Release Notes: Record lengths are now sanity checked before skipping explicit IV in TLS 1.2, 1.1, and DTLS, to avoid possible DoS attacks. A possible deadlock when decoding public keys has been fixed. The TLS 1.0 record version number is no longer used in the initial client hello if renegotiating. tkeylen is now initialized properly when encrypting CMS messages. In FIPS mode, composite ciphers are no longer used, as they are not approved.
Release Notes: A check has been added for potentially exploitable overflows in asn1_d2i_read_bio, BUF_mem_grow, and BUF_mem_grow_clean. Workarounds have been introduced for some broken servers which "hang" if a client hello record length exceeds 255 bytes. Incorrect use of TLS 1.2 SHA-256 ciphersuites in TLS 1.0 and 1.1 connections is now avoided. A segmentation fault in the Vector Permutation AES module has been fixed.
Release Notes: Initial TLS v1.1 support and TLS v1.2 support were implemented. Many improvements and minor bugfixes were made.
Release Notes: A fix was introduced for a security issue where an extension of the Vaudenay padding oracle attack on CBC mode encryption enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. This issue was originally reported as CVE-2011-4108. Various other bugfixes and improvements were made.
Release Notes: Initialization of X509_STORE_CTX was fixed to eliminate a case where CRLs with "nextUpdate" in the past were sometimes accepted. (This was reported as CVE-2011-3207.) An error in SSL memory handling for (EC)DH ciphersuites was fixed (CVE-2011-3210). A memory leak on bad inputs to x509_name_ex_d2i was fixed. Some ECC ciphersuites are no longer restricted to SHA1. Protection against ECDSA timing attacks was introduced.
Release Notes: An incomplete fix for unsafe triple-checked locking was updated. Several precautionary measures were introduced. Support for the Local Machine Keyset attribute in PKCS#12 files was added. Several minor bugs were fixed.
Release Notes: DTLS interoperation with non-compliant servers was fixed. IA64 assembler code was fixed. Binary incompatibility of the ssl_ctx_st structure was adjusted.
Release Notes: The SSL/TLS server implementation now properly tolerates "mismatched" protocol versions at initial connection. Several bugs were fixed.
Release Notes: RFC 3779 support was added. SMTP and IMAP protocol emulation in s_client was extended. The SSL/TLS server implementation now properly tolerates "mismatched" protocol versions at initial connection. Several bugs were fixed.
Release Notes: This release fixes a race condition in CRL checking code. It reduces the chances of duplicate issuer names and serial numbers, and introduces fixes to PKCS#7 (S/MIME) code.