1 | |
---|
2 | NEWS |
---|
3 | ==== |
---|
4 | |
---|
5 | This file gives a brief overview of the major changes between each OpenSSL |
---|
6 | release. For more details please read the CHANGES file. |
---|
7 | |
---|
8 | Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: |
---|
9 | |
---|
10 | o Security: fix various ASN1 parsing bugs. |
---|
11 | o New -ignore_err option to OCSP utility. |
---|
12 | o Various interop and bug fixes in S/MIME code. |
---|
13 | o SSL/TLS protocol fix for unrequested client certificates. |
---|
14 | |
---|
15 | Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: |
---|
16 | |
---|
17 | o Security: counter the Klima-Pokorny-Rosa extension of |
---|
18 | Bleichbacher's attack |
---|
19 | o Security: make RSA blinding default. |
---|
20 | o Configuration: Irix fixes, AIX fixes, better mingw support. |
---|
21 | o Support for new platforms: linux-ia64-ecc. |
---|
22 | o Build: shared library support fixes. |
---|
23 | o ASN.1: treat domainComponent correctly. |
---|
24 | o Documentation: fixes and additions. |
---|
25 | |
---|
26 | Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: |
---|
27 | |
---|
28 | o Security: Important security related bugfixes. |
---|
29 | o Enhanced compatibility with MIT Kerberos. |
---|
30 | o Can be built without the ENGINE framework. |
---|
31 | o IA32 assembler enhancements. |
---|
32 | o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. |
---|
33 | o Configuration: the no-err option now works properly. |
---|
34 | o SSL/TLS: now handles manual certificate chain building. |
---|
35 | o SSL/TLS: certain session ID malfunctions corrected. |
---|
36 | |
---|
37 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: |
---|
38 | |
---|
39 | o New library section OCSP. |
---|
40 | o Complete rewrite of ASN1 code. |
---|
41 | o CRL checking in verify code and openssl utility. |
---|
42 | o Extension copying in 'ca' utility. |
---|
43 | o Flexible display options in 'ca' utility. |
---|
44 | o Provisional support for international characters with UTF8. |
---|
45 | o Support for external crypto devices ('engine') is no longer |
---|
46 | a separate distribution. |
---|
47 | o New elliptic curve library section. |
---|
48 | o New AES (Rijndael) library section. |
---|
49 | o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, |
---|
50 | Linux x86_64, Linux 64-bit on Sparc v9 |
---|
51 | o Extended support for some platforms: VxWorks |
---|
52 | o Enhanced support for shared libraries. |
---|
53 | o Now only builds PIC code when shared library support is requested. |
---|
54 | o Support for pkg-config. |
---|
55 | o Lots of new manuals. |
---|
56 | o Makes symbolic links to or copies of manuals to cover all described |
---|
57 | functions. |
---|
58 | o Change DES API to clean up the namespace (some applications link also |
---|
59 | against libdes providing similar functions having the same name). |
---|
60 | Provide macros for backward compatibility (will be removed in the |
---|
61 | future). |
---|
62 | o Unify handling of cryptographic algorithms (software and engine) |
---|
63 | to be available via EVP routines for asymmetric and symmetric ciphers. |
---|
64 | o NCONF: new configuration handling routines. |
---|
65 | o Change API to use more 'const' modifiers to improve error checking |
---|
66 | and help optimizers. |
---|
67 | o Finally remove references to RSAref. |
---|
68 | o Reworked parts of the BIGNUM code. |
---|
69 | o Support for new engines: Broadcom ubsec, Accelerated Encryption |
---|
70 | Processing, IBM 4758. |
---|
71 | o A few new engines added in the demos area. |
---|
72 | o Extended and corrected OID (object identifier) table. |
---|
73 | o PRNG: query at more locations for a random device, automatic query for |
---|
74 | EGD style random sources at several locations. |
---|
75 | o SSL/TLS: allow optional cipher choice according to server's preference. |
