OpenSSL

Version: 
1.1.1q
Release date: 
Friday, 2 February, 2001

License:

Interface:

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Port by different authors.

This software is distributed in two modes:
  • as compressed package that you have to download and manually install; if prerequisites are required, you will have to manually install them too;
  • as RPM package; you can install it using your favorite rpm package manager, that will take care to download and install both the software and its prerequisites.
Choose the installation mode that you prefer. Please note that not all the versions are available in both the installation modes.

Installation with rpm

This program is installable using the rpm package manager. See below for the install string. Required prerequisites are automatically processed by the package manager and, if needed, downloaded and installed.

openssl-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable
NEWS ==== This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022] o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097) Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022] o Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-2068) Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022] o Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-1292) Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022] o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli (CVE-2022-0778) Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021] o None Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021] o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711) o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712) Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021] o Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag (CVE-2021-3450) o Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client (CVE-2021-3449) Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841) o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840) o Fixed SRP_Calc_client_key so that it runs in constant time Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] o Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts o Oracle Developer Studio will start reporting deprecation warnings Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967) Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020] o Revert the unexpected EOF reporting via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] o Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551) o Properly detect unexpected EOF while reading in libssl and report it via SSL_ERROR_SSL Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] o Fixed a fork protection issue (CVE-2019-1549) o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) o For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters o Compute ECC cofactors if not provided during EC_GROUP construction (CVE-2019-1547) o Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems o Correct the extended master secret constant on EBCDIC systems o Use Windows installation paths in the mingw builds (CVE-2019-1552) o Changed DH_check to accept parameters with order q and 2q subgroups o Significantly reduce secure memory usage by the randomness pools o Revert the DEVRANDOM_WAIT feature for Linux systems Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019] o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543) Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019] o Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3. o Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] o Timing vulnerability in DSA signature generation (CVE-2018-0734) o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 for further important information). The TLSv1.3 implementation includes: o Fully compliant implementation of RFC8446 (TLSv1.3) on by default o Early data (0-RTT) o Post-handshake authentication and key update o Middlebox Compatibility Mode o TLSv1.3 PSKs o Support for all five RFC8446 ciphersuites o RSA-PSS signature algorithms (backported to TLSv1.2) o Configurable session ticket support o Stateless server support o Rewrite of the packet construction code for "safer" packet handling o Rewrite of the extension handling code o Complete rewrite of the OpenSSL random number generator to introduce the following capabilities o The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. o Support for multiple DRBG instances with seed chaining. o There is a public and private DRBG instance. o The DRBG instances are fork-safe. o Keep all global DRBG instances on the secure heap if it is enabled. o The public and private DRBG instance are per thread for lock free operation o Support for various new cryptographic algorithms including: o SHA3 o SHA512/224 and SHA512/256 o EdDSA (both Ed25519 and Ed448) including X509 and TLS support o X448 (adding to the existing X25519 support in 1.1.0) o Multi-prime RSA o SM2 o SM3 o SM4 o SipHash o ARIA (including TLS support) o Significant Side-Channel attack security improvements o Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage. o Add 'Maximum Fragment Length' TLS extension negotiation and support o A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. o Move the display of configuration data to configdata.pm. o Allow GNU style "make variables" to be used with Configure. o Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes o Rewrite of devcrypto engine Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [under development] o Client DoS due to large DH parameter (CVE-2018-0732) o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development] o Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) o Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733) o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017] o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735) Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017] o config now recognises 64-bit mingw and chooses mingw64 instead of mingw Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017] o Encrypt-Then-Mac renegotiation crash (CVE-2017-3733) Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017] o Truncated packet could crash via OOB read (CVE-2017-3731) o Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016] o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054) o CMS Null dereference (CVE-2016-7053) o Montgomery multiplication may produce incorrect results (CVE-2016-7055) Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016] o Fix Use After Free for large message sizes (CVE-2016-6309) Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016] o OCSP Status Request extension unbounded memory growth (CVE-2016-6304) o SSL_peek() hang on empty record (CVE-2016-6305) o Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) o Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016] o Copyright text was shrunk to a boilerplate that points to the license o "shared" builds are now the default when possible o Added support for "pipelining" o Added the AFALG engine o New threading API implemented o Support for ChaCha20 and Poly1305 added to libcrypto and libssl o Support for extended master secret o CCM ciphersuites o Reworked test suite, now based on perl, Test::Harness and Test::More o *Most* libcrypto and libssl public structures were made opaque, including: BIGNUM and associated types, EC_KEY and EC_KEY_METHOD, DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD, BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX, X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, X509_LOOKUP_METHOD o libssl internal structures made opaque o SSLv2 support removed o Kerberos ciphersuite support removed o RC4 removed from DEFAULT ciphersuites in libssl o 40 and 56 bit cipher support removed from libssl o All public header files moved to include/openssl, no more symlinking o SSL/TLS state machine, version negotiation and record layer rewritten o EC revision: now operations use new EC_KEY_METHOD. o Support for OCB mode added to libcrypto o Support for asynchronous crypto operations added to libcrypto and libssl o Deprecated interfaces can now be disabled at build time either relative to the latest release via the "no-deprecated" Configure argument, or via the "--api=1.1.0|1.0.0|0.9.8" option. o Application software can be compiled with -DOPENSSL_API_COMPAT=version to ensure that features deprecated in that version are not exposed. o Support for RFC6698/RFC7671 DANE TLSA peer authentication o Change of Configure to use --prefix as the main installation directory location rather than --openssldir. The latter becomes the directory for certs, private key and openssl.cnf exclusively. o Reworked BIO networking library, with full support for IPv6. o New "unified" build system o New security levels o Support for scrypt algorithm o Support for X25519 o Extended SSL_CONF support using configuration files o KDF algorithm support. Implement TLS PRF as a KDF. o Support for Certificate Transparency o HKDF support. Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) o Fix EVP_EncodeUpdate overflow (CVE-2016-2105) o Fix EVP_EncryptUpdate overflow (CVE-2016-2106) o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) o EBCDIC overread (CVE-2016-2176) o Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN. o Remove LOW from the DEFAULT cipher list. This removes singles DES from the default. o Only remove the SSLv2 methods with the no-ssl2-method option. Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. o Disable SSLv2 default build, default negotiation and weak ciphers (CVE-2016-0800) o Fix a double-free in DSA code (CVE-2016-0705) o Disable SRP fake user seed to address a server memory leak (CVE-2016-0798) o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) o Fix memory issues in BIO_*printf functions (CVE-2016-0799) o Fix side channel attack on modular exponentiation (CVE-2016-0702) Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] o DH small subgroups (CVE-2016-0701) o SSLv2 doesn't block disabled ciphers (CVE-2015-3197) Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) o Certificate verify crash with missing PSS parameter (CVE-2015-3194) o X509_ATTRIBUTE memory leak (CVE-2015-3195) o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs o In DSA_generate_parameters_ex, if the provided seed is too short, return an error Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] o Alternate chains certificate forgery (CVE-2015-1793) o Race condition handling PSK identify hint (CVE-2015-3196) Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] o Fix HMAC ABI incompatibility Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] o Malformed ECParameters causes infinite loop (CVE-2015-1788) o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) o CMS verify infinite loop with unknown hash function (CVE-2015-1792) o Race condition handling NewSessionTicket (CVE-2015-1791) Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015] o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291) o Multiblock corrupted pointer fix (CVE-2015-0290) o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207) o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286) o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208) o ASN.1 structure reuse memory corruption fix (CVE-2015-0287) o PKCS7 NULL pointer dereferences fix (CVE-2015-0289) o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293) o Empty CKE with client auth and DHE fix (CVE-2015-1787) o Handshake with unseeded PRNG fix (CVE-2015-0285) o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209) o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288) o Removed the export ciphers from the DEFAULT ciphers Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]: o Suite B support for TLS 1.2 and DTLS 1.2 o Support for DTLS 1.2 o TLS automatic EC curve selection. o API to set TLS supported signature algorithms and curves o SSL_CONF configuration API. o TLS Brainpool support. o ALPN support. o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015] o Build fixes for the Windows and OpenVMS platforms Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015] o Fix for CVE-2014-3571 o Fix for CVE-2015-0206 o Fix for CVE-2014-3569 o Fix for CVE-2014-3572 o Fix for CVE-2015-0204 o Fix for CVE-2015-0205 o Fix for CVE-2014-8275 o Fix for CVE-2014-3570 Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] o Fix for CVE-2014-3513 o Fix for CVE-2014-3567 o Mitigation for CVE-2014-3566 (SSL protocol vulnerability) o Fix for CVE-2014-3568 Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014] o Fix for CVE-2014-3512 o Fix for CVE-2014-3511 o Fix for CVE-2014-3510 o Fix for CVE-2014-3507 o Fix for CVE-2014-3506 o Fix for CVE-2014-3505 o Fix for CVE-2014-3509 o Fix for CVE-2014-5139 o Fix for CVE-2014-3508 Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] o Fix for CVE-2014-0224 o Fix for CVE-2014-0221 o Fix for CVE-2014-0198 o Fix for CVE-2014-0195 o Fix for CVE-2014-3470 o Fix for CVE-2010-5298 Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] o Fix for CVE-2014-0160 o Add TLS padding extension workaround for broken servers. o Fix for CVE-2014-0076 Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014] o Don't include gmt_unix_time in TLS server and client random values o Fix for TLS record tampering bug CVE-2013-4353 o Fix for TLS version checking bug CVE-2013-6449 o Fix for DTLS retransmission bug CVE-2013-6450 Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]: o Corrected fix for CVE-2013-0169 Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]: o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. o Include the fips configuration module. o Fix OCSP bad key DoS attack CVE-2013-0166 o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 o Fix for TLS AESNI record handling flaw CVE-2012-2686 Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]: o Fix TLS/DTLS record length checking bug CVE-2012-2333 o Don't attempt to use non-FIPS composite ciphers in FIPS mode. Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]: o Fix compilation error on non-x86 platforms. o Make FIPS capable OpenSSL ciphers work in non-FIPS mode. o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0 Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]: o Fix for ASN1 overflow bug CVE-2012-2110 o Workarounds for some servers that hang on long client hellos. o Fix SEGV in AES code. Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]: o TLS/DTLS heartbeat support. o SCTP support. o RFC 5705 TLS key material exporter. o RFC 5764 DTLS-SRTP negotiation. o Next Protocol Negotiation. o PSS signatures in certificates, requests and CRLs. o Support for password based recipient info for CMS. o Support TLS v1.2 and TLS v1.1. o Preliminary FIPS capability for unvalidated 2.0 FIPS module. o SRP support. Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]: o Fix for CMS/PKCS#7 MMA CVE-2012-0884 o Corrected fix for CVE-2011-4619 o Various DTLS fixes. Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]: o Fix for DTLS DoS issue CVE-2012-0050 Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]: o Fix for DTLS plaintext recovery attack CVE-2011-4108 o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 o Check parameters are not NULL in GOST ENGINE CVE-2012-0027 o Check for malformed RFC3779 data CVE-2011-4577 Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]: o Fix for CRL vulnerability issue CVE-2011-3207 o Fix for ECDH crashes CVE-2011-3210 o Protection against EC timing attacks. o Support ECDH ciphersuites for certificates using SHA2 algorithms. o Various DTLS fixes. Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]: o Fix for security issue CVE-2011-0014 Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]: o Fix for security issue CVE-2010-4180 o Fix for CVE-2010-4252 o Fix mishandling of absent EC point format extension. o Fix various platform compilation issues. o Corrected fix for security issue CVE-2010-3864. Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]: o Fix for security issue CVE-2010-3864. o Fix for CVE-2010-2939 o Fix WIN32 build system for GOST ENGINE. Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]: o Fix for security issue CVE-2010-1633. o GOST MAC and CFB fixes. Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]: o RFC3280 path validation: sufficient to process PKITS tests. o Integrated support for PVK files and keyblobs. o Change default private key format to PKCS#8. o CMS support: able to process all examples in RFC4134 o Streaming ASN1 encode support for PKCS#7 and CMS. o Multiple signer and signer add support for PKCS#7 and CMS. o ASN1 printing support. o Whirlpool hash algorithm added. o RFC3161 time stamp support. o New generalised public key API supporting ENGINE based algorithms. o New generalised public key API utilities. o New ENGINE supporting GOST algorithms. o SSL/TLS GOST ciphersuite support. o PKCS#7 and CMS GOST support. o RFC4279 PSK ciphersuite support. o Supported points format extension for ECC ciphersuites. o ecdsa-with-SHA224/256/384/512 signature types. o dsa-with-SHA224 and dsa-with-SHA256 signature types. o Opaque PRF Input TLS extension support. o Updated time routines to avoid OS limitations. Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]: o CFB cipher definition fixes. o Fix security issues CVE-2010-0740 and CVE-2010-0433. Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]: o Cipher definition fixes. o Workaround for slow RAND_poll() on some WIN32 versions. o Remove MD2 from algorithm tables. o SPKAC handling fixes. o Support for RFC5746 TLS renegotiation extension. o Compression memory leak fixed. o Compression session resumption fixed. o Ticket and SNI coexistence fixes. o Many fixes to DTLS handling. Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]: o Temporary work around for CVE-2009-3555: disable renegotiation. Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]: o Fix various build issues. o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]: o Fix security issue (CVE-2008-5077) o Merge FIPS 140-2 branch code. Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]: o CryptoAPI ENGINE support. o Various precautionary measures. o Fix for bugs affecting certificate request creation. o Support for local machine keyset attribute in PKCS#12 files. Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]: o Backport of CMS functionality to 0.9.8. o Fixes for bugs introduced with 0.9.8f. Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]: o Add gcc 4.2 support. o Add support for AES and SSE2 assembly language optimization for VC++ build. o Support for RFC4507bis and server name extensions if explicitly selected at compile time. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]: o Various ciphersuite selection fixes. o RFC3779 support. Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) o Changes to ciphersuite selection algorithm Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 o New cipher Camellia Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]: o Cipher string fixes. o Fixes for VC++ 2005. o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Built in dynamic engine compilation support on Win32. o Fixes auto dynamic engine loading in Win32. Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]: o Fix potential SSL 2.0 rollback, CVE-2005-2969 o Extended Windows CE support Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]: o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the ZLIB compression method to be stateful. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused within OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o Added the possibility to compile without old deprecated functionality with the OPENSSL_NO_DEPRECATED macro or the 'no-deprecated' argument to the config and Configure scripts. o Constification of all ASN.1 conversion functions, and other affected functions. o Improved platform support for PowerPC. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parameterisation of X.509 path validation. o Major overhaul of RC4 performance on Intel P4, IA-64 and AMD64. o Changed the Configure script to have some algorithms disabled by default. Those can be explicitly enabled with the new argument form 'enable-xxx'. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for BSD sockets on NetWare. o Added support for files larger than 2GB. o Added initial support for Win64. o Added alternate pkg-config files. Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]: o FIPS 1.1.1 module linking. o Various ciphersuite selection fixes. Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]: o Visual C++ 2005 fixes. o Update Windows build system for FIPS. Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]: o Give EVP_MAX_MD_SIZE its old value, except for a FIPS build. Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]: o Fix SSL 2.0 Rollback, CVE-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]: o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]: o Several compilation issues fixed. o Many memory allocation failure checks added. o Improved comparison of X509 Name type. o Mandatory basic checks on certificates. o Performance improvements. Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]: o Fix race condition in CRL checking code. o Fixes to PKCS#7 (S/MIME) code. Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]: o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug o Security: Fix null-pointer assignment in do_change_cipher_spec() o Allow multiple active certificates with same subject in CA index o Multiple X509 verification fixes o Speed up HMAC and other operations Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o New -ignore_err option to OCSP utility. o Various interop and bug fixes in S/MIME code. o SSL/TLS protocol fix for unrequested client certificates. Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Configuration: Irix fixes, AIX fixes, better mingw support. o Support for new platforms: linux-ia64-ecc. o Build: shared library support fixes. o ASN.1: treat domainComponent correctly. o Documentation: fixes and additions. Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]: o Security: Important security related bugfixes. o Enhanced compatibility with MIT Kerberos. o Can be built without the ENGINE framework. o IA32 assembler enhancements. o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. o Configuration: the no-err option now works properly. o SSL/TLS: now handles manual certificate chain building. o SSL/TLS: certain session ID malfunctions corrected. Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]: o New library section OCSP. o Complete rewrite of ASN1 code. o CRL checking in verify code and openssl utility. o Extension copying in 'ca' utility. o Flexible display options in 'ca' utility. o Provisional support for international characters with UTF8. o Support for external crypto devices ('engine') is no longer a separate distribution. o New elliptic curve library section. o New AES (Rijndael) library section. o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, Linux x86_64, Linux 64-bit on Sparc v9 o Extended support for some platforms: VxWorks o Enhanced support for shared libraries. o Now only builds PIC code when shared library support is requested. o Support for pkg-config. o Lots of new manuals. o Makes symbolic links to or copies of manuals to cover all described functions. o Change DES API to clean up the namespace (some applications link also against libdes providing similar functions having the same name). Provide macros for backward compatibility (will be removed in the future). o Unify handling of cryptographic algorithms (software and engine) to be available via EVP routines for asymmetric and symmetric ciphers. o NCONF: new configuration handling routines. o Change API to use more 'const' modifiers to improve error checking and help optimizers. o Finally remove references to RSAref. o Reworked parts of the BIGNUM code. o Support for new engines: Broadcom ubsec, Accelerated Encryption Processing, IBM 4758. o A few new engines added in the demos area. o Extended and corrected OID (object identifier) table. o PRNG: query at more locations for a random device, automatic query for EGD style random sources at several locations. o SSL/TLS: allow optional cipher choice according to server's preference. o SSL/TLS: allow server to explicitly set new session ids. o SSL/TLS: support Kerberos cipher suites (RFC2712). Only supports MIT Kerberos for now. o SSL/TLS: allow more precise control of renegotiations and sessions. o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o SSL/TLS protocol fix for unrequested client certificates. Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Build: shared library support fixes. Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]: o Important security related bugfixes. Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]: o New configuration targets for Tandem OSS and A/UX. o New OIDs for Microsoft attributes. o Better handling of SSL session caching. o Better comparison of distinguished names. o Better handling of shared libraries in a mixed GNU/non-GNU environment. o Support assembler code with Borland C. o Fixes for length problems. o Fixes for uninitialised variables. o Fixes for memory leaks, some unusual crashes and some race conditions. o Fixes for smaller building problems. o Updates of manuals, FAQ and other instructive documents. Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]: o Important building fixes on Unix. Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]: o Various important bugfixes. Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]: o Important security related bugfixes. o Various SSL/TLS library bugfixes. Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]: o Various SSL/TLS library bugfixes. o BIGNUM library fixes. o RSA OAEP and random number generation fixes. o Object identifiers corrected and added. o Add assembler BN routines for IA64. o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8, MIPS Linux; shared library support for Irix, HP-UX. o Add crypto accelerator support for AEP, Baltimore SureWare, Broadcom and Cryptographic Appliance's keyserver [in 0.9.6c-engine release]. Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]: o Security fix: PRNG improvements. o Security fix: RSA OAEP check. o Security fix: Reinsert and fix countermeasure to Bleichbacher's attack. o MIPS bug fix in BIGNUM. o Bug fix in "openssl enc". o Bug fix in X.509 printing routine. o Bug fix in DSA verification routine and DSA S/MIME verification. o Bug fix to make PRNG thread-safe. o Bug fix in RAND_file_name(). o Bug fix in compatibility mode trust settings. o Bug fix in blowfish EVP. o Increase default size for BIO buffering filter. o Compatibility fixes in some scripts. Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]: o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root. o Security fix: check the result of RSA-CRT to reduce the possibility of deducing the private key from an incorrectly calculated signature. o Security fix: prevent Bleichenbacher's DSA attack. o Security fix: Zero the premaster secret after deriving the master secret in DH ciphersuites. o Reimplement SSL_peek(), which had various problems. o Compatibility fix: the function des_encrypt() renamed to des_encrypt1() to avoid clashes with some Unixen libc. o Bug fixes for Win32, HP/UX and Irix. o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and memory checking routines. o Bug fixes for RSA operations in threaded environments. o Bug fixes in misc. openssl applications. o Remove a few potential memory leaks. o Add tighter checks of BIGNUM routines. o Shared library support has been reworked for generality. o More documentation. o New function BN_rand_range(). o Add "-rand" option to openssl s_client and s_server. Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]: o Some documentation for BIO and SSL libraries. o Enhanced chain verification using key identifiers. o New sign and verify options to 'dgst' application. o Support for DER and PEM encoded messages in 'smime' application. o New 'rsautl' application, low level RSA utility. o MD4 now included. o Bugfix for SSL rollback padding check. o Support for external crypto devices [1]. o Enhanced EVP interface. [1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE. Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]: o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 o Shared library support for HPUX and Solaris-gcc o Support of Linux/IA64 o Assembler support for Mingw32 o New 'rand' application o New way to check for existence of algorithms from scripts Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]: o S/MIME support in new 'smime' command o Documentation for the OpenSSL command line application o Automation of 'req' application o Fixes to make s_client, s_server work under Windows o Support for multiple fieldnames in SPKACs o New SPKAC command line utility and associated library functions o Options to allow passwords to be obtained from various sources o New public key PEM format and options to handle it o Many other fixes and enhancements to command line utilities o Usable certificate chain verification o Certificate purpose checking o Certificate trust settings o Support of authority information access extension o Extensions in certificate requests o Simplified X509 name and attribute routines o Initial (incomplete) support for international character sets o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD o Read only memory BIOs and simplified creation function o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0 record; allow fragmentation and interleaving of handshake and other data o TLS/SSL code now "tolerates" MS SGC o Work around for Netscape client certificate hang bug o RSA_NULL option that removes RSA patent code but keeps other RSA functionality o Memory leak detection now allows applications to add extra information via a per-thread stack o PRNG robustness improved o EGD support o BIGNUM library bug fixes o Faster DSA parameter generation o Enhanced support for Alpha Linux o Experimental MacOS support Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]: o Transparent support for PKCS#8 format private keys: these are used by several software packages and are more secure than the standard form o PKCS#5 v2.0 implementation o Password callbacks have a new void * argument for application data o Avoid various memory leaks o New pipe-like BIO that allows using the SSL library when actual I/O must be handled by the application (BIO pair) Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]: o Lots of enhancements and cleanups to the Configuration mechanism o RSA OEAP related fixes o Added `openssl ca -revoke' option for revoking a certificate o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs o Source tree cleanups: removed lots of obsolete files o Thawte SXNet, certificate policies and CRL distribution points extension support o Preliminary (experimental) S/MIME support o Support for ASN.1 UTF8String and VisibleString o Full integration of PKCS#12 code o Sparc assembler bignum implementation, optimized hash functions o Option to disable selected ciphers Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]: o Fixed a security hole related to session resumption o Fixed RSA encryption routines for the p < q case o "ALL" in cipher lists now means "everything except NULL ciphers" o Support for Triple-DES CBCM cipher o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA o First support for new TLSv1 ciphers o Added a few new BIOs (syslog BIO, reliable BIO) o Extended support for DSA certificate/keys. o Extended support for Certificate Signing Requests (CSR) o Initial support for X.509v3 extensions o Extended support for compression inside the SSL record layer o Overhauled Win32 builds o Cleanups and fixes to the Big Number (BN) library o Support for ASN.1 GeneralizedTime o Splitted ASN.1 SETs from SEQUENCEs o ASN1 and PEM support for Netscape Certificate Sequences o Overhauled Perl interface o Lots of source tree cleanups. o Lots of memory leak fixes. o Lots of bug fixes. Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]: o Integration of the popular NO_RSA/NO_DSA patches o Initial support for compression inside the SSL record layer o Added BIO proxy and filtering functionality o Extended Big Number (BN) library o Added RIPE MD160 message digest o Added support for RC2/64bit cipher o Extended ASN.1 parser routines o Adjustments of the source tree for CVS o Support for various new platforms
openssl-devel-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable (note: development files, not needed by the end user)
openssl-libs-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable
openssl-perl-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable
openssl-static-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable
openssl-debuginfo-1.1.1q-1.oc00 (07/07/2022)
Repository: Netlabs stable

