github openssl/openssl openssl-3.0.0
OpenSSL 3.0.0


Changelog

  • Enhanced 'openssl list' with many new options.
  • Added migration guide to man7.
  • Implemented support for fully "pluggable" TLSv1.3 groups.
  • Added support for Kernel TLS (KTLS).
  • Changed the license to the Apache License v2.0.
  • Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
    RC4, RC5, and DES to the legacy provider.
  • Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
    provider.
  • Added convenience functions for generating asymmetric key pairs.
  • Deprecated the OCSP_REQ_CTX type and functions.
  • Deprecated the EC_KEY and EC_KEY_METHOD types and functions.
  • Deprecated the RSA and RSA_METHOD types and functions.
  • Deprecated the DSA and DSA_METHOD types and functions.
  • Deprecated the DH and DH_METHOD types and functions.
  • Deprecated the ERR_load_ functions.
  • Removed the RAND_DRBG API.
  • Deprecated the ENGINE API.
  • Added OSSL_LIB_CTX, a libcrypto library context.
  • Added various _ex functions to the OpenSSL API that support using
    a non-default OSSL_LIB_CTX.
  • Interactive mode is removed from the 'openssl' program.
  • The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are
    included in the FIPS provider.
  • X509 certificates signed using SHA1 are no longer allowed at security
    level 1 or higher. The default security level for TLS is 1, so
    certificates signed using SHA1 are by default no longer trusted to
    authenticate servers or clients.
  • enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly
    disabled; the project uses AddressSanitizer and leak detection instead.
  • Added a Certificate Management Protocol (CMP, RFC 4210) implementation
    also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712).
    It is part of the crypto lib and adds a 'cmp' app with a demo configuration.
    All widely used CMP features are supported for both clients and servers.
  • Added a proper HTTP client supporting GET with optional redirection, POST,
    arbitrary request and response content types, TLS, persistent connections,
    connections via HTTP(s) proxies, connections and exchange via user-defined
    BIOs (allowing implicit connections), and timeout checks.
  • Added util/check-format.pl for checking adherence to the coding guidelines.
  • Added OSSL_ENCODER, a generic encoder API.
  • Added OSSL_DECODER, a generic decoder API.
  • Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
  • Added error raising macros, ERR_raise() and ERR_raise_data().
  • Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(),
    ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
    ERR_func_error_string().
  • Added OSSL_PROVIDER_available(), to check provider availability.
  • Added 'openssl mac' that uses the EVP_MAC API.
  • Added 'openssl kdf' that uses the EVP_KDF API.
  • Added OPENSSL_info() and 'openssl info' to get built-in data.
  • Added support for enabling instrumentation through trace and debug
    output.
  • Changed our version number scheme and set the next major release to
    3.0.0
  • Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
    bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305
    and SIPHASH.
  • Removed the heartbeat message in DTLS feature.
  • Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to
    EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2,
    PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF.
  • All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224,
    SHA256, SHA384, SHA512 and Whirlpool digest functions have been
    deprecated.
  • All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2,
    RC4, RC5 and SEED cipher functions have been deprecated.
  • All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions
    have been deprecated.
  • SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
  • Added providers, a new pluggability concept that will replace the
    ENGINE API and ENGINE implementations.