---|
76 | o SSL/TLS: allow server to explicitly set new session ids. |
---|
77 | o SSL/TLS: support Kerberos cipher suites (RFC2712). |
---|
78 | Only supports MIT Kerberos for now. |
---|
79 | o SSL/TLS: allow more precise control of renegotiations and sessions. |
---|
80 | o SSL/TLS: add callback to retrieve SSL/TLS messages. |
---|
81 | o SSL/TLS: support AES cipher suites (RFC3268). |
---|
82 | |
---|
83 | Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: |
---|
84 | |
---|
85 | o Security: fix various ASN1 parsing bugs. |
---|
86 | o SSL/TLS protocol fix for unrequested client certificates. |
---|
87 | |
---|
88 | Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: |
---|
89 | |
---|
90 | o Security: counter the Klima-Pokorny-Rosa extension of |
---|
91 | Bleichbacher's attack |
---|
92 | o Security: make RSA blinding default. |
---|
93 | o Build: shared library support fixes. |
---|
94 | |
---|
95 | Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: |
---|
96 | |
---|
97 | o Important security related bugfixes. |
---|
98 | |
---|
99 | Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: |
---|
100 | |
---|
101 | o New configuration targets for Tandem OSS and A/UX. |
---|
102 | o New OIDs for Microsoft attributes. |
---|
103 | o Better handling of SSL session caching. |
---|
104 | o Better comparison of distinguished names. |
---|
105 | o Better handling of shared libraries in a mixed GNU/non-GNU environment. |
---|
106 | o Support assembler code with Borland C. |
---|
107 | o Fixes for length problems. |
---|
108 | o Fixes for uninitialised variables. |
---|
109 | o Fixes for memory leaks, some unusual crashes and some race conditions. |
---|
110 | o Fixes for smaller building problems. |
---|
111 | o Updates of manuals, FAQ and other instructive documents. |
---|
112 | |
---|
113 | Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: |
---|
114 | |
---|
115 | o Important building fixes on Unix. |
---|
116 | |
---|
117 | Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: |
---|
118 | |
---|
119 | o Various important bugfixes. |
---|
120 | |
---|
121 | Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: |
---|
122 | |
---|
123 | o Important security related bugfixes. |
---|
124 | o Various SSL/TLS library bugfixes. |
---|
125 | |
---|
126 | Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: |
---|
127 | |
---|
128 | o Various SSL/TLS library bugfixes. |
---|
129 | o Fix DH parameter generation for 'non-standard' generators. |
---|
130 | |
---|
131 | Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: |
---|
132 | |
---|
133 | o Various SSL/TLS library bugfixes. |
---|
134 | o BIGNUM library fixes. |
---|
135 | o RSA OAEP and random number generation fixes. |
---|
136 | o Object identifiers corrected and added. |
---|
137 | o Add assembler BN routines for IA64. |
---|
138 | o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, |
---|
139 | MIPS Linux; shared library support for Irix, HP-UX. |
---|
140 | o Add crypto accelerator support for AEP, Baltimore SureWare, |
---|
141 | Broadcom and Cryptographic Appliance's keyserver |
---|
142 | [in 0.9.6c-engine release]. |
---|
143 | |
---|
144 | Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: |
---|
145 | |
---|
146 | o Security fix: PRNG improvements. |
---|
147 | o Security fix: RSA OAEP check. |
---|
148 | o Security fix: Reinsert and fix countermeasure to Bleichbacher's |
---|
149 | attack. |
---|
150 | o MIPS bug fix in BIGNUM. |
---|
151 | o Bug fix in "openssl enc". |
---|
152 | o Bug fix in X.509 printing routine. |
---|
153 | o Bug fix in DSA verification routine and DSA S/MIME verification. |
---|
154 | o Bug fix to make PRNG thread-safe. |
---|
155 | o Bug fix in RAND_file_name(). |
---|
156 | o Bug fix in compatibility mode trust settings. |
---|
157 | o Bug fix in blowfish EVP. |
---|
158 | o Increase default size for BIO buffering filter. |
