NEWS revision 111147
NEWS
====

This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:

  o Security: Important security related bugfixes.
  o Enhanced compatibility with MIT Kerberos.
  o Can be built without the ENGINE framework.
  o IA32 assembler enhancements.
  o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
  o Configuration: the no-err option now works properly.
  o SSL/TLS: now handles manual certificate chain building.
  o SSL/TLS: certain session ID malfunctions corrected.

Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:

  o New library section OCSP.
  o Complete rewrite of ASN1 code.
  o CRL checking in verify code and openssl utility.
  o Extension copying in 'ca' utility.
  o Flexible display options in 'ca' utility.
  o Provisional support for international characters with UTF8.
  o Support for external crypto devices ('engine') is no longer
    a separate distribution.
  o New elliptic curve library section.
  o New AES (Rijndael) library section.
  o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
    Linux x86_64, Linux 64-bit on Sparc v9
  o Extended support for some platforms: VxWorks
  o Enhanced support for shared libraries.
  o Now only builds PIC code when shared library support is requested.
  o Support for pkg-config.
  o Lots of new manuals.
  o Makes symbolic links to or copies of manuals to cover all described
    functions.
  o Change DES API to clean up the namespace (some applications link also
    against libdes providing similar functions having the same name).
    Provide macros for backward compatibility (will be removed in the
    future).
  o Unify handling of cryptographic algorithms (software and engine)
    to be available via EVP routines for asymmetric and symmetric ciphers.
  o NCONF: new configuration handling routines.
  o Change API to use more 'const' modifiers to improve error checking
    and help optimizers.
  o Finally remove references to RSAref.
  o Reworked parts of the BIGNUM code.
  o Support for new engines: Broadcom ubsec, Accelerated Encryption
    Processing, IBM 4758.
  o A few new engines added in the demos area.
  o Extended and corrected OID (object identifier) table.
  o PRNG: query at more locations for a random device, automatic query for
    EGD style random sources at several locations.
  o SSL/TLS: allow optional cipher choice according to server's preference.
  o SSL/TLS: allow server to explicitly set new session ids.
  o SSL/TLS: support Kerberos cipher suites (RFC2712).
    Only supports MIT Kerberos for now.
  o SSL/TLS: allow more precise control of renegotiations and sessions.
  o SSL/TLS: add callback to retrieve SSL/TLS messages.
  o SSL/TLS: support AES cipher suites (RFC3268).

Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:

  o Important security related bugfixes.

Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:

  o New configuration targets for Tandem OSS and A/UX.
  o New OIDs for Microsoft attributes.
  o Better handling of SSL session caching.
  o Better comparison of distinguished names.
  o Better handling of shared libraries in a mixed GNU/non-GNU environment.
  o Support assembler code with Borland C.
  o Fixes for length problems.
  o Fixes for uninitialised variables.
  o Fixes for memory leaks, some unusual crashes and some race conditions.
  o Fixes for smaller building problems.
  o Updates of manuals, FAQ and other instructive documents.

Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:

  o Important building fixes on Unix.

Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:

  o Various important bugfixes.

Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:

  o Important security related bugfixes.
  o Various SSL/TLS library bugfixes.

Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:

  o Various SSL/TLS library bugfixes.
  o Fix DH parameter generation for 'non-standard' generators.

Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:

  o Various SSL/TLS library bugfixes.
  o BIGNUM library fixes.
  o RSA OAEP and random number generation fixes.
  o Object identifiers corrected and added.
  o Add assembler BN routines for IA64.
  o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
    MIPS Linux; shared library support for Irix, HP-UX.
  o Add crypto accelerator support for AEP, Baltimore SureWare,
    Broadcom and Cryptographic Appliance's keyserver
    [in 0.9.6c-engine release].

Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:

  o Security fix: PRNG improvements.
  o Security fix: RSA OAEP check.
  o Security fix: Reinsert and fix countermeasure to Bleichenbacher's
    attack.
  o MIPS bug fix in BIGNUM.
  o Bug fix in "openssl enc".
  o Bug fix in X.509 printing routine.
  o Bug fix in DSA verification routine and DSA S/MIME verification.
  o Bug fix to make PRNG thread-safe.
  o Bug fix in RAND_file_name().
  o Bug fix in compatibility mode trust settings.
  o Bug fix in blowfish EVP.
  o Increase default size for BIO buffering filter.
  o Compatibility fixes in some scripts.

Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:

  o Security fix: change behavior of OpenSSL to avoid using
    environment variables when running as root.
  o Security fix: check the result of RSA-CRT to reduce the
    possibility of deducing the private key from an incorrectly
    calculated signature.
  o Security fix: prevent Bleichenbacher's DSA attack.
  o Security fix: Zero the premaster secret after deriving the
    master secret in DH ciphersuites.
  o Reimplement SSL_peek(), which had various problems.
  o Compatibility fix: the function des_encrypt() renamed to
    des_encrypt1() to avoid clashes with some Unixen libc.
  o Bug fixes for Win32, HP/UX and Irix.
  o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
    memory checking routines.
  o Bug fixes for RSA operations in threaded environments.
  o Bug fixes in misc. openssl applications.
  o Remove a few potential memory leaks.
  o Add tighter checks of BIGNUM routines.
  o Shared library support has been reworked for generality.
  o More documentation.
  o New function BN_rand_range().
  o Add "-rand" option to openssl s_client and s_server.

Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:

  o Some documentation for BIO and SSL libraries.
  o Enhanced chain verification using key identifiers.
  o New sign and verify options to 'dgst' application.
  o Support for DER and PEM encoded messages in 'smime' application.
  o New 'rsautl' application, low level RSA utility.
  o MD4 now included.
  o Bugfix for SSL rollback padding check.
  o Support for external crypto devices [1].
  o Enhanced EVP interface.

  [1] The support for external crypto devices is currently a separate
      distribution. See the file README.ENGINE.

Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:

  o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
  o Shared library support for HPUX and Solaris-gcc
  o Support of Linux/IA64
  o Assembler support for Mingw32
  o New 'rand' application
  o New way to check for existence of algorithms from scripts

Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:

  o S/MIME support in new 'smime' command
  o Documentation for the OpenSSL command line application
  o Automation of 'req' application
  o Fixes to make s_client, s_server work under Windows
  o Support for multiple fieldnames in SPKACs
  o New SPKAC command line utility and associated library functions
  o Options to allow passwords to be obtained from various sources
  o New public key PEM format and options to handle it
  o Many other fixes and enhancements to command line utilities
  o Usable certificate chain verification
  o Certificate purpose checking
  o Certificate trust settings
  o Support of authority information access extension
  o Extensions in certificate requests
  o Simplified X509 name and attribute routines
  o Initial (incomplete) support for international character sets
  o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
  o Read only memory BIOs and simplified creation function
  o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
    record; allow fragmentation and interleaving of handshake and other
    data
  o TLS/SSL code now "tolerates" MS SGC
  o Work around for Netscape client certificate hang bug
  o RSA_NULL option that removes RSA patent code but keeps other
    RSA functionality
  o Memory leak detection now allows applications to add extra information
    via a per-thread stack
  o PRNG robustness improved
  o EGD support
  o BIGNUM library bug fixes
  o Faster DSA parameter generation
  o Enhanced support for Alpha Linux
  o Experimental MacOS support

Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:

  o Transparent support for PKCS#8 format private keys: these are used
    by several software packages and are more secure than the standard
    form
  o PKCS#5 v2.0 implementation
  o Password callbacks have a new void * argument for application data
  o Avoid various memory leaks
  o New pipe-like BIO that allows using the SSL library when actual I/O
    must be handled by the application (BIO pair)

Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:

  o Lots of enhancements and cleanups to the Configuration mechanism
  o RSA OAEP related fixes
  o Added `openssl ca -revoke' option for revoking a certificate
  o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
  o Source tree cleanups: removed lots of obsolete files
  o Thawte SXNet, certificate policies and CRL distribution points
    extension support
  o Preliminary (experimental) S/MIME support
  o Support for ASN.1 UTF8String and VisibleString
  o Full integration of PKCS#12 code
  o Sparc assembler bignum implementation, optimized hash functions
  o Option to disable selected ciphers

Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:

  o Fixed a security hole related to session resumption
  o Fixed RSA encryption routines for the p < q case
  o "ALL" in cipher lists now means "everything except NULL ciphers"
  o Support for Triple-DES CBCM cipher
  o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
  o First support for new TLSv1 ciphers
  o Added a few new BIOs (syslog BIO, reliable BIO)
  o Extended support for DSA certificate/keys.
  o Extended support for Certificate Signing Requests (CSR)
  o Initial support for X.509v3 extensions
  o Extended support for compression inside the SSL record layer
  o Overhauled Win32 builds
  o Cleanups and fixes to the Big Number (BN) library
  o Support for ASN.1 GeneralizedTime
  o Split ASN.1 SETs from SEQUENCEs
  o ASN1 and PEM support for Netscape Certificate Sequences
  o Overhauled Perl interface
  o Lots of source tree cleanups.
  o Lots of memory leak fixes.
  o Lots of bug fixes.

Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:

  o Integration of the popular NO_RSA/NO_DSA patches
  o Initial support for compression inside the SSL record layer
  o Added BIO proxy and filtering functionality
  o Extended Big Number (BN) library
  o Added RIPE MD160 message digest
  o Added support for RC2/64bit cipher
  o Extended ASN.1 parser routines
  o Adjustments to the source tree for CVS
  o Support for various new platforms