modified SSL library such that the verify_callback that has been set
14901 specifically for an SSL object with SSL_set_verify() is actually being
14917 dh->length and always used
14919 BN_rand_range(priv_key, dh->p).
14921 BN_rand_range() is not necessary for Diffie-Hellman, and this
14922 specific range makes Diffie-Hellman unnecessarily inefficient if
14923 dh->length (recommended exponent length) is much smaller than the
14924 length of dh->p. We could use BN_rand_range() if the order of
14926 dh->length.
14932 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
14950 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
14965 *Albert Chin-A-Young <china@thewrittenword.com>*
14967 * Add configuration option to build on Linux on both big-endian and
14968 little-endian MIPS.
14970 *Ralf Baechle <ralf@uni-koblenz.de>*
14972 * Add the possibility to create shared libraries on HP-UX.
14980 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
14983 'md' followed by enough consecutive 1-byte PRNG requests
14994 Markku-Juhani's attack. (Actually it had never occurred
14996 half from which PRNG output bytes were taken -- I had always
15029 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
15039 when fixing the server behaviour for backwards-compatible 'client
15041 SSL 3.0 and TLS 1.0 anyway because length and version checking
15043 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15099 * Change bctest again: '-x' expressions are not available in all
15119 If the SEQUENCE length is indefinite, just set c->slen to the total
15126 * Change bctest to avoid here-documents inside command substitution
15139 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15141 Computations, J. Cryptology 14 (2001) 2, 101-119,
15208 due to incorrect handling of multi-threading:
15216 inband-signalling in the previous code (which relied on the
15221 * Add "-rand" option also to s_client and s_server.
15226 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15245 to be set and top=0 forces the highest bit to be set; top=-1 is new
15250 * In the `NCONF_...`-based implementations for `CONF_...` queries
15306 * Fix 'openssl passwd -1'.
15317 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15327 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15328 Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
15334 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15364 avoid potential security hole. (Re-used sessions on the client side
15370 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15378 releases, have been re-implemented by renaming the previous
15381 to them. The new ssl[23]_{read,peek} functions are calls to
15382 ssl[23]_read_internal with the 'peek' flag set appropriately.
15389 the method-specific "init()" handler. Also clean up ex_data after
15390 calling the method-specific "finish()" handler. Previously, this was
15409 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15413 - Make note of the expected extension for the shared libraries and
15418 - Make as few rebuilds of the shared libraries as possible.
15420 - Still avoid linking the OpenSSL programs with the shared libraries.
15422 - When installing, install the shared libraries separately from the
15429 Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
15449 with an initial SSL 3.0/TLS record that is too small to contain the
15486 in a record-oriented fashion. That means that every write() will
15497 Currently, it's a VMS-only method, because that's where it has
15505 but it was in 0.9.6-beta[12].)
15531 documentation and run-time libraries. The devel package contains
15538 * Add a large number of documentation files for many SSL routines.
15540 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
15551 * New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
15663 In BIO_puts, increment b->num_write as in BIO_write.
15680 used for low-level RSA operations. DER public key
15687 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
15689 * A demo state-machine implementation was sponsored by
15756 are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
15765 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
15787 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
15789 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
15792 In s23_clnt.c, don't use special rollback-attack detection padding
15793 (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
15795 SSL 2.0 is the only protocol enabled in the server.
15816 this will enable certificates using GeneralizedTime in validity
15858 * New options to smime application. -inform and -outform
15860 PEM and DER. The -content option allows the content to be
15885 - New object identifiers are inserted in objects.txt, following
15887 - objects.pl is used to process obj_mac.num and create a new
15889 - obj_dat.pl is used to create a new obj_dat.h, using the data in
15901 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
15905 * Addition of the command line parameter '-rand file' to 'openssl req'.
15947 an -sgckey command line option to the rsa utility. Thanks to
15949 algorithm to openssl-dev.
15966 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
15997 * The type-safe stack code has been rejigged. It is now only compiled
15999 by default all type-specific stack functions are "#define"d back to
16001 but retains the type-safety checking possibilities of the original
16009 map type-safe stack functions onto their plain stack counterparts.
16030 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
16040 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
16044 ciphers.
16049 for CFB and OFB modes they zero ctx->num.
16057 all individual ciphers. If the cipher wants to handle IVs or keys
16075 i.e. non-zero for export ciphersuites, zero otherwise.
16093 Added -fingerprint option to crl utility, to support new c_rehash
16098 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16102 * Fix for SSL server purpose checking. Server checking was
16104 but no ssl client purpose.
