CipherCtxRef::minimal_output_size
method, which did not work properly.NO_DEPRECATED_3_0
cfg checks for more APIs.SslRef::add_chain_cert
.PKeyRef::security_bits
.Provider::set_default_search_path
.CipherCtxRef::cipher_final_unchecked
.CipherCtxRef::num
, CipherCtxRef::minimal_output_size
, and CipherCtxRef::cipher_update_unchecked
.CipherCtxRef::cipher_update
.X509Lookup::file
and X509LookupRef::load_cert_file
.Nid::BRAINPOOL_P256R1
, Nid::BRAINPOOL_P384R1
, Nid::BRAINPOOL_P512R1
.BigNumRef::copy_from_slice
.Cipher
constructors for Camellia, CAST5, and IDEA ciphers.DsaSig
.X509StoreBuilderRef::set_param
.X509VerifyParam::new
, X509VerifyParamRef::set_time
, and X509VerifyParamRef::set_depth
.SslRef::psk_identity_hint
and SslRef::psk_identity
.Nid
.SslOptions::PRIORITIZE_CHACHA
.X509ReqRef::to_text
.MdCtxRef::size
.X509NameRef::try_cmp
.MdCtxRef::reset
.MdCtxRef::digest_verify_init
to support PKey
s with only public components.Error::function
and Error::file
with OpenSSL 3.x.MessageDigest::block_size
and MdRef::block_size
.Ord
and Eq
for X509
and X509Ref
.X509Extension::add_alias
.EcGroup::from_components
EcGropuRef::set_generator
, and EcPointRef::set_affine_coordinates_gfp
.SslContextBuilder::set_tmp_ecdh_callback
and SslRef::set_tmp_ecdh_callback
.SslRef::extms_support
.Nid::create
.CipherCtx
, which exposes a more direct interface to EVP_CIPHER_CTX
.PkeyCtx
, which exposes a more direct interface to EVP_PKEY_CTX
.MdCtx
, which exposes a more direct interface to EVP_MD_CTX
.Pkcs12Builder::mac_md
.Provider
.X509Ref::issuer_name_hash
.Decrypter::set_rsa_oaep_label
.X509Ref::to_text
.Pkey::ec_gen
.no-chacha
.BigNumRef::to_vec_padded
.X509Name::from_der
and X509NameRef::to_der
.BigNum::new_secure
, BigNumReef::set_const_time
, BigNumref::is_const_time
, and BigNumRef::is_secure
.Asn1Object::as_slice
.PKeyRef::{raw_public_key, raw_private_key, private_key_to_pkcs8_passphrase}
and PKey::{private_key_from_raw_bytes, public_key_from_raw_bytes}
.Cipher::{seed_cbc, seed_cfb128, seed_ecb, seed_ofb}
.Deriver
.SslStream::peek
.Dh::set_private_key
and DhRef::private_key
.EcPointRef::affine_coordinates
.TryFrom
implementations to convert between PKey
and specific key types.X509StoreBuilderRef::set_flags
.Dh::generate_params
now uses DH_generate_params_ex
rather than the deprecated DH_generated_params
function.Asn1Type
.CmsContentInfoRef::decrypt_without_cert_check
.EcPointRef::{is_infinity, is_on_curve}
.Encrypter::set_rsa_oaep_label
.MessageDigest::sm3
.Pkcs7Ref::signers
.Cipher::nid
.X509Ref::authority_info
and AccessDescription::{method, location}
.X509NameBuilder::{append_entry_by_text_with_type, append_entry_by_nid_with_type}
.Ssl::new
to take a &SslContextRef
rather than &SslContext
.encrypt
module to support asymmetric encryption and decryption with PKey
s.MessageDigest::from_name
.ConnectConfiguration::into_ssl
.SslStream
s directly from an Ssl
and transport stream without performing any part of the handshake with SslStream::new
.SslStream::{read_early_data, write_early_data, connect, accept, do_handshake, stateless}
.ToOwned
for SslContextRef
.SslRef::{set_connect_state, set_accept_state}
.SslStream::from_raw_parts
in favor of Ssl::from_ptr
and SslStream::new
.SslStreamBuilder