Manual installation

Program is distributed as ZIP package: download to temporary directory and unpack to destination folder. See below for download link(s).

  1. unzip runtime-zip into some directory
  2. unzip dev-zip into the same directory (if you need the development toolkit)
  3. add '(the directory)\bin' to PATH
  4. add '(the directory)\dll' to LIBPATH
  5. set the environment variable OPENSSL_CONF to point'ssl/openssl.cnf'
    set OPENSSL_CONF=(the directory)\ssl\openssl.cnf

You can install the prerequisites with rpm running the following string in a command line:

yum install libc libcx libgcc1 libssp libstdc++6 libstdc++ libsupc++6 libsupc++ libgcc-fwd emxrt

Following ones are the download links for manual installation:

OpenSSL v. 1.0.0t (runtime, 4/12/2015)
 hobbes.nmsu.edu/download/pub/os2/util/encrypt/openssl-1.0.0t-os2knix-20151204-runtime.zip  local copy
OpenSSL v. 1.0.0t (toolkit, 4/12/2015, T. Ebisawa)
 hobbes.nmsu.edu/download/pub/os2/util/encrypt/openssl-1.0.0t-os2knix-20151204-dev.zip
OpenSSL v. 1.0.0s (toolkit, 12/6/2015) Readme/What's new
OpenSSL-1.0.0s development kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3, gcc 3.3.5 csd3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0s-os2knix-20150612-dev.zip
OpenSSL v. 1.0.0s (runtime, 12/6/2015) Readme/What's new
OpenSSL-1.0.0s runtime kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0s-os2knix-20150612-runtime.zip
OpenSSL v. 1.0.0r (runtime, 20/3/2015) Readme/What's new
OpenSSL-1.0.0o runtime kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0r-os2knix-20150320-runtime.zip
OpenSSL v. 1.0.0r (toolkit, 20/3/2015) Readme/What's new
OpenSSL-1.0.0o development kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3, gcc 3.3.5 csd3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0r-os2knix-20150320-dev.zip
OpenSSL v. 1.0.1k (11/1/2015) Readme/What's new
OpenSSL v1.0.1k for OS/2. Includes binaries and diff.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.1k-os2-20150111.zip
OpenSSL v. 1.0.0p (tookit, 9/1/2015, lpproj) Readme/What's new
OpenSSL-1.0.0o development kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3, gcc 3.3.5 csd3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0p-os2knix-20150109-dev.zip
OpenSSL v. 1.0.0p (runtime, 9/1/2015) Readme/What's new
OpenSSL-1.0.0o runtime kit for OS2-KNIX (kLIBC). Requires OS/2 Warp V4 fix5 or later, TCP/IP for OS/2, kLIBC 0.6.3.
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0p-os2knix-20150109-runtime.zip
OpenSSL v. 1.0.0o (16/10/2014) Readme/What's new
2014-10-16 - openssl 1.0.0o
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0o-os2knix-20141016-dev.zip  local copy
OpenSSL v. 1.0.0o (runtime, 16/10/2014) Readme/What's new
2014-10-16 - openssl 1.0.0o
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0o-os2knix-20141016-runtime.zip  local copy
OpenSSL v. 1.0.0n (toolkit, 7/8/2014) Readme/What's new
2014-08-07 - openssl 1.0.0n
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0n-os2knix-20140807-dev.zip  local copy
OpenSSL v. 1.0.0n (7/8/2014) Readme/What's new
2014-08-07 - openssl 1.0.0n
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0n-os2knix-20140807-runtime.zip  local copy
OpenSSL v. 0.9.8za (emx, 6/6/2014) Readme/What's new
OpenSSL 0.9.8za experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.8) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8za-os2emx-20140606.zip  local copy
OpenSSL v. 1.0.0m (6/6/2014, lpproj) Readme/What's new
2014-06-06 - openssl 1.0.0m
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0m-os2emx-20140606.zip  local copy
OpenSSL v. 0.9.8za (toolkit, 6/6/2014) Readme/What's new
OpenSSL 0.9.8za experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.8) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8za-os2knix-20140606-dev.zip  local copy
OpenSSL v. 1.0.0m (toolkit, 6/6/2014) Readme/What's new
2014-06-06 - openssl 1.0.0m
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0m-os2knix-20140606-dev.zip  local copy
OpenSSL v. 0.9.8za (runtime, 6/6/2014) Readme/What's new
OpenSSL 0.9.8za experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.8) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8za-os2knix-20140606-runtime.zip  local copy
OpenSSL v. 1.0.0m (runtime, 6/6/2014) Readme/What's new
2014-06-06 - openssl 1.0.0m
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0m-os2knix-20140606-runtime.zip  local copy
OpenSSL v. 1.0.0l (fix 2, 14/5/2014, lpproj) Readme/What's new
2014-05-14 - security fix: CVE-2014-0198
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix2-os2emx-20140514.zip  local copy
OpenSSL v. 1.0.0l (toolkit, fix 2, 14/5/2014, lpproj) Readme/What's new
2014-05-14 - security fix: CVE-2014-0198
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix2-os2knix-20140514-dev.zip  local copy
OpenSSL v. 1.0.0l (runtime, fix 2, 14/5/2014, lpproj) Readme/What's new
2014-05-14 - security fix: CVE-2014-0198
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix2-os2knix-20140514-runtime.zip  local copy
OpenSSL v. 1.0.0l (fix 1, 11/5/2014, lpproj) Readme/What's new
OpenSSL 1.0.0l *experimental* port for OS/2 (EMX, kLIBC 0.6.x) Important change(s) from 0.9.8 (for OS/2): - different DLL module name. (I think that v1.0.0 has not `complete- upward-compatibility' with v0.9.8. Some functions are missing...) Installation (OS2-KNIX): 1. unzip runtime-zip into some directory. 2. unzip dev-zip into the same directory (if you need development toolkit). 3. add '(the directory)\bin' to PATH 4. add '(the directory)\dll' to LIBPATH 5. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'.) Installation (OS2-EMX) 1. just unzip os2emx-package into the directory \emx. How to build (OS2-KNIX): 1. apply the patch. 2. os2\OS2-KNIX.cmd default 3. make -f os2/OS2-KNIX-DLL.mak How to build (OS2-EMX): 1. apply the patch. 2. os2\OS2-EMX.cmd default 3. make -f os2/OS2-EMX-DLL.mak note: You should need updated bintuils (as.exe). History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (using assembly codes) 2010-06-03 - version 1.0.0a 2010-06-30 - crypto/rand/rand_os2.c: fix thread-unsafed RAND_pool() 2010-10-04 - crypto/rand/rand_os2.c: more fix RAND_pool() for more-than-2 CPUs (replacing DosPerfSysCall with libc's random) (I hope someone will write proper CSPRNG like /dev/random on modern Unix-like systems for OS2/eCS...) 2010-10-13 - e_os.h: use syslog (BIO_s_log) on knix 2010-11-17 - openssl 1.0.0b 2010-12-03 - openssl 1.0.0c 2011-02-09 - openssl 1.0.0d - fixed: import libraries' name (crypto.a -> libcrypto.a, ssl.a -> libssl.a) 2011-09-10 - openssl 1.0.0e - workaround for parallel build (make -f OS2-KNIX-DLL.mak mkdirs && make -f OS2-KNIX-DLL.mak -j4) 2012-01-07 - openssl 1.0.0f - with zlib 1.2.5 2012-01-21 - openssl 1.0.0g 2012-03-13 - openssl 1.0.0h 2012-04-20 - openssl 1.0.0i 2012-05-11 - openssl 1.0.0j - default configuration CFLAGS: -march=pentium -mtune=generic (OS2KNIX) LDFLAGS: -Zhigh-mem (OS2KNIX) 2013-02-07 - openssl 1.0.0k - with zlib 1.2.7 - applied http://svn.netlabs.org/ports/changeset/578 2014-01-08 - openssl 1.0.0l - with zlib 1.2.8 2014-05-11 - security fixes: CVE-2010-5298 and CVE-2014-0076
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix1-os2emx-20140511.zip  local copy
OpenSSL v. 1.0.0l (toolkit, fix 1, 11/5/2014, lpproj) Readme/What's new
2014-05-11 - security fixes: CVE-2010-5298 and CVE-2014-0076
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix1-os2knix-20140511-dev.zip  local copy
OpenSSL v. 1.0.0l (runtime, fix 1, 11/5/2014, lpproj) Readme/What's new
2014-05-11 - security fixes: CVE-2010-5298 and CVE-2014-0076
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0l-fix1-os2knix-20140511-runtime.zip  local copy
OpenSSL v. 1.0.0k (7/2/2013) Readme/What's new
OpenSSL 1.0.0k *experimental* port for OS/2 (EMX, kLIBC 0.6.x) Important change(s) from 0.9.8 (for OS/2): - different DLL module name. (I think that v1.0.0 has not `complete- upward-compatibility' with v0.9.8. Some functions are missing...) Installation (OS2-KNIX): 1. unzip runtime-zip into some directory. 2. unzip dev-zip into the same directory (if you need development toolkit). 3. add '(the directory)\bin' to PATH 4. add '(the directory)\dll' to LIBPATH 5. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'.) Installation (OS2-EMX) 1. just unzip os2emx-package into the directory \emx. How to build (OS2-KNIX): 1. apply the patch. 2. os2\OS2-KNIX.cmd default 3. make -f os2/OS2-KNIX-DLL.mak How to build (OS2-EMX): 1. apply the patch. 2. os2\OS2-EMX.cmd default 3. make -f os2/OS2-EMX-DLL.mak note: You should need updated bintuils (as.exe). History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (using assembly codes) 2010-06-03 - version 1.0.0a 2010-06-30 - crypto/rand/rand_os2.c: fix thread-unsafed RAND_pool() 2010-10-04 - crypto/rand/rand_os2.c: more fix RAND_pool() for more-than-2 CPUs (replacing DosPerfSysCall with libc's random) (I hope someone will write proper CSPRNG like /dev/random on modern Unix-like systems for OS2/eCS...) 2010-10-13 - e_os.h: use syslog (BIO_s_log) on knix 2010-11-17 - openssl 1.0.0b 2010-12-03 - openssl 1.0.0c 2011-02-09 - openssl 1.0.0d - fixed: import libraries' name (crypto.a -> libcrypto.a, ssl.a -> libssl.a) 2011-09-10 - openssl 1.0.0e - workaround for parallel build (make -f OS2-KNIX-DLL.mak mkdirs && make -f OS2-KNIX-DLL.mak -j4) 2012-01-07 - openssl 1.0.0f - with zlib 1.2.5 2012-01-21 - openssl 1.0.0g 2012-03-13 - openssl 1.0.0h 2012-04-20 - openssl 1.0.0i 2012-05-11 - openssl 1.0.0j - default configuration CFLAGS: -march=pentium -mtune=generic (OS2KNIX) LDFLAGS: -Zhigh-mem (OS2KNIX) 2013-02-07 - openssl 1.0.0k - with zlib 1.2.7 - applied http://svn.netlabs.org/ports/changeset/578
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0k-os2emx-20130207.zip  local copy
OpenSSL v. 1.0.0k (toolkit, 7/2/2013) Readme/What's new
OpenSSL 1.0.0k *experimental* port for OS/2 (EMX, kLIBC 0.6.x) Important change(s) from 0.9.8 (for OS/2): - different DLL module name. (I think that v1.0.0 has not `complete- upward-compatibility' with v0.9.8. Some functions are missing...) Installation (OS2-KNIX): 1. unzip runtime-zip into some directory. 2. unzip dev-zip into the same directory (if you need development toolkit). 3. add '(the directory)\bin' to PATH 4. add '(the directory)\dll' to LIBPATH 5. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'.) Installation (OS2-EMX) 1. just unzip os2emx-package into the directory \emx. How to build (OS2-KNIX): 1. apply the patch. 2. os2\OS2-KNIX.cmd default 3. make -f os2/OS2-KNIX-DLL.mak How to build (OS2-EMX): 1. apply the patch. 2. os2\OS2-EMX.cmd default 3. make -f os2/OS2-EMX-DLL.mak note: You should need updated bintuils (as.exe). History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (using assembly codes) 2010-06-03 - version 1.0.0a 2010-06-30 - crypto/rand/rand_os2.c: fix thread-unsafed RAND_pool() 2010-10-04 - crypto/rand/rand_os2.c: more fix RAND_pool() for more-than-2 CPUs (replacing DosPerfSysCall with libc's random) (I hope someone will write proper CSPRNG like /dev/random on modern Unix-like systems for OS2/eCS...) 2010-10-13 - e_os.h: use syslog (BIO_s_log) on knix 2010-11-17 - openssl 1.0.0b 2010-12-03 - openssl 1.0.0c 2011-02-09 - openssl 1.0.0d - fixed: import libraries' name (crypto.a -> libcrypto.a, ssl.a -> libssl.a) 2011-09-10 - openssl 1.0.0e - workaround for parallel build (make -f OS2-KNIX-DLL.mak mkdirs && make -f OS2-KNIX-DLL.mak -j4) 2012-01-07 - openssl 1.0.0f - with zlib 1.2.5 2012-01-21 - openssl 1.0.0g 2012-03-13 - openssl 1.0.0h 2012-04-20 - openssl 1.0.0i 2012-05-11 - openssl 1.0.0j - default configuration CFLAGS: -march=pentium -mtune=generic (OS2KNIX) LDFLAGS: -Zhigh-mem (OS2KNIX) 2013-02-07 - openssl 1.0.0k - with zlib 1.2.7 - applied http://svn.netlabs.org/ports/changeset/578