16135 * Bugfix for linux-elf makefile.one.
16195 * Add '-tls1' option to 'openssl ciphers', which was already
16198 experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
16203 OpenSSL-based applications) load shared libraries and bind to
16215 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16216 to '-clrext' (= clear extensions), as intended and documented.
16234 *Ulf Möller, using the problem description in krb4-0.9.7, where
16243 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16245 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16250 the 'no-cipher' compilation switches can be tested this way.
16252 ('openssl no-XXX' is not able to detect pseudo-commands such
16253 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16257 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16265 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16271 * New s_client option -ign_eof: EOF at stdin is ignored, and
16273 This is part of what -quiet does; unlike -quiet, -ign_eof
16310 * Add '-dsaparam' option to 'openssl dhparam' application. This
16317 by 'openssl dhparam -C'.
16343 * New 'rand' application for creating pseudo-random output.
16357 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16417 or -rand.
16449 sections with information on -D... compiler switches used for
16450 compiling the library so that applications can see them. To enable
16451 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16459 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
16494 SSL/TLS protocol it isn't a "bug" option and is on by default. See
16499 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16503 * Add -rand argument to smime and pkcs12 applications and read/write
16530 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16552 SSLeay_add_all_ciphers() to just add ciphers to the table and not
16559 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16563 * Use a less unusual form of the Miller-Rabin primality test (it used
16564 a binary algorithm for exponentiation integrated into the Miller-Rabin
16586 using 50 iterations of the Rabin-Miller test.
16589 iterations of the Rabin-Miller test as required by the appendix
16590 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16596 for each positive witness in the Rabin-Miller test, not just
16601 function with an 'iteration count' of -1, meaning that a
16603 from an application-provided seed, trial division is skipped).
16608 division before starting the Rabin-Miller test and has
16611 'callback(1, -1, cb_arg)' is called when a number has passed the
16621 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
16643 by stat(). RAND_load_file(..., -1) is new and uses the complete file
16660 Rabin-Miller iterations.
16664 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
16676 * Make the ciphers, s_server and s_client programs check the return values
16681 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
16682 ciphers. Before when the 56bit ciphers were enabled the sorting was
16686 cipher-strength (using the strength_bits hard coded in the tables).
16687 The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).
16689 Fix a bug in the cipher-command parser: when supplying a cipher command
16691 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
16694 Due to the strength-sorting extension, the code of the
16696 the readability was also increased :-)
16698 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16700 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
16729 NO_RSA in `ssl/s2*.c`.
16743 * Do more iterations of Rabin-Miller probable prime test (specifically,
16744 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
16747 false-positive rate of at most 2^-80 for random input.
16751 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
16769 -nomaciter option is used. This improves file security and
16774 * Honor the no-xxx Configure options when creating .DEF files.
16823 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
16825 provided by SSL/TLS is not desired or is not enough.
16831 $PATH. Just exploiting the BWX extension results in 20-30%
16840 weak crypto and after checking the certificate is SGC a second one
16862 * SSL 3/TLS 1 servers now don't request certificates when an anonymous
16863 ciphersuite has been selected (as required by the SSL 3/TLS 1
16882 some routines that use cipher OIDs: some ciphers do not have OIDs
16896 for a given id. SSL client, server and email already have functions
17061 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17076 if the verify purpose is for SSL client use it expects the CA to be
17077 trusted for SSL client use. However the default value can be changed to
17085 SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
17086 to set them. If not set then assume SSL clients will verify SSL servers
17089 Two new options to the verify program: -untrusted allows a set of
17090 untrusted certificates to be passed in and -purpose which sets the
17122 Added a -pubkey option to the 'x509' utility to output the public key.
17161 openssl verify -CAfile ss.pem ss.pem
17169 but an application-provided verification callback (set by
17171 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17173 ssl->verify_result to the appropriate error code to avoid
17182 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17186 -S option to allow a salt to be input on the command line.
17216 the string plus current file name and line number to a per-thread
17219 Also updated memory leak detection code to be multi-thread-safe.
17223 * Add options -text and -noout to pkcs7 utility and delete the
17239 * Fix the -revoke option in ca. It was freeing up memory twice,
17264 with non-optimised assembler. Even so, this now gives around 95%
17284 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17287 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17303 - Assure unique random numbers after fork().
