OpenSSL

Cryptography and SSL/TLS Toolkit

OpenSSL 1.1.1 Series Release Notes

The major changes and known issues for the 1.1.1 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

  • Disallow explicit curve parameters in verification chains when X509_V_FLAG_X509_STRICT is used
  • Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts
  • Oracle Developer Studio will start reporting deprecation warnings

Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]

  • Revert the unexpected EOF reporting via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

  • Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)
  • Properly detect unexpected EOF while reading in libssl and report it via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

  • Fixed a fork protection issue (CVE-2019-1549)
  • Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
  • For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
  • Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
  • Early start-up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems
  • Correct the extended master secret constant on EBCDIC systems
  • Use Windows installation paths in the mingw builds (CVE-2019-1552)
  • Changed DH_check to accept parameters with order q and 2q subgroups
  • Significantly reduce secure memory usage by the randomness pools
  • Revert the DEVRANDOM_WAIT feature for Linux systems

Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]

Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

  • Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3.
  • Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

  • Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

  • Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 for further important information). The TLSv1.3 implementation includes:
      ◦ Fully compliant implementation of RFC8446 (TLSv1.3) on by default
      ◦ Early data (0-RTT)
      ◦ Post-handshake authentication and key update
      ◦ Middlebox Compatibility Mode
      ◦ TLSv1.3 PSKs
      ◦ Support for all five RFC8446 ciphersuites
      ◦ RSA-PSS signature algorithms (backported to TLSv1.2)
      ◦ Configurable session ticket support
      ◦ Stateless server support
      ◦ Rewrite of the packet construction code for "safer" packet handling
      ◦ Rewrite of the extension handling code
  • Complete rewrite of the OpenSSL random number generator to introduce the following capabilities:
      ◦ The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
      ◦ Support for multiple DRBG instances with seed chaining.
      ◦ There is a public and a private DRBG instance.
      ◦ The DRBG instances are fork-safe.
      ◦ All global DRBG instances are kept on the secure heap if it is enabled.
      ◦ The public and private DRBG instances are per thread for lock-free operation.
  • Support for various new cryptographic algorithms including:
      ◦ SHA3
      ◦ SHA512/224 and SHA512/256
      ◦ EdDSA (both Ed25519 and Ed448) including X509 and TLS support
      ◦ X448 (adding to the existing X25519 support in 1.1.0)
      ◦ Multi-prime RSA
      ◦ SM2
      ◦ SM3
      ◦ SM4
      ◦ SipHash
      ◦ ARIA (including TLS support)
  • Significant side-channel attack security improvements
  • Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage.
  • Add 'Maximum Fragment Length' TLS extension negotiation and support
  • A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects.
  • Move the display of configuration data to configdata.pm.
  • Allow GNU style "make variables" to be used with Configure.
  • Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  • Rewrite of devcrypto engine
  • Client DoS due to large DH parameter (CVE-2018-0732)
  • Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
  • Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
  • Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
  • rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)