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0k-os2knix-20130207-dev.zip  local copy
OpenSSL v. 1.0.0k (runtime, 7/2/2013) Readme/What's new
2013-02-07 - openssl 1.0.0k - with zlib 1.2.7 - applied http://svn.netlabs.org/ports/changeset/578
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0k-os2knix-20130207-runtime.zip  local copy
OpenSSL v. 0.9.8y (emx, 6/2/2013) Readme/What's new
OpenSSL 0.9.8y experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.7) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8y-os2emx-20130206.zip  local copy
OpenSSL v. 0.9.8y (toolkit, 6/2/2013) Readme/What's new
OpenSSL 0.9.8y experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.7) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8y-os2knix-20130206-dev.zip  local copy
OpenSSL v. 0.9.8y (runtime, 6/2/2013) Readme/What's new
OpenSSL 0.9.8y experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.x (0.6.3 or later) Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.7 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.7) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll\openssl.exe into \emx\bin. - copy os2_dll\*.dll into \emx\dll. Development kit: - copy os2_include\* into \emx\include. - copy os2_dll\*.a and os2_dll\*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8y-os2knix-20130206-runtime.zip  local copy
OpenSSL v. 1.0.0e (runtime, 10/9/2011) Readme/What's new
History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (using assembly codes) 2010-06-03 - version 1.0.0a 2010-06-30 - crypto/rand/rand_os2.c: fix thread-unsafed RAND_pool() 2010-10-04 - crypto/rand/rand_os2.c: more fix RAND_pool() for more-than-2 CPUs (replacing DosPerfSysCall with libc's random) (I hope someone will write proper CSPRNG like /dev/random on modern Unix-like systems for OS2/eCS...) 2010-10-13 - e_os.h: use syslog (BIO_s_log) on knix 2010-11-17 - openssl 1.0.0b 2010-12-03 - openssl 1.0.0c 2011-02-09 - openssl 1.0.0d - fixed: import libraries' name (crypto.a -> libcrypto.a, ssl.a -> libssl.a) 2011-09-10 - openssl 1.0.0e - workaround for parallel build (make -f OS2-KNIX-DLL.mak mkdirs && make -f OS2-KNIX-DLL.mak -j4)
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0e-os2knix-20110910-runtime.zip  local copy
OpenSSL v. 1.0.0a (toolkit, 3/6/2010, T. Ebisawa) Readme/What's new
OpenSSL 1.0.0a *experimental* port for OS/2 (EMX, kLIBC) Important change(s) from 0.9.8 (for OS/2): - different DLL module name. (I think that v1.0.0 has not `complete- upward-compatibility' with v0.9.8. Some functions are missing...) Installation (OS2-KNIX): 1. unzip runtime-zip into some directory. 2. unzip dev-zip into the same directory (if you need development toolkit). 3. add '(the directory)\bin' to PATH 4. add '(the directory)\dll' to LIBPATH 5. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'.) Installation (OS2-EMX) 1. just unzip os2emx-package into the directory \emx. How to build (OS2-KNIX): 1. apply the patch. 2. os2\OS2-KNIX.cmd default 3. make -f os2/OS2-KNIX-DLL.mak How to build (OS2-EMX): 1. apply the patch. 2. os2\OS2-EMX.cmd default 3. make -f os2/OS2-EMX-DLL.mak note: You should need updated bintuils (as.exe). History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (with assmbly codes) 2010-06-03 - version 1.0.0a
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0a-os2knix-20100603-dev.zip  local copy
OpenSSL v. 1.0.0a (runtime, 3/6/2010, T. Ebisawa) Readme/What's new
History: 2010-04-07 - configured for generic `gcc' build, without assembly codes and experimental features. 2010-04-09 - OS2-EMX, OS2-KNIX build (with assmbly codes) 2010-06-03 - version 1.0.0a
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0a-os2knix-20100603-runtime.zip  local copy
OpenSSL v. 0.9.8o (toolkit, 2/6/2010, T. Ebisawa) Readme/What's new
OpenSSL 0.9.8o experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.3 Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.3 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.3) System Recommendation --------------------- - perl (5.10 or later) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll/openssl.exe into \emx\bin. - copy os2_dll/*.dll into \emx\dll. Development kit: - copy os2_include/* into \emx\include. - copy os2_dll/*.a and os2_dll/*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8o-os2knix-20100602-dev.zip  local copy
OpenSSL v. 0.9.8o (runtime, 2/6/2010, T. Ebisawa) Readme/What's new
OpenSSL 0.9.8o experimental port for genuine EMX (OS2-EMX) and klibc 0.6.x (OS2-KNIX). System Requirement ------------------ Runtime (OS2-KNIX): - OS/2 Warp V4 or later - Pentium or above CPU - 32 bit TCP/IP for OS/2 (TCPIP32) - kLIBC 0.6.3 Runtime (OS2-EMX): - OS/2 Warp V3 or later - i486 or above CPU - TCP/IP for OS/2 - EMX runtime (0.9d fix 04) (Note zlib 1.2.3 has linked statically with runtime DLLs.) Development Kit: - (OS2-KNIX) gcc 3.3.5 or later - (OS2-EMX) gcc 2.8.1 - zlib (1.2.3) System Recommendation --------------------- - perl (5.10 or later) Quick and Dirty Installation (OS2-KNIX) --------------------------------------- Runtime: 1. unzip runtime zip into some directory. 2. add '(the directory)\bin' to PATH 3. add '(the directory)\dll' to LIBPATH 4. set the environment variable OPENSSL_CONF to point 'ssl/openssl.cnf' set OPENSSL_CONF=(the directory)\ssl\openssl.cnf (I have no idea about which is the best directory for end-users (non-developer) to install runtime. some ideas... e.g. /usr/local (openssl default configuration) /usr (commonly unix style) /etc (some unix style) /MPTN/ETC (some unix style, a la OS/2) /extras (Paul Smedley's bldenv) /openssl (unique directory for openssl) x:\OS2 (installed as OS2/eCS `system' components) It is supposed the development kit will be installed into the directory /extras, bacause this package is configured with '--prefix=/extras'. ) Quick and Dirty Installation (OS2-EMX) --------------------------------------- Runtime: - copy os2_dll/openssl.exe into \emx\bin. - copy os2_dll/*.dll into \emx\dll. Development kit: - copy os2_include/* into \emx\include. - copy os2_dll/*.a and os2_dll/*.lib into \emx\lib. How to build runtime DLLs and libraries --------------------------------------- Prerequisites: - EMX runtime and development kits - perl - grep - sed - Unix style shell sh.exe - GNU make - Unix style utilities: cp, mv, rm (and more, maybe) - NetLabs gcc 3.3.5 or later (OS2-KNIX) - Unix style patch to apply *.diff Configuration and Make (OS2-EMX): on OS/2 command prompt: > os2\OS2-EMX default > make -f OS2-EMX-DLL.mak Configuration and Make (OS2-KNIX): on OS/2 command prompt: > os2\OS2-KNIX default > make -f OS2-KNIX-DLL.mak (and see INSTALL.OS2 in official OpenSSL package.)
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8o-os2knix-20100602-runtime.zip  local copy
OpenSSL v. 0.9.8n (toolkit, 27/3/2010, T. Ebisawa) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of - OpenSSL 0.9.8m if 'short' is a 16-bit type, - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley <agl@chromium.org>] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger <thoger@redhat.com>]
 hobbes.nmsu.edu/download/pub/os2/util/encrypt/openssl-0.9.8n-os2knix-20100325-dev.zip
OpenSSL v. 0.9.8n (runtime, 27/3/2010, T. Ebisawa) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of - OpenSSL 0.9.8m if 'short' is a 16-bit type, - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley <agl@chromium.org>] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger <thoger@redhat.com>]
 hobbes.nmsu.edu/download/pub/os2/util/encrypt/openssl-0.9.8n-os2knix-20100325-runtime.zip
OpenSSL v. 0.9.8m (runtime, 28/2/2010) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8l and 0.9.8m [25 Feb 2010] *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta] *) Fix X509_STORE locking: Every 'objs' access requires a lock (to accommodate for stack sorting, always a write lock!). [Bodo Moeller] *) On some versions of WIN32 Heap32Next is very slow. This can cause excessive delays in the RAND_poll(): over a minute. As a workaround include a time check in the inner Heap32Next loop too. [Steve Henson] *) The code that handled flushing of data in SSL/TLS originally used the BIO_CTRL_INFO ctrl to see if any data was pending first. This caused the problem outlined in PR#1949. The fix suggested there however can trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions of Apache). So instead simplify the code to flush unconditionally. This should be fine since flushing with no data to flush is a no op. [Steve Henson] *) Handle TLS versions 2.0 and later properly and correctly use the highest version of TLS/SSL supported. Although TLS >= 2.0 is some way off ancient servers have a habit of sticking around for a while... [Steve Henson] *) Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355. [Steve Henson] *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't change when encrypting or decrypting. [Bodo Moeller] *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect and renegotiate with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson] *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. [Steve Henson] *) Replace the highly broken and deprecated SPKAC certification method with the updated NID creation version. This should correctly handle UTF8. [Steve Henson] *) Implement RFC5746. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] *) Fixes to stateless session resumption handling. Use initial_ctx when issuing and attempting to decrypt tickets in case it has changed during servername handling. Use a non-zero length session ID when attempting stateless session resumption: this makes it possible to determine if a resumption has occurred immediately after receiving server hello (several places in OpenSSL subtly assume this) instead of later in the handshake. [Steve Henson] *) The functions ENGINE_ctrl(), OPENSSL_isservice(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fixes for a few places where the return code is not checked correctly. [Julia Lawall <julia@diku.dk>] *) Add --strict-warnings option to Configure script to include devteam warnings in other configurations. [Steve Henson] *) Add support for --libdir option and LIBDIR variable in makefiles. This makes it possible to install openssl libraries in locations which have names other than "lib", for example "/usr/lib64" which some systems need. [Steve Henson, based on patch from Jeremy Utley] *) Don't allow the use of leading 0x80 in OIDs. This is a violation of X690 8.9.12 and can produce some misleading textual output of OIDs. [Steve Henson, reported by Dan Kaminsky] *) Delete MD2 from algorithm tables. This follows the recommendation in several standards that it is not used in new applications due to several cryptographic weaknesses. For binary compatibility reasons the MD2 API is still compiled in by default. [Steve Henson] *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved and restored. [Steve Henson] *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and OPENSSL_asc2uni conditionally on Netware platforms to avoid a name clash. [Guenter <lists@gknw.net>] *) Fix the server certificate chain building code to use X509_verify_cert(), it used to have an ad-hoc builder which was unable to cope with anything other than a simple chain. [David Woodhouse <dwmw2@infradead.org>, Steve Henson] *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message is already buffered was missing. For every new message was memory allocated, allowing an attacker to perform an denial of service attack with sending out of seq handshake messages until there is no memory left. Additionally every future messege was buffered, even if the sequence number made no sense and would be part of another handshake. So only messages with sequence numbers less than 10 in advance will be buffered. (CVE-2009-1378) [Robin Seggelmann, discovered by Daniel Mentz] *) Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is currently no limitation to this buffer allowing an attacker to perform a DOS attack with sending records with future epochs until there is no memory left. This patch adds the pqueue_size() function to detemine the size of a buffer and limits the record buffer to 100 entries. (CVE-2009-1377) [Robin Seggelmann, discovered by Daniel Mentz] *) Keep a copy of frag->msg_header.frag_len so it can be used after the parent structure is freed. (CVE-2009-1379) [Daniel Mentz] *) Handle non-blocking I/O properly in SSL_shutdown() call. [Darryl Miles <darryl-mailinglists@netbauds.net>] *) Add 2.5.4.* OIDs [Ilya O. <vrghost@gmail.com>]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8m-os2knix-20100228-runtime.zip  local copy
