Releases: philyuchkoff/openssl-RPM-Builder
OpenSSL 3.6.0
OpenSSL 3.6.0 is a feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible changes:
- Added NIST security categories for PKEY objects.
- Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
- Added LMS signature verification support as per [SP 800-208]. This support is present in both the FIPS and default providers.
- An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should be built using compilers supporting C-99 features.
- Support for the VxWorks platforms has been removed.
- Added an openssl configutl utility for processing the OpenSSL configuration file and dumping the equivalent configuration file.
- Added support for FIPS 186-5 deterministic ECDSA signature generation to the FIPS provider.
- Deprecated EVP_PKEY_ASN1_METHOD-related functions.
OpenSSL 3.5.0
OpenSSL 3.5.0 is a feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible changes:
- Default encryption cipher for the req, cms, and smime applications changed from des-ede3-cbc to aes-256-cbc.
- The default TLS supported groups list has been changed to include and prefer hybrid PQC KEM groups. Some practically unused groups were removed from the default list.
- The default TLS keyshares have been changed to offer X25519MLKEM768 and X25519.
- All BIO_meth_get_*() functions were deprecated.
This release adds the following new features:
- Support for server side QUIC (RFC 9000)
- Support for 3rd party QUIC stacks including 0-RTT support
- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
- A new configuration option no-tls-deprecated-ec to disable support for TLS groups deprecated in RFC8422
- A new configuration option enable-fips-jitter to make the FIPS provider use the JITTER seed source
- Support for central key generation in CMP
- Support added for opaque symmetric key objects (EVP_SKEY)
- Support for multiple TLS keyshares and improved TLS key establishment group configurability
- API support for pipelining in provided cipher algorithms
Known issues in 3.5.0
openssl/openssl#27282
Calling SSL_accept on objects returned from SSL_accept_connection results in error. It is expected that making this call will advance the SSL handshake for the passed connection, but currently it does not.
This can be handled by calling SSL_do_handshake instead. A fix is planned for OpenSSL 3.5.1.
OpenSSL 3.4.1
OpenSSL 3.4.1 is a security patch release. The most severe CVE fixed in this release is High.
This release incorporates the following bug fixes and mitigations:
- Fixed an issue where RFC7250 handshakes with unauthenticated servers don't abort as expected. (CVE-2024-12797)
- Fixed a timing side-channel in ECDSA signature computation. (CVE-2024-13176)
OpenSSL 3.4.0
OpenSSL 3.4
Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]
OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.
This release incorporates the following potentially significant or incompatible changes:
- Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics
- Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys
- The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has the fips=no property.
- SHAKE-128 and SHAKE-256 implementations no longer have a default digest length. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set beforehand.
- Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.
- An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
- Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t
This release adds the following new features:
- Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions
- FIPS indicators support in the FIPS provider and various updates of the FIPS provider required for future FIPS 140-3 validations
- Implementation of RFC 9579 (PBMAC1) in PKCS#12
- An optional additional random seed source RNG JITTER using a statically linked jitterentropy library
- New options -not_before and -not_after for explicitly setting the start and end dates of certificates created with the req and x509 apps
- Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
- Support for requesting CRL in CMP
- Support for additional X.509v3 extensions related to Attribute Certificates
- Initial Attribute Certificate (RFC 5755) support
- Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation
OpenSSL 3.3.1
OpenSSL 3.3.1 is now available, including bug and security fixes: please download and upgrade!
Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is called.
The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.
The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.
The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. ([CVE-2024-4741])
Matt Caswell
- Fixed an issue where checking excessively long DSA keys or parameters may be very slow.
Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2024-4603])
Tomáš Mráz
OpenSSL 3.3.0
Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]
OpenSSL 3.3.0 is a feature release adding significant new functionality to OpenSSL.
This release adds the following new features:
- Support for qlog for tracing QUIC connections has been added
- Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection.
- Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects
- Added APIs to allow querying the size and utilisation of a QUIC stream's write buffer
- New API SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC.
- Limited support for polling of QUIC connection and stream objects in a non-blocking manner.
- Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
- Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.
- The BLAKE2s hash algorithm matches BLAKE2b's support for configurable output length.
- The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested
- Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() using time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled
- Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored and the configuration will still be used.
- Added -set_issuer and -set_subject options to openssl x509 to override the Issuer and Subject when creating a certificate. The -subj option now is an alias for -set_subject.
- Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
- New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available.
- New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
- Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications.
This release incorporates the following potentially significant or incompatible changes:
- Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
- Optimized AES-CTR for ARM Neoverse V1 and V2
- Enable AES and SHA3 optimisations on Apple Silicon M3-based macOS systems similar to M1/M2.
- Various optimizations for cryptographic routines using RISC-V vector crypto extensions
- Added assembly implementation for md5 on loongarch64
- Accept longer context for TLS 1.2 exporters
- The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (in lower or UPPER case) to enable the setting. Conversely a value of [0|no|false|off] will disable the setting.
- In openssl speed, changed the default hash function used with hmac from md5 to sha256.
- The -verify option to the openssl crl and openssl req will make the program exit with 1 on failure.
- The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
- OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1 if called with a NULL stack argument.
- New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines.
This release incorporates the following bug fixes and mitigations:
- The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK and will now return -1 once it is exhausted.
A more detailed list of changes in this release can be found in the CHANGES.md file.
Users interested in using the new QUIC functionality are encouraged to read the README file for QUIC, which provides links to relevant documentation and example code.
As always, bug reports and issues relating to OpenSSL can be filed on our issue tracker.
OpenSSL 3.1.2
OpenSSL 3.1.2 is now available, including bug and security fixes
Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
- Fix excessive time spent checking DH q parameter value.
The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks.
A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such a q parameter value, the DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. ([CVE-2023-3817])
Tomáš Mráz
- Fix DH_check() excessive time with oversized modulus.
The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. ([CVE-2023-3446])
Matt Caswell
- Do not ignore empty associated data entries with AES-SIV.
The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with a NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. ([CVE-2023-2975])
Thanks to Juerg Wullschleger (Google) for discovering the issue.
The fix changes the authentication tag value and the ciphertext for applications that use empty associated data entries with AES-SIV. To decrypt data encrypted with previous versions of OpenSSL the application has to skip calls to EVP_DecryptUpdate() for empty associated data entries.
Tomáš Mráz
- When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R).
Paul Dale
OpenSSL 1.1.1v
OpenSSL 1.1.1v is now available, including bug and security fixes
Changes between 1.1.1u and 1.1.1v [1 Aug 2023]
- Fix excessive time spent checking DH q parameter value.
The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks.
A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such a q parameter value, the DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. (CVE-2023-3817)
[Tomáš Mráz]
- Fix DH_check() excessive time with oversized modulus.
The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail.
(CVE-2023-3446)
[Matt Caswell]
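The two DH_check() entries above (and their copies in the 3.1.2 notes) describe the same defensive ordering: cheap bound checks on p and q run first, and the expensive big-number work is skipped once a bound fails. The following Python model is an added example, not OpenSSL's own code. The 32,768-bit limit and the flag names come from the notes; the flag bit values, the dh_check and is_probable_prime helpers, the expensive-check counter and the toy parameters (p = 23, q = 11) are constructed for this example.

```python
"""Model of the cheap-first ordering in DH_check() described for
CVE-2023-3446 and CVE-2023-3817.  Added example, not OpenSSL source."""
from dataclasses import dataclass
from typing import Optional

# Limit quoted in the release note for CVE-2023-3446.
DH_CHECK_MAX_MODULUS_BITS = 32768

# Return flags.  Names follow the release notes; the bit values are
# assumptions for this model and are not OpenSSL's constants.
DH_CHECK_P_NOT_PRIME = 0x01
DH_CHECK_Q_NOT_PRIME = 0x02
DH_CHECK_INVALID_Q_VALUE = 0x04
DH_NOT_SUITABLE_GENERATOR = 0x08
DH_MODULUS_TOO_LARGE = 0x10

_BASES = (2, 3, 5, 7, 11, 13, 17)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below 3.4e14, enough for toy parameters)."""
    if n < 2:
        return False
    for b in _BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass
class CheckResult:
    flags: int
    expensive_checks: int  # number of costly big-number checks that actually ran


def dh_check(p: int, g: int, q: Optional[int] = None) -> CheckResult:
    """Check DH parameters, running bound checks before anything expensive."""
    flags = 0
    expensive = 0

    # Cheap check (CVE-2023-3446): an oversized modulus fails immediately so
    # that no later check ever computes with it.
    if p.bit_length() > DH_CHECK_MAX_MODULUS_BITS:
        return CheckResult(DH_MODULUS_TOO_LARGE, expensive)

    # Cheap check (CVE-2023-3817): a valid q is never larger than p, so an
    # oversized q is flagged and every q-dependent computation is skipped.
    q_usable = q is not None
    if q_usable and q > p:
        flags |= DH_CHECK_INVALID_Q_VALUE
        q_usable = False

    # Expensive checks: primality of p and q, q | p-1, and g's subgroup order.
    expensive += 1
    if not is_probable_prime(p):
        flags |= DH_CHECK_P_NOT_PRIME
    if q_usable:
        expensive += 1
        if not is_probable_prime(q):
            flags |= DH_CHECK_Q_NOT_PRIME
        elif (p - 1) % q != 0:
            flags |= DH_CHECK_INVALID_Q_VALUE
        else:
            expensive += 1
            if pow(g, q, p) != 1:
                flags |= DH_NOT_SUITABLE_GENERATOR
    return CheckResult(flags, expensive)


if __name__ == "__main__":
    # Toy safe-prime group: p = 23, q = 11, g = 2 (constructed sample values).
    print(dh_check(23, 2, 11))            # flags 0, three expensive checks
    print(dh_check(23, 2, 29))            # q > p: flagged, only p's primality checked
    print(dh_check((1 << 32768) + 1, 2))  # oversized p: rejected with no expensive work
```

The counter is the point of the model: with q greater than p only the primality test of p runs, and with an oversized p nothing expensive runs at all, which is exactly what turns the two reported denial-of-service inputs into immediate failures.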
OpenSSL 3.1.1
Changes between 3.1.0 and 3.1.1 [30 May 2023]
- Mitigate for the time it takes for OBJ_obj2txt to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. ([CVE-2023-2650])
To mitigate this, OBJ_obj2txt() will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub-identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
Richard Levitte
- Multiple algorithm implementation fixes for ARM BE platforms.
Liu-ErMeng
- Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility.
Paul Dale
- Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. ([CVE-2023-1255])
Nevine Ebeid
- Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 3.0.7. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support by Hubert Kario.
Bernd Edlinger
- Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'.
Paul Dale
- Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466])
Tomáš Mráz
- Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. ([CVE-2023-0465])
Matt Caswell
- Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. ([CVE-2023-0464])
Paul Dale
OpenSSL 1.1.1u
Changes between 1.1.1t and 1.1.1u [30 May 2023]
- Mitigate for the time it takes for OBJ_obj2txt to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. (CVE-2023-2650)
To mitigate this, OBJ_obj2txt() will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub-identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[Richard Levitte]
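The OBJ_obj2txt() entries (here and in the 3.1.1 notes above) derive the 586-byte guard from the RFC 2578 limits. The following Python code is an added example, not OpenSSL's own code: it implements the base-128 sub-identifier encoding behind that arithmetic and applies the same input-size guard before any decoding work. The 586-byte limit, the 128 sub-identifier count and the 2^32-1 bound come from the notes; the function names (encode_oid, oid_to_text), the max_bytes=None switch that reproduces the unguarded behaviour, and the sample inputs are constructed for this example.

```python
"""Model of the OBJECT IDENTIFIER size guard described for CVE-2023-2650.

Added example; this is not OpenSSL code.  Python big integers make the
decoding itself linear, so the guard is shown for what it is: an input-size
bound derived from RFC 2578 limits, applied before any decoding work.
"""
from typing import List, Optional

MAX_SUB_IDENTIFIERS = 128       # RFC 2578 section 3.5 (quoted in the release note)
MAX_SUB_IDENTIFIER_BITS = 32    # each sub-identifier is at most 2^32-1
VALUE_BITS_PER_BYTE = 7         # high bit of each byte is a continuation flag
# 32 * 128 / 7 rounded up = 586, the bound OBJ_obj2txt() enforces per the note.
MAX_OID_CONTENT_BYTES = -(-(MAX_SUB_IDENTIFIER_BITS * MAX_SUB_IDENTIFIERS) // VALUE_BITS_PER_BYTE)


def encode_subidentifier(value: int) -> bytes:
    """Base-128, big-endian, continuation bit set on all but the last byte (X.690 8.19)."""
    if value < 0:
        raise ValueError("sub-identifier must be non-negative")
    out = bytearray([value & 0x7F])
    value >>= VALUE_BITS_PER_BYTE
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= VALUE_BITS_PER_BYTE
    out.reverse()
    return bytes(out)


def encode_oid(arcs: List[int]) -> bytes:
    """DER content octets for an OID; the first two arcs share one sub-identifier (40*X + Y)."""
    if len(arcs) < 2 or not 0 <= arcs[0] <= 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs")
    content = encode_subidentifier(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += encode_subidentifier(arc)
    return content


def oid_to_text(content: bytes, max_bytes: Optional[int] = MAX_OID_CONTENT_BYTES) -> str:
    """Dotted-decimal text for DER OID content octets.

    max_bytes=None reproduces the unguarded pre-fix behaviour; the default
    rejects inputs longer than 586 bytes before decoding, as the note describes.
    """
    if max_bytes is not None and len(content) > max_bytes:
        raise ValueError(f"OID content is {len(content)} bytes, limit is {max_bytes}")
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:
        raise ValueError("truncated sub-identifier (continuation bit set on last byte)")
    arcs, value = [], 0
    for byte in content:
        value = (value << VALUE_BITS_PER_BYTE) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


if __name__ == "__main__":
    # sha256WithRSAEncryption, a real OID used here as sample input.
    der = encode_oid([1, 2, 840, 113549, 1, 1, 11])
    print(der.hex(), "->", oid_to_text(der))
    # Constructed oversized input: one gigantic sub-identifier (2^5000).
    huge = encode_oid([1, 3, 2 ** 5000])
    try:
        oid_to_text(huge)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the unguarded path (max_bytes=None) on the constructed 2^5000 arc still succeeds here because Python's integers absorb the cost; in a C implementation that builds the decimal string digit by digit, that same input is where the quadratic time the note describes comes from, which is why the guard is placed on the byte length rather than on the decoded value.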
- Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 1.1.1s. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support by Hubert Kario.
[Bernd Edlinger]
- Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466)
[Tomas Mraz]
- Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465)
[Matt Caswell]
- Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464)
[Paul Dale]