---|
159 | o Compatibility fixes in some scripts. |
---|
160 | |
---|
161 | Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: |
---|
162 | |
---|
163 | o Security fix: change behavior of OpenSSL to avoid using |
---|
164 | environment variables when running as root. |
---|
165 | o Security fix: check the result of RSA-CRT to reduce the |
---|
166 | possibility of deducing the private key from an incorrectly |
---|
167 | calculated signature. |
---|
168 | o Security fix: prevent Bleichenbacher's DSA attack. |
---|
169 | o Security fix: Zero the premaster secret after deriving the |
---|
170 | master secret in DH ciphersuites. |
---|
171 | o Reimplement SSL_peek(), which had various problems. |
---|
172 | o Compatibility fix: the function des_encrypt() renamed to |
---|
173 | des_encrypt1() to avoid clashes with some Unixen libc. |
---|
174 | o Bug fixes for Win32, HP/UX and Irix. |
---|
175 | o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and |
---|
176 | memory checking routines. |
---|
177 | o Bug fixes for RSA operations in threaded environments. |
---|
178 | o Bug fixes in misc. openssl applications. |
---|
179 | o Remove a few potential memory leaks. |
---|
180 | o Add tighter checks of BIGNUM routines. |
---|
181 | o Shared library support has been reworked for generality. |
---|
182 | o More documentation. |
---|
183 | o New function BN_rand_range(). |
---|
184 | o Add "-rand" option to openssl s_client and s_server. |
---|
185 | |
---|
186 | Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: |
---|
187 | |
---|
188 | o Some documentation for BIO and SSL libraries. |
---|
189 | o Enhanced chain verification using key identifiers. |
---|
190 | o New sign and verify options to 'dgst' application. |
---|
191 | o Support for DER and PEM encoded messages in 'smime' application. |
---|
192 | o New 'rsautl' application, low level RSA utility. |
---|
193 | o MD4 now included. |
---|
194 | o Bugfix for SSL rollback padding check. |
---|
195 | o Support for external crypto devices [1]. |
---|
196 | o Enhanced EVP interface. |
---|
197 | |
---|
198 | [1] The support for external crypto devices is currently a separate |
---|
199 | distribution. See the file README.ENGINE. |
---|
200 | |
---|
201 | Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: |
---|
202 | |
---|
203 | o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 |
---|
204 | o Shared library support for HPUX and Solaris-gcc |
---|
205 | o Support of Linux/IA64 |
---|
206 | o Assembler support for Mingw32 |
---|
207 | o New 'rand' application |
---|
208 | o New way to check for existence of algorithms from scripts |
---|
209 | |
---|
210 | Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: |
---|
211 | |
---|
212 | o S/MIME support in new 'smime' command |
---|
213 | o Documentation for the OpenSSL command line application |
---|
214 | o Automation of 'req' application |
---|
215 | o Fixes to make s_client, s_server work under Windows |
---|
216 | o Support for multiple fieldnames in SPKACs |
---|
217 | o New SPKAC command line utilty and associated library functions |
---|
218 | o Options to allow passwords to be obtained from various sources |
---|
219 | o New public key PEM format and options to handle it |
---|
220 | o Many other fixes and enhancements to command line utilities |
---|
221 | o Usable certificate chain verification |
---|
222 | o Certificate purpose checking |
---|
223 | o Certificate trust settings |
---|
224 | o Support of authority information access extension |
---|
225 | o Extensions in certificate requests |
---|
226 | o Simplified X509 name and attribute routines |
---|
227 | o Initial (incomplete) support for international character sets |
---|
228 | o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD |
---|
229 | o Read only memory BIOs and simplified creation function |
---|
230 | o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 |