OpenSSL v. 0.9.8m (28/2/2010) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8l and 0.9.8m [25 Feb 2010] *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta] *) Fix X509_STORE locking: Every 'objs' access requires a lock (to accommodate for stack sorting, always a write lock!). [Bodo Moeller] *) On some versions of WIN32 Heap32Next is very slow. This can cause excessive delays in the RAND_poll(): over a minute. As a workaround include a time check in the inner Heap32Next loop too. [Steve Henson] *) The code that handled flushing of data in SSL/TLS originally used the BIO_CTRL_INFO ctrl to see if any data was pending first. This caused the problem outlined in PR#1949. The fix suggested there however can trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions of Apache). So instead simplify the code to flush unconditionally. This should be fine since flushing with no data to flush is a no op. [Steve Henson] *) Handle TLS versions 2.0 and later properly and correctly use the highest version of TLS/SSL supported. Although TLS >= 2.0 is some way off ancient servers have a habit of sticking around for a while... [Steve Henson] *) Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355. [Steve Henson] *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't change when encrypting or decrypting. [Bodo Moeller] *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect and renegotiate with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson] *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. [Steve Henson] *) Replace the highly broken and deprecated SPKAC certification method with the updated NID creation version. This should correctly handle UTF8. [Steve Henson] *) Implement RFC5746. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] *) Fixes to stateless session resumption handling. Use initial_ctx when issuing and attempting to decrypt tickets in case it has changed during servername handling. Use a non-zero length session ID when attempting stateless session resumption: this makes it possible to determine if a resumption has occurred immediately after receiving server hello (several places in OpenSSL subtly assume this) instead of later in the handshake. [Steve Henson] *) The functions ENGINE_ctrl(), OPENSSL_isservice(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fixes for a few places where the return code is not checked correctly. [Julia Lawall <julia@diku.dk>] *) Add --strict-warnings option to Configure script to include devteam warnings in other configurations. [Steve Henson] *) Add support for --libdir option and LIBDIR variable in makefiles. This makes it possible to install openssl libraries in locations which have names other than "lib", for example "/usr/lib64" which some systems need. [Steve Henson, based on patch from Jeremy Utley] *) Don't allow the use of leading 0x80 in OIDs. This is a violation of X690 8.9.12 and can produce some misleading textual output of OIDs. [Steve Henson, reported by Dan Kaminsky] *) Delete MD2 from algorithm tables. This follows the recommendation in several standards that it is not used in new applications due to several cryptographic weaknesses. For binary compatibility reasons the MD2 API is still compiled in by default. [Steve Henson] *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved and restored. [Steve Henson] *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and OPENSSL_asc2uni conditionally on Netware platforms to avoid a name clash. [Guenter <lists@gknw.net>] *) Fix the server certificate chain building code to use X509_verify_cert(), it used to have an ad-hoc builder which was unable to cope with anything other than a simple chain. [David Woodhouse <dwmw2@infradead.org>, Steve Henson] *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message is already buffered was missing. For every new message was memory allocated, allowing an attacker to perform an denial of service attack with sending out of seq handshake messages until there is no memory left. Additionally every future messege was buffered, even if the sequence number made no sense and would be part of another handshake. So only messages with sequence numbers less than 10 in advance will be buffered. (CVE-2009-1378) [Robin Seggelmann, discovered by Daniel Mentz] *) Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is currently no limitation to this buffer allowing an attacker to perform a DOS attack with sending records with future epochs until there is no memory left. This patch adds the pqueue_size() function to detemine the size of a buffer and limits the record buffer to 100 entries. (CVE-2009-1377) [Robin Seggelmann, discovered by Daniel Mentz] *) Keep a copy of frag->msg_header.frag_len so it can be used after the parent structure is freed. (CVE-2009-1379) [Daniel Mentz] *) Handle non-blocking I/O properly in SSL_shutdown() call. [Darryl Miles <darryl-mailinglists@netbauds.net>] *) Add 2.5.4.* OIDs [Ilya O. <vrghost@gmail.com>]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8m-os2emx-20100228.zip  local copy
OpenSSL v. 0.9.8m (toolkit, 28/2/2010) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8l and 0.9.8m [25 Feb 2010] *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta] *) Fix X509_STORE locking: Every 'objs' access requires a lock (to accommodate for stack sorting, always a write lock!). [Bodo Moeller] *) On some versions of WIN32 Heap32Next is very slow. This can cause excessive delays in the RAND_poll(): over a minute. As a workaround include a time check in the inner Heap32Next loop too. [Steve Henson] *) The code that handled flushing of data in SSL/TLS originally used the BIO_CTRL_INFO ctrl to see if any data was pending first. This caused the problem outlined in PR#1949. The fix suggested there however can trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions of Apache). So instead simplify the code to flush unconditionally. This should be fine since flushing with no data to flush is a no op. [Steve Henson] *) Handle TLS versions 2.0 and later properly and correctly use the highest version of TLS/SSL supported. Although TLS >= 2.0 is some way off ancient servers have a habit of sticking around for a while... [Steve Henson] *) Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355. [Steve Henson] *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't change when encrypting or decrypting. [Bodo Moeller] *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to connect and renegotiate with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] *) Add "missing" ssl ctrls to clear options and mode. [Steve Henson] *) If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requesting a renegotiation might well expect it to succeed and would have no code in place to handle the server denying it so the only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if peer supports secure renegotiation and 0 otherwise. Print out peer renegotiation support in s_client/s_server. [Steve Henson] *) Replace the highly broken and deprecated SPKAC certification method with the updated NID creation version. This should correctly handle UTF8. [Steve Henson] *) Implement RFC5746. Re-enable renegotiation but require the extension as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing. [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] *) Fixes to stateless session resumption handling. Use initial_ctx when issuing and attempting to decrypt tickets in case it has changed during servername handling. Use a non-zero length session ID when attempting stateless session resumption: this makes it possible to determine if a resumption has occurred immediately after receiving server hello (several places in OpenSSL subtly assume this) instead of later in the handshake. [Steve Henson] *) The functions ENGINE_ctrl(), OPENSSL_isservice(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fixes for a few places where the return code is not checked correctly. [Julia Lawall <julia@diku.dk>] *) Add --strict-warnings option to Configure script to include devteam warnings in other configurations. [Steve Henson] *) Add support for --libdir option and LIBDIR variable in makefiles. This makes it possible to install openssl libraries in locations which have names other than "lib", for example "/usr/lib64" which some systems need. [Steve Henson, based on patch from Jeremy Utley] *) Don't allow the use of leading 0x80 in OIDs. This is a violation of X690 8.9.12 and can produce some misleading textual output of OIDs. [Steve Henson, reported by Dan Kaminsky] *) Delete MD2 from algorithm tables. This follows the recommendation in several standards that it is not used in new applications due to several cryptographic weaknesses. For binary compatibility reasons the MD2 API is still compiled in by default. [Steve Henson] *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved and restored. [Steve Henson] *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and OPENSSL_asc2uni conditionally on Netware platforms to avoid a name clash. [Guenter <lists@gknw.net>] *) Fix the server certificate chain building code to use X509_verify_cert(), it used to have an ad-hoc builder which was unable to cope with anything other than a simple chain. [David Woodhouse <dwmw2@infradead.org>, Steve Henson] *) Don't check self signed certificate signatures in X509_verify_cert() by default (a flag can override this): it just wastes time without adding any security. As a useful side effect self signed root CAs with non-FIPS digests are now usable in FIPS mode. [Steve Henson] *) In dtls1_process_out_of_seq_message() the check if the current message is already buffered was missing. For every new message was memory allocated, allowing an attacker to perform an denial of service attack with sending out of seq handshake messages until there is no memory left. Additionally every future messege was buffered, even if the sequence number made no sense and would be part of another handshake. So only messages with sequence numbers less than 10 in advance will be buffered. (CVE-2009-1378) [Robin Seggelmann, discovered by Daniel Mentz] *) Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is currently no limitation to this buffer allowing an attacker to perform a DOS attack with sending records with future epochs until there is no memory left. This patch adds the pqueue_size() function to detemine the size of a buffer and limits the record buffer to 100 entries. (CVE-2009-1377) [Robin Seggelmann, discovered by Daniel Mentz] *) Keep a copy of frag->msg_header.frag_len so it can be used after the parent structure is freed. (CVE-2009-1379) [Daniel Mentz] *) Handle non-blocking I/O properly in SSL_shutdown() call. [Darryl Miles <darryl-mailinglists@netbauds.net>] *) Add 2.5.4.* OIDs [Ilya O. <vrghost@gmail.com>]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8m-os2knix-20100228-dev.zip  local copy
OpenSSL v. 1.0.0b3 (20/9/2009, Paul Smedley (Smedles))
