OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
need to ascertain the identity of the party at the other end.
OpenSSL contains an implementation of the SSL and TLS protocols.
License
Apache-2.0
Changelog
* Tue Jan 27 2026 lucas.mulling@suse.com
- Security fixes:
* Missing ASN1_TYPE validation in PKCS#12 parsing
- openssl-CVE-2026-22795.patch [bsc#1256839, CVE-2026-22795]
* ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
- openssl-CVE-2026-22795.patch [bsc#1256840, CVE-2026-22796]
* Missing ASN1_TYPE validation in TS_RESP_verify_response() function
- openssl-CVE-2025-69420.patch [bsc#1256837, CVE-2025-69420]
* NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
- openssl-CVE-2025-69421.patch [bsc#1256838, CVE-2025-69421]
* Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
- openssl-CVE-2025-69419.patch [bsc#1256836, CVE-2025-69419]
* TLS 1.3 CompressedCertificate excessive memory allocation
- openssl-CVE-2025-66199.patch [bsc#1256833, CVE-2025-66199]
* Heap out-of-bounds write in BIO_f_linebuffer on short writes
- openssl-CVE-2025-68160.patch [bsc#1256834, CVE-2025-68160]
* Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
- openssl-CVE-2025-69418.patch [bsc#1256835, CVE-2025-69418]
* 'openssl dgst' one-shot codepath silently truncates inputs greater than 16MB
- openssl-CVE-2025-15469.patch [bsc#1256832, CVE-2025-15469]
* Stack buffer overflow in CMS AuthEnvelopedData parsing
- openssl-CVE-2025-15467.patch [bsc#1256830, CVE-2025-15467]
- openssl-CVE-2025-15467-comments.patch
- openssl-CVE-2025-15467-test.patch
* Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
- openssl-CVE-2025-11187.patch [bsc#1256829, CVE-2025-11187]
* NULL dereference in SSL_CIPHER_find() function on unknown cipher ID
- openssl-CVE-2025-15468.patch [bsc#1256831, CVE-2025-15468]
- Enable livepatching support for ppc64le [bsc#1257274]
* Tue Sep 30 2025 lucas.mulling@suse.com
- Security fix: [bsc#1250232 CVE-2025-9230]
* Fix out-of-bounds read & write in RFC 3211 KEK unwrap
* Add patch openssl3-CVE-2025-9230.patch
- Security fix: [bsc#1250233 CVE-2025-9231]
* Fix timing side-channel in SM2 algorithm on 64 bit ARM
* Add patch openssl3-CVE-2025-9231.patch
- Security fix: [bsc#1250234 CVE-2025-9232]
* Fix out-of-bounds read in HTTP client no_proxy handling
* Add patch openssl3-CVE-2025-9232.patch
* Sun Aug 17 2025 lucas.mulling@suse.com
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
* Wed Jul 30 2025 pmonreal@suse.com
- Disable LTO for userspace livepatching [jsc#PED-13245]
* Thu May 29 2025 pmonreal@suse.com
- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
* Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]
* Mon May 26 2025 lucas.mulling@suse.com
- Security fix: [bsc#1243564, CVE-2025-4575]
* Fix the x509 application adding trusted use instead of rejected use
* Add openssl-CVE-2025-4575.patch
* Thu May 15 2025 pmonreal@suse.com
- FIPS: Fix the speed command in FIPS mode for KMAC
* Add openssl-FIPS-Fix-openssl-speed-KMAC.patch
* Mon May 12 2025 pmonreal@suse.com
- FIPS: Restore the check to deny SHA1 signatures in FIPS mode and
the functionality to allow/deny via crypto-policies. [jsc#PED-12224]
* Remove openssl-rh-allow-sha1-signatures.patch
* Add patches:
- openssl-Allow-disabling-of-SHA1-signatures.patch
- openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
* Fri Apr 04 2025 lucas.mulling@suse.com
- Update to 3.5.0:
* Security fixes:
- [bsc#1243459, CVE-2025-27587] Minerva side channel vulnerability in P-384
* Changes:
- Default encryption cipher for the req, cms, and smime applications
changed from des-ede3-cbc to aes-256-cbc.
- The default TLS supported groups list has been changed to include
and prefer hybrid PQC KEM groups. Some practically unused groups
were removed from the default list.
- The default TLS keyshares have been changed to offer X25519MLKEM768
and X25519.
- All BIO_meth_get_*() functions were deprecated.
