﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4922	OpenSSL-3.0.1	Bruce Dubbs	lfs-book	"New major version

OpenSSL 3.0

### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]

  * Enhanced 'openssl list' with many new options.
  * Added migration guide to man7.
  * Implemented support for fully ""pluggable"" TLSv1.3 groups.
  * Added support for Kernel TLS (KTLS).
  * Changed the license to the Apache License v2.0.
  * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, 
    RC2, RC4, RC5, and DES to the legacy provider.
  * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and 
    RIPEMD-160 to the legacy provider.
  * Added convenience functions for generating asymmetric key pairs.
  * Deprecated the `OCSP_REQ_CTX` type and functions.
  * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions.
  * Deprecated the `RSA` and `RSA_METHOD` types and functions.
  * Deprecated the `DSA` and `DSA_METHOD` types and functions.
  * Deprecated the `DH` and `DH_METHOD` types and functions.
  * Deprecated the `ERR_load_` functions. 
  * Remove the `RAND_DRBG` API.
  * Deprecated the `ENGINE` API.
  * Added `OSSL_LIB_CTX`, a libcrypto library context.
  * Added various `_ex` functions to the OpenSSL API 
    that support using a non-default `OSSL_LIB_CTX`.
  * Interactive mode is removed from the 'openssl' program.
  * The X25519, X448, Ed25519, Ed448, SHAKE128 and 
    SHAKE256 algorithms are included in the FIPS provider.
  * X509 certificates signed using SHA1 are no longer 
    allowed at security level 1 or higher. The default 
    security level for TLS is 1, so certificates signed 
    using SHA1 are by default no longer trusted to
    authenticate servers or clients.
  * enable-crypto-mdebug and enable-crypto-mdebug-backtrace 
    were mostly disabled; the project uses address 
    sanitize/leak-detect instead.
  * Added a Certificate Management Protocol (CMP, RFC 4210) 
    implementation also covering CRMF (RFC 4211) and HTTP 
    transfer (RFC 6712). It is part of the crypto lib and 
    adds a 'cmp' app with a demo configuration.
    All widely used CMP features are supported for both 
    clients and servers.
  * Added a proper HTTP client supporting GET with optional 
    redirection, POST, arbitrary request and response 
    content types, TLS, persistent connections,
    connections via HTTP(s) proxies, connections and 
    exchange via user-defined
    BIOs (allowing implicit connections), and timeout checks.
  * Added util/check-format.pl for checking adherence 
    to the coding guidelines.
  * Added OSSL_ENCODER, a generic encoder API.
  * Added OSSL_DECODER, a generic decoder API.
  * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM.
  * Added error raising macros, ERR_raise() and ERR_raise_data().
  * Deprecated ERR_put_error(), ERR_get_error_line(), 
    ERR_get_error_line_data(), ERR_peek_error_line_data(), 
    ERR_peek_last_error_line_data() and ERR_func_error_string().
  * Added OSSL_PROVIDER_available(), to check provider availability.
  * Added 'openssl mac' that uses the EVP_MAC API.
  * Added 'openssl kdf' that uses the EVP_KDF API.
  * Add OPENSSL_info() and 'openssl info' to get built-in data.
  * Add support for enabling instrumentation through trace 
    and debug output.
  * Changed our version number scheme and set the next 
    major release to 3.0.0
  * Added EVP_MAC, an EVP layer MAC API, and a generic 
    EVP_PKEY to EVP_MAC bridge. Supported MACs are: BLAKE2, 
    CMAC, GMAC, HMAC, KMAC, POLY1305 and SIPHASH.
  * Removed the heartbeat message in DTLS feature.
  * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic 
    EVP_PKEY to EVP_KDF bridge.  Supported KDFs are: 
    HKDF, KBKDF, KRB5 KDF, PBKDF2, PKCS12 KDF, SCRYPT, 
    SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF.
  * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, 
    SHA1, SHA224, SHA256, SHA384, SHA512 and Whirlpool digest 
    functions have been deprecated.
  * All of the low-level AES, Blowfish, Camellia, CAST, 
    DES, IDEA, RC2, RC4, RC5 and SEED cipher functions 
    have been deprecated.
  * All of the low-level DH, DSA, ECDH, ECDSA and RSA 
    public key functions have been deprecated.
  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at 
    security level 0.
  * Added providers, a new pluggability concept that will 
    replace the ENGINE API and ENGINE implementations.
"	enhancement	closed	normal	11.1	Book	git	normal	fixed		