17304 - Make sure that concurrent threads access the global counter and
17318 dsaparam -genkey (which also ignored its '-rand' option),
17327 of each file listed in the '-rand' option. The function as previously
17329 that support '-rand'.
17359 to see if it is usable for various purposes such as SSL client,
17362 verification. Also added a -purpose flag to x509 utility to
17379 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17384 * New -noout option to asn1parse. This causes no output to be produced
17385 its main use is when combined with -strparse and -out to extract data
17395 * New option -dhparam in s_server. This allows a DH parameter file to be
17402 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17404 openssl rsa -in key.pem -pubout -out pubkey.pem
17445 working at all :-) A dedicated Windows application might handle this
17457 for SSL signatures and modifications to the SSL library to use it instead
17462 * Add new -verify -CAfile and -CApath options to the crl program, these
17471 * Initialize all non-automatic variables each time one of the openssl
17472 sub-programs is started (this is necessary as they may be started
17485 * Non-copying interface to BIO pairs.
17502 (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
17520 <madwolf@comune.modena.it>. The new option is called -extensions
17521 and can be applied to ca, req and x509. Also -reqexts to override
17522 the request extensions in req and -crlexts to override the crl extensions
17537 config file. They can be printed out with the -text option to req but
17560 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17580 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17606 * -crlf option to s_client and s_server for sending newlines as
17621 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
17630 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
17633 much more efficient (160-bit exponentiation instead of 1024-bit
17635 ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
17649 * Allow the -k option to be used more than once in the enc program:
17696 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
17697 (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
17700 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
17721 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
17728 * New function RSA_check_key and new openssl rsa option -check
17767 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
17776 to disable memory-checking temporarily.
17781 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
17785 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
17787 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
17792 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
17809 * Fix problems with no-hmac etc.
17820 Also really enable memory leak checks in openssl.c and in some
17830 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
17850 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
17861 Whoever hopes to achieve shared-library compatibility across versions
17862 must use this, not the compile-time macro.
17865 Note: All this applies only to multi-threaded programs, others don't
17870 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
17877 can use the SSL library even if none of the specific BIOs is
17923 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
17933 Changing the behaviour of the former might break existing programs --
17939 fails, it needs to cause bc to give a non-zero result or make test carries
17950 ciphers. NOTE: although the key derivation function has been verified
17952 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
17957 * Instead of "mkdir -p", which is not fully portable, use new
17958 Perl script "util/mkdir-p.pl".
17988 * "linux-sparc64" configuration (ultrapenguin).
17991 "linux-sparc" configuration.
17993 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
17995 * config now generates no-xxx options for missing ciphers.
18004 * Support BS2000/OSD-POSIX.
18020 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18026 * New configuration variant "sco5-gcc".
18049 * SHA library changes for irix64-mips4-cc.
18117 * New option -out to asn1parse to allow the parsed structure to be
18118 output to a file. This is most useful when combined with the -strparse
18123 * Make SSL library a little more fool-proof by not requiring any longer
18127 intended anyway -- now it really works as intended).
18135 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18136 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18137 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18148 various ways (and thus what used to be known as ctx->default_cert
18149 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18150 any longer when s->cert does not give us what we need).
18153 we have solved a couple of bugs of the earlier code where s->cert
18154 was used as if it could not have been shared with other SSL structures.
18156 Note that using the SSL API in certain dirty ways now will result
18163 that holds per-session data (if available); currently, this is
18191 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18192 without disallowing inline assembler and the like for non-pedantic builds.
18204 * SHA-1 cleanups and performance enhancements.
18212 * Accept any -xxx and +xxx compiler options in Configure.
18227 DER-encoded.)
18231 * Support verify_depth from the SSL API.
18232 x509_vfy.c had what can be considered an off-by-one-error:
18260 * New Configure options "threads" and "no-threads". For systems
18271 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18276 * "make linux-shared" to build shared libraries.
18280 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18298 * New Configure options --prefix=DIR and --openssldir=DIR.
18319 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18337 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18339 between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
18415 * Don't auto-generate pem.h.
18419 * Introduce type-safe ASN.1 SETs.
18423 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18427 * Introduce type-safe STACKs. This will almost certainly break lots of code
18435 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18438 revoking a certificate. The -revoke option does the gory details now.
18442 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18443 `-text` option at all and this way the `-noout -text` combination was
18455 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18456 all available ciphers including rc5, which was forgotten until now.
18459 `openssl list-cipher-commands` is used.
18497 * New "-showcerts" option for s_client.
