Cryptography and SSL/TLS Toolkit

OpenSSL 1.1.1 Series Release Notes

The major changes and known issues for the 1.1.1 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository.

More details can be found in the ChangeLog.

Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

  • Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3.
  • Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

  • Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

  • Support for TLSv1.3 added (see for further important information). The TLSv1.3 implementation includes:
  • Fully compliant implementation of RFC8446 (TLSv1.3) on by default
  • Early data (0-RTT)
  • Post-handshake authentication and key update
  • Middlebox Compatibility Mode
  • TLSv1.3 PSKs
  • Support for all five RFC8446 ciphersuites
  • RSA-PSS signature algorithms (backported to TLSv1.2)
  • Configurable session ticket support
  • Stateless server support
  • Rewrite of the packet construction code for "safer" packet handling
  • Rewrite of the extension handling code
  • Complete rewrite of the OpenSSL random number generator to introduce the following capabilities
  • The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
  • Support for multiple DRBG instances with seed chaining.
  • There is a public and private DRBG instance.
  • The DRBG instances are fork-safe.
  • Keep all global DRBG instances on the secure heap if it is enabled.
  • The public and private DRBG instance are per thread for lock free operation
  • Support for various new cryptographic algorithms including:
  • SHA3
  • SHA512/224 and SHA512/256
  • EdDSA (both Ed25519 and Ed448) including X509 and TLS support
  • X448 (adding to the existing X25519 support in 1.1.0)
  • Multi-prime RSA
  • SM2
  • SM3
  • SM4
  • SipHash
  • ARIA (including TLS support)
  • Significant Side-Channel attack security improvements
  • Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage.
  • Add 'Maximum Fragment Length' TLS extension negotiation and support
  • A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects.
  • Move the display of configuration data to
  • Allow GNU style "make variables" to be used with Configure.
  • Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  • Rewrite of devcrypto engine
  • Client DoS due to large DH parameter (CVE-2018-0732)
  • Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
  • Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
  • Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
  • rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)