OpenSSL 1.1.1 Series Release Notes

The major changes and known issues for the 1.1.1 branch of the OpenSSL toolkit are summarised below. The contents reflect the current state of the NEWS file inside the git repository. More details can be found in the ChangeLog.

Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]

• Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)

Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]

• Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
• Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)

Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]

• Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
• Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
• Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
• Limited the number of nodes created in a policy tree ([CVE-2023-0464])

Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]

• Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
• Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
• Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
• Fixed Timing Oracle in RSA Decryption (CVE-2022-4304)

Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022]

• Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the certificate data to be signed before signing the certificate.

Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]

• Added a missing header for memcmp that caused compilation failure on some platforms

Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]

• Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)

Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]

• Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-2068)

Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

• Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-1292)

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

• Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli (CVE-2022-0778)

Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]

• None

Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]

• Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
• Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)

Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

• Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
• Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client (CVE-2021-3449)

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

• Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841)
• Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
• Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840)
• Fixed SRP_Calc_client_key so that it runs in constant time

Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

• Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

• Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
• Enable ‘MinProtocol’ and ‘MaxProtocol’ to configure both TLS and DTLS contexts
• Oracle Developer Studio will start reporting deprecation warnings

Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

• Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)

Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]

• Revert the unexpected EOF reporting via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

• Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)
• Properly detect unexpected EOF while reading in libssl and report it via SSL_ERROR_SSL

Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

• Fixed a fork protection issue (CVE-2019-1549)
• Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563)
• For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters
• Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547)
• Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems
• Correct the extended master secret constant on EBCDIC systems
• Use Windows installation paths in the mingw builds (CVE-2019-1552)
• Changed DH_check to accept parameters with order q and 2q subgroups
• Significantly reduce secure memory usage by the randomness pools
• Revert the DEVRANDOM_WAIT feature for Linux systems

Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]

• Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)

Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]

• Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3.
• Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.

Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]

• Timing vulnerability in DSA signature generation (CVE-2018-0734)
• Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]

• Support for TLSv1.3 added. The TLSv1.3 implementation includes:
  • Fully compliant implementation of RFC8446 (TLSv1.3) on by default
  • Early data (0-RTT)
  • Post-handshake authentication and key update
  • Middlebox Compatibility Mode
  • TLSv1.3 PSKs
  • Support for all five RFC8446 ciphersuites
  • RSA-PSS signature algorithms (backported to TLSv1.2)
  • Configurable session ticket support
  • Stateless server support
  • Rewrite of the packet construction code for “safer” packet handling
  • Rewrite of the extension handling code
• Complete rewrite of the OpenSSL random number generator to introduce the following capabilities:
  • The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1.
  • Support for multiple DRBG instances with seed chaining.
  • There is a public and private DRBG instance.
  • The DRBG instances are fork-safe.
  • Keep all global DRBG instances on the secure heap if it is enabled.
  • The public and private DRBG instance are per thread for lock free operation
• Support for various new cryptographic algorithms including:
  • SHA3
  • SHA512/224 and SHA512/256
  • EdDSA (both Ed25519 and Ed448) including X509 and TLS support
  • X448 (adding to the existing X25519 support in 1.1.0)
  • Multi-prime RSA
  • SM2
  • SM3
  • SM4
  • SipHash
  • ARIA (including TLS support)
• Significant Side-Channel attack security improvements
• Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage.
• Add ‘Maximum Fragment Length’ TLS extension negotiation and support
• A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects.
• Move the display of configuration data to configdata.pm.
• Allow GNU style “make variables” to be used with Configure.
• Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
• Rewrite of devcrypto engine