 www.os2site.com/sw/internet/openssl/old/openssl-1.0.0-beta3-os2.zip  local copy
OpenSSL v. 0.9.8j (klibc, 15/1/2009) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). [Ben Laurie, Bodo Moeller, Google Security Team] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). [Ben Laurie, Bodo Moeller, Google Security Team] *) Enable TLS extensions by default. [Ben Laurie] *) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.) [Sander Temme <sander@temme.net>] *) Use correct exit code if there is an error in dgst command. [Steve Henson; problem pointed out by Roland Dirlewanger] *) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. [Bodo Moeller] *) Add experimental JPAKE support, including demo authentication in s_client and s_server. [Ben Laurie] *) Set the comparison function in v3_addr_canonize(). [Rob Austein <sra@hactrn.net>] *) Add support for XMPP STARTTLS in s_client. [Philip Paeps <philip@freebsd.org>] *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.) [Bodo Moeller]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8j-klibc-gcc432-20090115.zip  local copy
OpenSSL v. 0.9.8j (emx, 15/1/2009) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). [Ben Laurie, Bodo Moeller, Google Security Team] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). [Ben Laurie, Bodo Moeller, Google Security Team] *) Enable TLS extensions by default. [Ben Laurie] *) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.) [Sander Temme <sander@temme.net>] *) Use correct exit code if there is an error in dgst command. [Steve Henson; problem pointed out by Roland Dirlewanger] *) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. [Bodo Moeller] *) Add experimental JPAKE support, including demo authentication in s_client and s_server. [Ben Laurie] *) Set the comparison function in v3_addr_canonize(). [Rob Austein <sra@hactrn.net>] *) Add support for XMPP STARTTLS in s_client. [Philip Paeps <philip@freebsd.org>] *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.) [Bodo Moeller]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8j-os2emx-20090115.zip  local copy
OpenSSL v. 0.9.8i (18/9/2008) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8h and 0.9.8i [15 Sep 2008] *) Fix a state transitition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). [Nagendra Modadugu] *) The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c. [Bodo Moeller; problem pointed out by Marius Schilder] *) Various precautionary measures: - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.) - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range. - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds. [Neel Mehta, Bodo Moeller] *) Add support for Local Machine Keyset attribute in PKCS#12 files. [Steve Henson] *) Fix BN_GF2m_mod_arr() top-bit cleanup code. [Huang Ying] *) Expand ENGINE to support engine supplied SSL client certificate functions. This work was sponsored by Logica. [Steve Henson] *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure. This work was sponsored by Logica. [Steve Henson] *) Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros. [Ben Laurie and the FreeBSD team]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8i-klibc-20080918.zip  local copy
OpenSSL v. 0.9.8h (klibc, 30/5/2008) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8g and 0.9.8h [28 May 2008] *) Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a cilent crash as found using the Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox] *) Fix double free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton] *) Clear error queue in SSL_CTX_use_certificate_chain_file() Clear the error queue to ensure that error entries left from older function calls do not interfere with the correct operation. [Lutz Jaenicke, Erik de Castro Lopo] *) Remove root CA certificates of commercial CAs: The OpenSSL project does not recommend any specific CA and does not have any policy with respect to including or excluding any CA. Therefore it does not make any sense to ship an arbitrary selection of root CA certificates with the OpenSSL software. [Lutz Jaenicke] *) RSA OAEP patches to fix two separate invalid memory reads. The first one involves inputs when 'lzero' is greater than 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes before the beginning of from). The second one involves inputs where the 'db' section contains nothing but zeroes (there is a one-byte invalid read after the end of 'db'). [Ivan Nestlerode <inestlerode@us.ibm.com>] *) Partial backport from 0.9.9-dev: Introduce bn_mul_mont (dedicated Montgomery multiplication procedure) as a candidate for BIGNUM assembler implementation. While 0.9.9-dev uses assembler for various architectures, only x86_64 is available by default here in the 0.9.8 branch, and 32-bit x86 is available through a compile-time setting. To try the 32-bit x86 assembler implementation, use Configure option "enable-montasm" (which exists only for this backport). As "enable-montasm" for 32-bit x86 disclaims code stability anyway, in this constellation we activate additional code backported from 0.9.9-dev for further performance improvements, namely BN_from_montgomery_word. (To enable this otherwise, e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) [Andy Polyakov (backport partially by Bodo Moeller)] *) Add TLS session ticket callback. This allows an application to set TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed values. This is useful for key rollover for example where several key sets may exist with different names. [Steve Henson] *) Reverse ENGINE-internal logic for caching default ENGINE handles. This was broken until now in 0.9.8 releases, such that the only way a registered ENGINE could be used (assuming it initialises successfully on the host) was to explicitly set it as the default for the relevant algorithms. This is in contradiction with 0.9.7 behaviour and the documentation. With this fix, when an ENGINE is registered into a given algorithm's table of implementations, the 'uptodate' flag is reset so that auto-discovery will be used next time a new context for that algorithm attempts to select an implementation. [Ian Lister (tweaked by Geoff Thorpe)] *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 implemention in the following ways: Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be hard coded. Lack of BER streaming support means one pass streaming processing is only supported if data is detached: setting the streaming flag is ignored for embedded content. CMS support is disabled by default and must be explicitly enabled with the enable-cms configuration option. [Steve Henson] *) Update the GMP engine glue to do direct copies between BIGNUM and mpz_t when openssl and GMP use the same limb size. Otherwise the existing "conversion via a text string export" trick is still used. [Paul Sheer <paulsheer@gmail.com>] *) Zlib compression BIO. This is a filter BIO which compressed and uncompresses any data passed through it. [Steve Henson] *) Add AES_wrap_key() and AES_unwrap_key() functions to implement RFC3394 compatible AES key wrapping. [Steve Henson] *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): sets string data without copying. X509_ALGOR_set0() and X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) data. Attribute function X509at_get0_data_by_OBJ(): retrieves data from an X509_ATTRIBUTE structure optionally checking it occurs only once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied data. [Steve Henson] *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior. [Bodo Moeller (Google)] *) Netware support: - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) - added some more tests to do_tests.pl - fixed RunningProcess usage so that it works with newer LIBC NDKs too - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc - various changes to netware.pl to enable gcc-cross builds on Win32 platform - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) - various changes to fix missing prototype warnings - fixed x86nasm.pl to create correct asm files for NASM COFF output - added AES, WHIRLPOOL and CPUID assembler code to build files - added missing AES assembler make rules to mk1mf.pl - fixed order of includes in apps/ocsp.c so that e_os.h settings apply [Guenter Knauf <eflash@gmx.net>] *) Implement certificate status request TLS extension defined in RFC3546. A client can set the appropriate parameters and receive the encoded OCSP response via a callback. A server can query the supplied parameters and set the encoded OCSP response in the callback. Add simplified examples to s_client and s_server. [Steve Henson]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8h-klibc-20080530.zip  local copy
OpenSSL v. 0.9.8h (emx, 30/5/2008) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8g and 0.9.8h [28 May 2008] *) Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a cilent crash as found using the Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox] *) Fix double free in TLS server name extensions which could lead to a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton] *) Clear error queue in SSL_CTX_use_certificate_chain_file() Clear the error queue to ensure that error entries left from older function calls do not interfere with the correct operation. [Lutz Jaenicke, Erik de Castro Lopo] *) Remove root CA certificates of commercial CAs: The OpenSSL project does not recommend any specific CA and does not have any policy with respect to including or excluding any CA. Therefore it does not make any sense to ship an arbitrary selection of root CA certificates with the OpenSSL software. [Lutz Jaenicke] *) RSA OAEP patches to fix two separate invalid memory reads. The first one involves inputs when 'lzero' is greater than 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes before the beginning of from). The second one involves inputs where the 'db' section contains nothing but zeroes (there is a one-byte invalid read after the end of 'db'). [Ivan Nestlerode <inestlerode@us.ibm.com>] *) Partial backport from 0.9.9-dev: Introduce bn_mul_mont (dedicated Montgomery multiplication procedure) as a candidate for BIGNUM assembler implementation. While 0.9.9-dev uses assembler for various architectures, only x86_64 is available by default here in the 0.9.8 branch, and 32-bit x86 is available through a compile-time setting. To try the 32-bit x86 assembler implementation, use Configure option "enable-montasm" (which exists only for this backport). As "enable-montasm" for 32-bit x86 disclaims code stability anyway, in this constellation we activate additional code backported from 0.9.9-dev for further performance improvements, namely BN_from_montgomery_word. (To enable this otherwise, e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) [Andy Polyakov (backport partially by Bodo Moeller)] *) Add TLS session ticket callback. This allows an application to set TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed values. This is useful for key rollover for example where several key sets may exist with different names. [Steve Henson] *) Reverse ENGINE-internal logic for caching default ENGINE handles. This was broken until now in 0.9.8 releases, such that the only way a registered ENGINE could be used (assuming it initialises successfully on the host) was to explicitly set it as the default for the relevant algorithms. This is in contradiction with 0.9.7 behaviour and the documentation. With this fix, when an ENGINE is registered into a given algorithm's table of implementations, the 'uptodate' flag is reset so that auto-discovery will be used next time a new context for that algorithm attempts to select an implementation. [Ian Lister (tweaked by Geoff Thorpe)] *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 