18506 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
18538 * Make sure the RSA OAEP test is skipped under -DRSAref because
18544 so they no longer are missing under -DNOPROTO.
18574 * Make rsa_oaep_test return non-zero on error.
18579 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
18589 except NULL ciphers". This means the default cipher list will no longer
18590 enable NULL ciphers. They need to be specifically enabled e.g. with
18609 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
18621 * DES quad checksum was broken on big-endian architectures. Fixed.
18682 pre-configured entry in Configure's %table under key `<id>` with value
18684 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
18685 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
18686 now, which overrides the FreeBSD-elf entry on-the-fly.
18694 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
18701 * Remarkably, export ciphers were totally broken and no-one had noticed!
18707 questions now is the OpenSSL core team under openssl-core@openssl.org.
18708 And add a paragraph about the dual-license situation to make sure people
18754 ssl/ssl_lib.c and ssl/ssl.h.
18764 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
18775 This means that Apache-SSL and similar packages don't have to mess around
18781 ssl/ssl_lib.c.
18787 * Get rid of remaining C++-style comments which strict C compilers hate.
18798 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
18800 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
18810 non-public-API function ssl_cert_instantiate() is used as a helper
18815 * Move s_server -dcert and -dkey options out of the undocumented feature
18821 * Fix the cipher decision scheme for export ciphers: the export bits are
18838 * Don't hard-code path to Perl interpreter on shebang line of Configure
18839 script. Instead use the usual Shell->Perl transition trick.
18843 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
18845 -noout -modulus` as it's already the case for `openssl rsa -noout
18846 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
18848 `openssl dsa -modulus` in the past) which serves a similar purpose.
18849 Additionally the NO_RSA no longer completely removes the whole -modulus
18855 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
18872 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
18873 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
18903 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
18908 * Updates to the new SSL compression code
18919 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
18920 leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
18934 *Lars Weber <3weber@informatik.uni-hamburg.de>*
18971 * Correct calculation of key length for export ciphers (too much space was
18972 allocated for null ciphers). This has not been tested!
18977 message is now correct (it understands "crypto" and "ssl" on its
18981 perl util/mkdef.pl crypto ssl update
18987 - ported BN stuff to OpenSSL's different BN library
18988 - made the perl/ source tree CVS-aware
18989 - renamed the package from SSLeay to OpenSSL (the files still contain
18991 - removed obsolete files (the test scripts will be replaced
19003 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19011 what that's for :-) Fix to ASN1 macro which messed up
19038 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19040 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19046 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19075 and add a sample to openssl.cnf so req -x509 now adds appropriate
19100 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19105 * Spelling mistake in C version of CAST-128.
19109 * Changes to the error generation code. The perl script err-code.pl
19116 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19121 * CAST-128 was incorrectly implemented for short keys. The C version has
19123 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19125 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19154 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
19202 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19204 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19206 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19238 * Make sure the already existing X509_STORE->depth variable is initialized
19270 * Make the top-level INSTALL documentation easier to understand.
19274 * Makefiles updated to exit if an error occurs in a sub-directory
19289 * Enhanced the err-ins.pl script so it makes the error library number
19326 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19334 ncr-scde
19335 unixware-2.0
19336 unixware-2.0-pentium
19337 sco5-cc.
19346 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).
19350 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19357 * Some fixups to the top-level documents.
19361 * Fixed the nasty bug where rsaref.h was not found under compile-time
19366 * Incorporated the popular no-RSA/DSA-only patches
19367 which allow compiling an RSA-free SSLeay.
19371 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19389 * Recompiled the error-definition header files and added
19394 * Cleaned up the top-level documents;
19407 crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
19438 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
19444 * Add -strparse option to asn1pars program which parses nested
19457 * Added "-genkey" option to "dsaparam" program.
19465 * Added -a (all) option to "ssleay version" command.
19489 * Fixed the weak key values in DES library
19509 * Added more RSA padding checks for SSL/TLS.
19532 * Support the string "TLSv1" for all TLS v1 ciphers.
19537 ex_data index of the SSL context in the X509_STORE_CTX ex_data.
19549 * A minor bug in ssl/s3_clnt.c where there would always be 4 0
19554 <!-- Links -->
19556 [CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19557 [CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19558 [CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19559 [CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19560 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19561 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19562 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19563 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19564 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19565 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19566 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19567 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19568 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19569 [CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19570 [CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19571 [CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19572 [CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19573 [CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19574 [CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19575 [CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19576 [CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
19577 [CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
19578 [CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
19579 [CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655