* New features:
- Support for server side QUIC (RFC 9000)
- Support for 3rd party QUIC stacks including 0-RTT support
- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
- A new configuration option no-tls-deprecated-ec to disable support
for TLS groups deprecated in RFC8422
- A new configuration option enable-fips-jitter to make the FIPS
provider to use the JITTER seed source
- Support for central key generation in CMP
- Support added for opaque symmetric key objects (EVP_SKEY)
- Support for multiple TLS keyshares and improved TLS key establishment
group configurability
- API support for pipelining in provided cipher algorithms
* Remove patches:
- openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
- openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
- openssl-3-add-defines-CPACF-funcs.patch
- openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
- openssl-3-add-xof-state-handling-s3_absorb.patch
- openssl-3-fix-state-handling-sha3_absorb_s390x.patch
- openssl-3-fix-s390x_shake_squeeze.patch
- openssl-3-hw-acceleration-aes-xts-s390x.patch
- openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
- openssl-3-fix-state-handling-keccak_final_s390x.patch
- openssl-3-add-hw-acceleration-hmac.patch
- openssl-3-fix-state-handling-sha3_final_s390x.patch
- openssl-3-fix-hmac-digest-detection-s390x.patch
- openssl-3-support-multiple-sha3_squeeze_s390x.patch
- openssl-3-fix-sha3-squeeze-ppc64.patch
- openssl-3-fix-s390x_sha3_absorb.patch
- openssl-3-fix-state-handling-shake_final_s390x.patch
- openssl-3-add_EVP_DigestSqueeze_api.patch
- openssl-FIPS-enforce-security-checks-during-initialization.patch
- openssl-FIPS-140-3-zeroization.patch
- openssl-FIPS-Add-explicit-indicator-for-key-length.patch
- openssl-FIPS-Mark-SHA1-as-nonapproved.patch
- openssl-Remove-EC-curves.patch
- openssl-FIPS-services-minimize.patch
- openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch
- openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch
- openssl-3-fix-quic_multistream_test.patch
- openssl-3-jitterentropy-3.4.0.patch
- openssl-Add-FIPS-indicator-parameter-to-HKDF.patch
- openssl-FIPS-140-3-DRBG.patch
- openssl-FIPS-Use-FFDHE2048-in-self-test.patch
- openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
- openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch
- openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
- openssl-FIPS-enforce-EMS-support.patch
- openssl-Allow-disabling-of-SHA1-signatures.patch
- openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
* Rebased patches:
- openssl-pkgconfig.patch
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-Add-Kernel-FIPS-mode-flag-support.patch
- openssl-Force-FIPS.patch
- openssl-disable-fipsinstall.patch
- openssl-FIPS-embed-hmac.patch
- openssl-Add-changes-to-ectest-and-eccurve.patch
- openssl-Disable-explicit-ec.patch
- openssl-skipped-tests-EC-curves.patch
- openssl-FIPS-140-3-keychecks.patch
- openssl-FIPS-early-KATS.patch
- openssl-FIPS-limit-rsa-encrypt.patch
- openssl-FIPS-Expose-a-FIPS-indicator.patch
- openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
- openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
- openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
- openssl-FIPS-Enforce-error-state.patch
- openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch
- openssl-FIPS-enforce-EMS-support.patch
- openssl-TESTS-Disable-default-provider-crypto-policies.patch
- openssl-skip-quic-pairwise.patch
* Add patches:
- openssl-FIPS-Fix-encoder-decoder-negative-test.patch
- openssl-FIPS-SUSE-FIPS-module-version.patch
- openssl-FIPS-EC-disable-weak-curves.patch
- openssl-FIPS-NO-DES-support.patch
- openssl-FIPS-NO-DSA-Support.patch
- openssl-FIPS-NO-Kmac.patch
- openssl-FIPS-NO-PQ-ML-SLH-DSA.patch
- openssl-shared-jitterentropy.patch
- openssl-rh-allow-sha1-signatures.patch
- openssl-disable-75-test_quicapi-test.patch
- Changes between 3.3.0 and 3.4.0:
* Changes:
- Deprecation of TS_VERIFY_CTX_set_* functions and addition of
replacement TS_VERIFY_CTX_set0_* functions with improved semantics
- The X25519 and X448 key exchange implementation in the FIPS provider
is unapproved and has fips=no property.
- SHAKE-128 and SHAKE-256 implementations have no default digest length
anymore. That means these algorithms cannot be used with
EVP_DigestFinal/_ex() unless the xoflen param is set before.
- Setting config_diagnostics=1 in the config file will cause errors to
be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an
error in the ssl module configuration.
- An empty renegotiate extension will be used in TLS client hellos
instead of the empty renegotiation SCSV, for all connections with a
minimum TLS version > 1.0.
- Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
SSL_CTX_flush_sessions() functions in favor of their respective _ex
functions which are Y2038-safe on platforms with Y2038-safe time_t
* New features:
- Support for directly fetched composite signature algorithms such as
RSA-SHA2-256 including new API functions
- FIPS indicators support in the FIPS provider and various updates of
the FIPS provider required for future FIPS 140-3 validations
- Implementation of RFC 9579 (PBMAC1) in PKCS#12
- An optional additional random seed source RNG JITTER using a statically
linked jitterentropy library
- New options -not_before and -not_after for explicit setting start and
end dates of certificates created with the req and x509 apps
- Support for integrity-only cipher suites TLS_SHA256_SHA256 and
TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
- Support for retrieving certificate request templates and CRLs in CMP
- Support for additional X.509v3 extensions related to Attribute Certificates
- Initial Attribute Certificate (RFC 5755) support
- Possibility to customize ECC groups initialization to use precomputed
values to save CPU time and use of this feature by the P-256 implementation
- Changes between 3.2.0 and 3.3.0:
* Changes:
- Optimized AES-CTR for ARM Neoverse V1 and V2
- Various optimizations for cryptographic routines using RISC-V vector
crypto extensions
- Added assembly implementation for md5 on loongarch64
- Accept longer context for TLS 1.2 exporters
- The activate and soft_load configuration settings for providers in
openssl.cnf have been updated to require a value of [1|yes|true|on]
(in lower or UPPER case) to enable the setting. Conversely a value of
[0|no|false|off] will disable the setting.
- In openssl speed, changed the default hash function used with hmac from
md5 to sha256.
- The -verify option to the openssl crl and openssl req will make the
program exit with 1 on failure.
- The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(),
and related functions have been augmented to check for a minimum length
of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
- OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
if called with a NULL stack argument.
- New limit on HTTP response headers is introduced to HTTP client.
The default limit is set to 256 header lines.
* Bug fixes and mitigations:
- The BIO_get_new_index() function can only be called 127 times before
it reaches its upper bound of BIO_TYPE_MASK and will now return -1
once it's exhausted.
* New features:
- Support for qlog for tracing QUIC connections has been added
- Added APIs to allow configuring the negotiated idle timeout for QUIC
connections, and to allow determining the number of additional streams
that can currently be created for a QUIC connection.
- Added APIs to allow disabling implicit QUIC event processing for QUIC
SSL objects
- Added APIs to allow querying the size and utilisation of a QUIC
stream's write buffer
- New API SSL_write_ex2, which can be used to send an end-of-stream (FIN)
condition in an optimised way when using QUIC.
- Limited support for polling of QUIC connection and stream objects in a
non-blocking manner.
- Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
times with different output sizes.
- The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
output length.
- The EVP_PKEY_fromdata function has been augmented to allow for the
derivation of CRT (Chinese Remainder Theorem) parameters when requested
- Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
using time_t which is Y2038 safe on 32 bit systems when 64 bit time
is enabled.
- Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored
and the configuration will still be used.
- Added -set_issuer and -set_subject options to openssl x509 to override
the Issuer and Subject when creating a certificate. The -subj option
now is an alias for -set_subject.
- Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
- New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3
server to prefer session resumption using PSK-only key exchange over
PSK with DHE, if both are available.
- New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded.
- Added X509_STORE_get1_objects to avoid issues with the existing
X509_STORE_get0_objects API in multi-threaded applications.
- Support for using certificate profiles and extended delayed delivery in CMP
* Fri Mar 21 2025 lucas.mulling@suse.com
- FIPS: Mark SHA-1 as non-approved in the SLI. [jsc#PED-12224]
* Add openssl-FIPS-Mark-SHA1-as-nonapproved.patch
* Wed Mar 05 2025 lucas.mulling@suse.com
- Introduce --without lto. When %{optflags} contains -flto=*, test cases are
also built using -flto=*, which significantly increases build times; this
option disables lto, which improves iteration times when developing.
* Tue Feb 11 2025 lucas.mulling@suse.com
- Update to 3.2.4:
* Fixed: RFC7250 handshakes with unauthenticated servers don't abort as
expected. [bsc#1236599, CVE-2024-12797]
* Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters. [CVE-2024-9143]
- Remove patch openssl-CVE-2024-13176.patch
- Rebase patches:
* openssl-3-add_EVP_DigestSqueeze_api.patch
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-RSA-encapsulate.patch
* openssl-disable-fipsinstall.patch
* Wed Jan 22 2025 lucas.mulling@suse.com
- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation
* Add patch openssl-CVE-2024-13176.patch
* Mon Dec 23 2024 giuliano.belinassi@suse.com
- Add support for userspace livepatching on ppc64le (jsc#PED-11850).
- Use gcc-13 for ppc64le.
* Tue Dec 17 2024 pmonreal@suse.com
- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
* Rebase patches:
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-TESTS-Disable-default-provider-crypto-policies.patch
* Tue Nov 12 2024 pmonreal@suse.com
- Do not use HASHBANGPERL to avoid introducing a dependency on the
perl-base package. [bsc#1233235]
* Thu Nov 07 2024 angel.yankov@suse.com
- Add missing fixes for SHA3_squeeze and quic_multistream_test on
ppc64 arch. [jsc#PED-10280]
* Added openssl-3-fix-sha3-squeeze-ppc64.patch
* Added openssl-3-fix-quic_multistream_test.patch
* Tue Nov 05 2024 angel.yankov@suse.com
- Support MSA 11 HMAC on s390x [jsc#PED-10274]
* Add openssl-3-disable-hmac-hw-acceleration-with