implemention in the following ways: Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be hard coded. Lack of BER streaming support means one pass streaming processing is only supported if data is detached: setting the streaming flag is ignored for embedded content. CMS support is disabled by default and must be explicitly enabled with the enable-cms configuration option. [Steve Henson] *) Update the GMP engine glue to do direct copies between BIGNUM and mpz_t when openssl and GMP use the same limb size. Otherwise the existing "conversion via a text string export" trick is still used. [Paul Sheer <paulsheer@gmail.com>] *) Zlib compression BIO. This is a filter BIO which compressed and uncompresses any data passed through it. [Steve Henson] *) Add AES_wrap_key() and AES_unwrap_key() functions to implement RFC3394 compatible AES key wrapping. [Steve Henson] *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): sets string data without copying. X509_ALGOR_set0() and X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) data. Attribute function X509at_get0_data_by_OBJ(): retrieves data from an X509_ATTRIBUTE structure optionally checking it occurs only once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied data. [Steve Henson] *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior. [Bodo Moeller (Google)] *) Netware support: - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) - added some more tests to do_tests.pl - fixed RunningProcess usage so that it works with newer LIBC NDKs too - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc - various changes to netware.pl to enable gcc-cross builds on Win32 platform - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) - various changes to fix missing prototype warnings - fixed x86nasm.pl to create correct asm files for NASM COFF output - added AES, WHIRLPOOL and CPUID assembler code to build files - added missing AES assembler make rules to mk1mf.pl - fixed order of includes in apps/ocsp.c so that e_os.h settings apply [Guenter Knauf <eflash@gmx.net>] *) Implement certificate status request TLS extension defined in RFC3546. A client can set the appropriate parameters and receive the encoded OCSP response via a callback. A server can query the supplied parameters and set the encoded OCSP response in the callback. Add simplified examples to s_client and s_server. [Steve Henson]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8h-os2emx-20080530.zip  local copy
OpenSSL v. 0.9.8g (22/10/2007) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8f and 0.9.8g [19 Oct 2007] *) Fix various bugs: + Binary incompatibility of ssl_ctx_st structure + DTLS interoperation with non-compliant servers + Don't call get_session_cb() without proposed session + Fix ia64 assembler code [Andy Polyakov, Steve Henson]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8g-os2emx-20071022.zip  local copy
OpenSSL v. 0.9.8f (13/10/2007) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8e and 0.9.8f [11 Oct 2007] *) DTLS Handshake overhaul. There were longstanding issues with OpenSSL DTLS implementation, which were making it impossible for RFC 4347 compliant client to communicate with OpenSSL server. Unfortunately just fixing these incompatibilities would "cut off" pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e server keeps tolerating non RFC compliant syntax. The opposite is not true, 0.9.8f client can not communicate with earlier server. This update even addresses CVE-2007-4995. [Andy Polyakov] *) Changes to avoid need for function casts in OpenSSL: some compilers (gcc 4.2 and later) reject their use. [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson] *) Add RFC4507 support to OpenSSL. This includes the corrections in RFC4507bis. The encrypted ticket format is an encrypted encoded SSL_SESSION structure, that way new session features are automatically supported. If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION. The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification. If a client or server wishes to disable RFC4507 support then the option SSL_OP_NO_TICKET can be set. Add a TLS extension debugging callback to allow the contents of any client or server extensions to be examined. This work was sponsored by Google. [Steve Henson] *) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new members for a host name. The SSL data structure has an additional member SSL_CTX *initial_ctx so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's server_name extension. New functions (subject to change): SSL_get_servername() SSL_get_servername_type() SSL_set_SSL_CTX() New CTRL codes and macros (subject to change): SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - SSL_CTX_set_tlsext_servername_callback() SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG - SSL_CTX_set_tlsext_servername_arg() SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() openssl s_client has a new '-servername ...' option. openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecogninzed_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option. [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] *) Add AES and SSE2 assembly language support to VC++ build. [Steve Henson] *) Mitigate attack on final subtraction in Montgomery reduction. [Andy Polyakov] *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 (which previously caused an internal error). [Bodo Moeller] *) Squeeze another 10% out of IGE mode when in != out. [Ben Laurie] *) AES IGE mode speedup. [Dean Gaudet (Google)] *) Add the Korean symmetric 128-bit cipher SEED (see http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and add SEED ciphersuites from RFC 4162: TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" To minimize changes between patchlevels in the OpenSSL 0.9.8 series, SEED remains excluded from compilation unless OpenSSL is configured with 'enable-seed'. [KISA, Bodo Moeller] *) Mitigate branch prediction attacks, which can be practical if a single processor is shared, allowing a spy process to extract information. For detailed background information, see http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures"). The core of the change are new versions BN_div_no_branch() and BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), respectively, which are slower, but avoid the security-relevant conditional branches. These are automatically called by BN_div() and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs. Also, BN_is_bit_set() has been changed to remove a conditional branch. BN_FLG_CONSTTIME is the new name for the previous BN_FLG_EXP_CONSTTIME flag, since it now affects more than just modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag in the exponent causes BN_mod_exp_mont() to use the alternative implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias. Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias. BN_BLINDING_new() will now use BN_dup() for the modulus so that the BN_BLINDING structure gets an independent copy of the modulus. This means that the previous "BIGNUM *m" argument to BN_BLINDING_new() and to BN_BLINDING_create_param() now essentially becomes "const BIGNUM *m", although we can't actually change this in the header file before 0.9.9. It allows RSA_setup_blinding() to use BN_with_flags() on the modulus to enable BN_FLG_CONSTTIME. [Matthew D Wood (Intel Corp)] *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, out-of-context reuse was forbidden only if SSL_VERIFY_PEER was set. This did ensure strict client verification, but meant that, with applications using a single external cache for quite different requirements, clients could circumvent ciphersuite restrictions for a given session ID context by starting a session in a different context. [Bodo Moeller] *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. [Bodo Moeller]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8f-os2emx-20071013.zip  local copy
OpenSSL v. 0.9.8e (18/4/2007) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8d and 0.9.8e [23 Feb 2007] *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites. [Bodo Moeller] *) Since AES128 and AES256 (and similarly Camellia128 and Camellia256) share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't (or if Camellia128 is available and Camellia256 isn't). [Victor Duchovni] *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): When a point or a seed is encoded in a BIT STRING, we need to prevent the removal of trailing zero bits to get the proper DER encoding. (By default, crypto/asn1/a_bitstr.c assumes the case of a NamedBitList, for which trailing 0 bits need to be removed.) [Bodo Moeller] *) Have SSL/TLS server implementation tolerate "mismatched" record protocol version while receiving ClientHello even if the ClientHello is fragmented. (The server can't insist on the particular protocol version it has chosen before the ServerHello message has informed the client about his choice.) [Bodo Moeller] *) Add RFC 3779 support. [Rob Austein for ARIN, Ben Laurie] *) Load error codes if they are not already present instead of using a static variable. This allows them to be cleanly unloaded and reloaded. Improve header file function name parsing. [Steve Henson] *) extend SMTP and IMAP protocol emulation in s_client to use EHLO or CAPABILITY handshake as required by RFCs. [Goetz Babin-Ebell]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8e-os2-20070418.zip  local copy
OpenSSL v. 0.9.8d (29/9/2006) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8c and 0.9.8d [28 Sep 2006] *) Introduce limits to prevent malicious keys being able to cause a denial of service. (CVE-2006-2940) [Steve Henson, Bodo Moeller] *) Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson] *) Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] *) Fix SSL client code which could crash if connecting to a malicious SSLv2 server. (CVE-2006-4343) [Tavis Ormandy and Will Drewry, Google Security Team] *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites match only those. Before that, "AES256-SHA" would be interpreted as a pattern and match "AES128-SHA" too (since AES128-SHA got the same strength classification in 0.9.7h) as we currently only have a single AES bit in the ciphersuite description bitmap. That change, however, also applied to ciphersuite strings such as "RC4-MD5" that intentionally matched multiple ciphersuites -- namely, SSL 2.0 ciphersuites in addition to the more common ones from SSL 3.0/TLS 1.0. So we change the selection algorithm again: Naming an explicit ciphersuite selects this one ciphersuite, and any other similar ciphersuite (same bitmap) from *other* protocol versions. Thus, "RC4-MD5" again will properly select both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. Since SSL 2.0 does not have any ciphersuites for which the 128/256 bit distinction would be relevant, this works for now. The proper fix will be to use different bits for AES128 and AES256, which would have avoided the problems from the beginning; however, bits are scarce, so we can only do this in a new release (not just a patchlevel) when we can change the SSL_CIPHER definition to split the single 'unsigned long mask' bitmap into multiple values to extend the available space. [Bodo Moeller]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8d-os2-20060929.zip  local copy