---|
231 | record; allow fragmentation and interleaving of handshake and other |
---|
232 | data |
---|
233 | o TLS/SSL code now "tolerates" MS SGC |
---|
234 | o Work around for Netscape client certificate hang bug |
---|
235 | o RSA_NULL option that removes RSA patent code but keeps other |
---|
236 | RSA functionality |
---|
237 | o Memory leak detection now allows applications to add extra information |
---|
238 | via a per-thread stack |
---|
239 | o PRNG robustness improved |
---|
240 | o EGD support |
---|
241 | o BIGNUM library bug fixes |
---|
242 | o Faster DSA parameter generation |
---|
243 | o Enhanced support for Alpha Linux |
---|
244 | o Experimental MacOS support |
---|
245 | |
---|
246 | Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: |
---|
247 | |
---|
248 | o Transparent support for PKCS#8 format private keys: these are used |
---|
249 | by several software packages and are more secure than the standard |
---|
250 | form |
---|
251 | o PKCS#5 v2.0 implementation |
---|
252 | o Password callbacks have a new void * argument for application data |
---|
253 | o Avoid various memory leaks |
---|
254 | o New pipe-like BIO that allows using the SSL library when actual I/O |
---|
255 | must be handled by the application (BIO pair) |
---|
256 | |
---|
257 | Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: |
---|
258 | o Lots of enhancements and cleanups to the Configuration mechanism |
---|
259 | o RSA OEAP related fixes |
---|
260 | o Added `openssl ca -revoke' option for revoking a certificate |
---|
261 | o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs |
---|
262 | o Source tree cleanups: removed lots of obsolete files |
---|
263 | o Thawte SXNet, certificate policies and CRL distribution points |
---|
264 | extension support |
---|
265 | o Preliminary (experimental) S/MIME support |
---|
266 | o Support for ASN.1 UTF8String and VisibleString |
---|
267 | o Full integration of PKCS#12 code |
---|
268 | o Sparc assembler bignum implementation, optimized hash functions |
---|
269 | o Option to disable selected ciphers |
---|
270 | |
---|
271 | Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: |
---|
272 | o Fixed a security hole related to session resumption |
---|
273 | o Fixed RSA encryption routines for the p < q case |
---|
274 | o "ALL" in cipher lists now means "everything except NULL ciphers" |
---|
275 | o Support for Triple-DES CBCM cipher |
---|
276 | o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA |
---|
277 | o First support for new TLSv1 ciphers |
---|
278 | o Added a few new BIOs (syslog BIO, reliable BIO) |
---|
279 | o Extended support for DSA certificate/keys. |
---|
280 | o Extended support for Certificate Signing Requests (CSR) |
---|
281 | o Initial support for X.509v3 extensions |
---|
282 | o Extended support for compression inside the SSL record layer |
---|
283 | o Overhauled Win32 builds |
---|
284 | o Cleanups and fixes to the Big Number (BN) library |
---|
285 | o Support for ASN.1 GeneralizedTime |
---|
286 | o Splitted ASN.1 SETs from SEQUENCEs |
---|
287 | o ASN1 and PEM support for Netscape Certificate Sequences |
---|
288 | o Overhauled Perl interface |
---|
289 | o Lots of source tree cleanups. |
---|
290 | o Lots of memory leak fixes. |
---|
291 | o Lots of bug fixes. |
---|
292 | |
---|
293 | Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: |
---|
294 | o Integration of the popular NO_RSA/NO_DSA patches |
---|
295 | o Initial support for compression inside the SSL record layer |
---|
296 | o Added BIO proxy and filtering functionality |
---|
297 | o Extended Big Number (BN) library |
---|
298 | o Added RIPE MD160 message digest |
---|
299 | o Addeed support for RC2/64bit cipher |
---|
300 | o Extended ASN.1 parser routines |
---|
301 | o Adjustations of the source tree for CVS |
---|
302 | o Support for various new platforms |
---|
303 | |
---|