Skip to content

OpenSSL 1.1.1

Choose a tag to compare

View all tags
@openssl-machine openssl-machine released this 21 Sep 09:54
· 15624 commits to master since this release
OpenSSL_1_1_1
This tag was signed with the committer’s verified signature.
mattcaswell Matt Caswell
GPG key ID: D9C4D26D0E604491
Verified
Learn about vigilant mode.
1708e3e

Changelog

  • Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3
    for further important information). The TLSv1.3 implementation includes:
    • Fully compliant implementation of RFC8446 (TLSv1.3) on by default
    • Early data (0-RTT)
    • Post-handshake authentication and key update
    • Middlebox Compatibility Mode
    • TLSv1.3 PSKs
    • Support for all five RFC8446 ciphersuites
    • RSA-PSS signature algorithms (backported to TLSv1.2)
    • Configurable session ticket support
    • Stateless server support
    • Rewrite of the packet construction code for "safer" packet handling
    • Rewrite of the extension handling code
  • Complete rewrite of the OpenSSL random number generator to introduce the
    following capabilities
    • The default RAND method now utilizes an AES-CTR DRBG according to
      NIST standard SP 800-90Ar1.
    • Support for multiple DRBG instances with seed chaining.
    • There is a public and private DRBG instance.
    • The DRBG instances are fork-safe.
    • Keep all global DRBG instances on the secure heap if it is enabled.
    • The public and private DRBG instance are per thread for lock free
      operation
  • Support for various new cryptographic algorithms including:
    • SHA3
    • SHA512/224 and SHA512/256
    • EdDSA (both Ed25519 and Ed448) including X509 and TLS support
    • X448 (adding to the existing X25519 support in 1.1.0)
    • Multi-prime RSA
    • SM2
    • SM3
    • SM4
    • SipHash
    • ARIA (including TLS support)
  • Significant Side-Channel attack security improvements
  • Add a new ClientHello callback to provide the ability to adjust the SSL
    object at an early stage.
  • Add 'Maximum Fragment Length' TLS extension negotiation and support
  • A new STORE module, which implements a uniform and URI based reader of
    stores that can contain keys, certificates, CRLs and numerous other
    objects.
  • Move the display of configuration data to configdata.pm.
  • Allow GNU style "make variables" to be used with Configure.
  • Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  • Rewrite of devcrypto engine
Assets 6
Loading