OpenSSL v. 0.9.8c (7/9/2006) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8b and 0.9.8c [05 Sep 2006] *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339) [Ben Laurie and Google Security Team] *) Add AES IGE and biIGE modes. [Ben Laurie] *) Change the Unix randomness entropy gathering to use poll() when possible instead of select(), since the latter has some undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller] *) Disable "ECCdraft" ciphersuites more thoroughly. Now special treatment in ssl/ssl_ciph.s makes sure that these ciphersuites cannot be implicitly activated as part of, e.g., the "AES" alias. However, please upgrade to OpenSSL 0.9.9[-dev] for non-experimental use of the ECC ciphersuites to get TLS extension support, which is required for curve and point format negotiation to avoid potential handshake problems. [Bodo Moeller] *) Disable rogue ciphersuites: - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") The latter two were purportedly from draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there. Also deactive the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired. [Bodo Moeller] *) Fix RSA blinding Heisenbug (problems sometimes occured on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key versions), which is now available for royalty-free use (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). Also, add Camellia TLS ciphersuites from RFC 4132. To minimize changes between patchlevels in the OpenSSL 0.9.8 series, Camellia remains excluded from compilation unless OpenSSL is configured with 'enable-camellia'. [NTT] *) Disable the padding bug check when compression is in use. The padding bug check assumes the first packet is of even length, this is not necessarily true if compresssion is enabled and can result in false positives causing handshake failure. The actual bug test is ancient code so it is hoped that implementations will either have fixed it by now or any which still have the bug do not support compression. [Steve Henson]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8c-os2-20060907.zip  local copy
OpenSSL v. 0.9.8b (17/5/2006) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8a and 0.9.8b [04 May 2006] *) When applying a cipher rule check to see if string match is an explicit cipher suite and only match that one cipher suite if it is. [Steve Henson] *) Link in manifests for VC++ if needed. [Austin Ziegler <halostatue@gmail.com>] *) Update support for ECC-based TLS ciphersuites according to draft-ietf-tls-ecc-12.txt with proposed changes (but without TLS extensions, which are supported starting with the 0.9.9 branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila] *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support opaque EVP_CIPHER_CTX handling. [Steve Henson] *) Fixes and enhancements to zlib compression code. We now only use "zlib1.dll" and use the default __cdecl calling convention on Win32 to conform with the standards mentioned here: http://www.zlib.net/DLL_FAQ.txt Static zlib linking now works on Windows and the new --with-zlib-include --with-zlib-lib options to Configure can be used to supply the location of the headers and library. Gracefully handle case where zlib library can't be loaded. [Steve Henson] *) Several fixes and enhancements to the OID generation code. The old code sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't handle numbers larger than ULONG_MAX, truncated printing and had a non standard OBJ_obj2txt() behaviour. [Steve Henson] *) Add support for building of engines under engine/ as shared libraries under VC++ build system. [Steve Henson] *) Corrected the numerous bugs in the Win32 path splitter in DSO. Hopefully, we will not see any false combination of paths any more. [Richard Levitte]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8b-os2-20060517.zip  local copy
OpenSSL v. 0.9.8a (13/11/2005) Readme/What's new
OpenSSL CHANGES _______________ Changes between 0.9.8 and 0.9.8a [11 Oct 2005] *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING (part of SSL_OP_ALL). This option used to disable the countermeasure against man-in-the-middle protocol-version rollback in the SSL 2.0 server implementation, which is a bad idea. (CAN-2005-2969) [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center for Information Security, National Institute of Advanced Industrial Science and Technology [AIST], Japan)] *) Add two function to clear and return the verify parameter flags. [Steve Henson] *) Keep cipherlists sorted in the source instead of sorting them at runtime, thus removing the need for a lock. [Nils Larsch] *) Avoid some small subgroup attacks in Diffie-Hellman. [Nick Mathewson and Ben Laurie] *) Add functions for well-known primes. [Nick Mathewson] *) Extended Windows CE support. [Satoshi Nakamura and Andy Polyakov] *) Initialize SSL_METHOD structures at compile time instead of during runtime, thus removing the need for a lock. [Steve Henson] *) Make PKCS7_decrypt() work even if no certificate is supplied by attempting to decrypt each encrypted key in turn. Add support to smime utility. [Steve Henson]
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8a-os2-20051113.zip  local copy
OpenSSL v. 0.9.8 (3/8/2005, Yuri Dario (Paperino)) Readme/What's new
Yuri Dario's build of OpenSSL v0.9.8 including full source tree with static libraries and binaries built with GCC v3.3.5.
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.8.zip  local copy
OpenSSL v. 0.9.7e (16/11/2004, Brian Havard) Readme/What's new
Brian Havard's build of OpenSSL v0.9.7e.
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.7e-cli-os2.zip  local copy
OpenSSL v. 0.9.7a (21/4/2003, Johannes Hromadka) Readme/What's new
This is openssl-0.9.7a for OS/2. with the patch against the Klima-Pokorny-Rosa attack on RSA in SSL/TLS applied. I compiled it on Warp4 with emx 0.9d using OS2-EMX.cmd from the original tar ball. The DLLs and EXE are compressed with LXLite. Put openssl in a directory in your PATH and the DLLs to a direcotory in your LIBPATH. Copy conf\openssl.cnf.demoCA to a directory of your choice and set the environement variable OPENSSL_CONF by putting SET OPENSSL_CONF=D:\MPTN\etc\ssl\openssl.cnf into CONFIG.SYS. If you want to compile your own programs and link them with the opensll put the files from include and lib to your emx directory. Note that openssl is a subdirectory of your include directory. If you need .lib files you can create them using emxomf. See the doc directory for some information and visit http://www.columbia.edu/~ariel/ssleay/ for more infos. Grab the full source at http://www.openssl.org/ There are many ways to make your own keys and certificates. A good solution is to use sslRexx. It provides everithing you need Here is a short desctription how I made my own Certification Authority, a Server Key for Apache and a client Key/Certificate for me, signed by my own CA. Root CA: The root CA is needed to sign all certificates ======= Generate a CA-Key and store it in sub-directory private: openssl genrsa -des3 -out private/MyOwnCA.pem 2048 Make a selfsigned certificate based on above key. openssl req -new -x509 -days 730 -key private/CAkey.pem -out CAcert.pem optional generate text output of this certificate: openssl x509 -in ./CAcert.pem -text > CAcert.txt Now you have a key and certificate for your own CA which can be used to sign user and server keys. The CAcert is also needed to configure Apache and Netscape. You can/should give away the CA certificate but never give the CA key to anybody. Make a Key and Certificate for the Apache Server ================================================ Generate a key -------------- openssl genrsa -des3 -out server-key.pem 2048 With this variant, you will be prompted for a protecting password. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above. NOTE: if you intend to use the key together with a server certificate, you may want to avoid protecting it with a password, since that would mean someone would have to type in the password every time the server needs to access the key. But then you should protect the server key in another way. Create a signing request ------------------------ openssl req -new -key server-key.pem -out server-req.pem Now send this request to your CA for signing. Since you are your own CA sign it: -------- openssl ca -in server-req.pem -out server-cert.pem -outdir MyOwnCA/newcerts Verify the certificate openssl verify -CAfile CAcert.pem server-cert.pem Now you have a key and a certificate for your Apache Webserver. Your Client Certificate/Key =========================== Generate a private key ---------------------- openssl genrsa -des3 -out hrom-key.pem 2048 Create a signing request ------------------------ openssl req -new -key hrom-key.pem -out hrom-req.pem Let the CA sign it ------------------ openssl ca -in hrom-req.pem -out hrom-cert.pem -outdir MyOwnCA/newcerts After you get back the certificate from the CA, combine it with your private key and store the result as p12 file. This file can be imported into your browser. openssl pkcs12 -export -name Hromadka -in hrom-cert.pem -inkey hrom-key.pem -out hrom.p12 Securtiy Notes: Never give your private key to a CA, they only need the signing request. Never give away your p12 file. Always secure your private keys with a passphrase. -- Johannes Hromadka Johannes.Hromadka@gmx.net 2003-03-02
 hobbes.nmsu.edu/download/pub/os2/util/encrypt/openssl-0.9.7a-os2-bin.zip
OpenSSL v. 0.9.7d (21/3/2003, Brian Havard) Readme/What's new
Brian Havard's build of OpenSSL v0.9.7d.
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.7d-cli-os2.zip  local copy
OpenSSL v. 0.9.6 (15/2/2001, Vladimir Anufriev) Readme/What's new
If you need to build the OpenSSL library for yourself, EG you're porting an application that requires SSL or other cryptography functions provided by it, all you need to do is the following. Download the official OpenSSL source code from the OpenSSL web site Extract the source using tar xzf openssl-0.9.6.tar.gz Delete all the 0 length files in openssl-0.9.6\include\openssl that tar makes in place of symlinks Apply the patch openssl-emx.patch in the openssl-0.9.6 directory using a unix style patch program like gnupatch.zip and a command line like patch -p0 < openssl-emx.patch While still in the openssl-0.9.6 directory, run os2\emx.cmd to generate the makefiles. Note that this requires that you have a PERL interpreter installed. Run make -f emx.mak Once finished, you'll find the libraries, test programs & the openssl.exe command line application in the out2 directory. You may need to move the .a files up into the openssl-0.9.6 directory for other applications to find them for linking.
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.6.zip  local copy
OpenSSL v. 0.9.6 (build on OS2, 3/2/2001, Ilya) Readme/What's new
a) Needed to fix SHELL= lines in all the daughter Makefile.ssl files. Run pfind -bak=-orig . "/^Makefile\.ssl$/" "=~ s/^(?=TOP\s*=)/SHELL=sh\n/" and manually remove SHELL=/bin/sh from toplevel Makefile.ssl. b) Add syslog.h to ./include; [I took it from ssh source of OS/2 port of 1.14] c) Run make -f Makefile.ssl. When the build of openssl.exe fails, put syslog.obj into the toplevel directory and run this: cp os2/sslcrypt.def-short sslcrypt.def cp os2/openssl.def-short openssl.def emxexp libcrypto.a >>sslcrypt.def emxexp libssl.a >>openssl.def emxomf libcrypto.a libssl.a emximp -o crypto.a sslcrypt.def emximp -o ssl.a openssl.def emximp -o crypto.lib sslcrypt.def emximp -o ssl.lib openssl.def gcc -Zmt -Zdll -Zomf -Zcrtdll -s -o sslcrypt.dll libcrypto.lib syslog.obj sslcrypt.def -lsocket gcc -Zmt -Zdll -Zomf -Zcrtdll -s -o openssl.dll libssl.lib openssl.def -lsocket crypto.lib make -f Makefile.ssl to build tests and apps. Alternatively, apply the patch in os2/patches/README and do as it is said there. Problems: 1) openssl reads in text mode (See os2/patches/README for details); 2) not enough randomness; 3) A lot of test files hardwire /bin/rm; not all corrected. Ilya
 www.os2site.com/sw/internet/openssl/old/openssl-0.9.6-build-on-os2.zip  local copy
Record updated last time on: 11/01/2023 - 22:00

Translate to...

Add new comment