in favor of methods on Ssl
and SslStream
.Asn1Object::from_str
.Dh::from_pgq
, DhRef::prime_p
, DhRef::prime_q
, DhRef::generator
, DhRef::generate_params
, DhRef::generate_key
, DhRef::public_key
, and DhRef::compute_key
.Pkcs7::from_der
and Pkcs7Ref::to_der
.Id::X25519
, Id::X448
, PKey::generate_x25519
, and PKey::generate_x448
.SrtpProfileId::SRTP_AEAD_AES_128_GCM
and SrtpProfileId::SRTP_AEAD_AES_256_GCM
.SslContextBuilder::verify_param
and SslContextBuilder::verify_param_mut
.X509Ref::subject_name_hash
and X509Ref::version
.X509StoreBuilderRef::add_lookup
, and the X509Lookup
type.X509VerifyFlags
, X509VerifyParamRef::set_flags
, X509VerifyParamRef::clear_flags
X509VerifyParamRef::get_flags
.DsaRef::private_key_to_pem
can no longer be called without a private key.Debug
implementations of many types.is_empty
implementations for Asn1StringRef
and Asn1BitStringRef
.EcPointRef::{to_pem, to_dir}
and EcKeyRef::{public_key_from_pem, public_key_from_der}
.Default
implementations for many types.Debug
implementations for many types.SslStream::from_raw_parts
.SslRef::set_mtu
.Cipher::{aes_128_ocb, aes_192_ocb, aes_256_ocb}
.SslStreamBuilder::set_dtls_mtu_size
in favor of SslRef::set_mtu
.X509Builder::append_extension
.SslConnector::into_context
and SslConnector::context
.SslAcceptor::into_context
and SslAcceptor::context
.SslMethod::tls_client
and SslMethod::tls_server
.SslContextBuilder::set_cert_store
.SslContextRef::verify_mode
and SslRef::verify_mode
.SslRef::is_init_finished
.X509Object
.X509StoreRef::objects
.Signer::sign_oneshot
and Verifier::verify_oneshot
. This is unfortunately a breaking change, but a necessary soundness fix.MessageDigest::null
.PKey::private_key_from_pkcs8
.SslOptions::NO_RENEGOTIATION
.SslStreamBuilder::set_dtls_mtu_size
.envelope::{Seal, Unseal}
.Asn1TimeRef::{diff, compare}
.Asn1Time::from_unix
.PartialEq
and PartialOrd
implementations for Asn1Time
and Asn1TimeRef
.base64::{encode_block, decode_block}
.EcGroupRef::order_bits
.Clone
implementations for Sha1
, Sha224
, Sha256
, Sha384
, and Sha512
.SslContextBuilder::{set_sigalgs_list, set_groups_list}
.EcdsaSig::from_private_components
when using OpenSSL 1.0.x.ToOwned
for PKeyRef
and Clone
for PKey
.SSL_set_app_data
.aes::{wrap_key, unwrap_key}
.CmsContentInfoRef::to_pem
and CmsContentInfo::from_pem
.DsaRef::private_key_to_pem
.EcGroupRef::{cofactor, generator}
.EcPointRef::to_owned
.Debug
implementation for EcKey
.SslAcceptor::{mozilla_intermediate_v5, mozilla_modern_v5}
.Cipher::{aes_128_ofb, aes_192_ecb, aes_192_cbc, aes_192_ctr, aes_192_cfb1, aes_192_cfb128, aes_192_cfb8, aes_192_gcm, aes_192_ccm, aes_192_ofb, aes_256_ofb}
.Ssl
's context is replaced.SslContextBuilder::add_client_ca
.Crypter
when using stream ciphers.PkeyRef::size
.CmsContentInfo::from_der
and CmsContentInfo::encrypt
.X509Ref::verify
and X509ReqRef::verify
.PartialEq
and Eq
for MessageDigest
.MessageDigest::type_
and EcGroupRef::curve_name
.ERR_PACK
to openssl-sys.ERR_*
functions in openssl-sys are const functions when building against newer Rust versions.Clone
for Dsa
.SslContextRef::add_session
and SslContextRef::remove_session
.SslSessionRef::time
, SslSessionRef::timeout
, and SslSessionRef::protocol_version
.SslContextBuilder::set_session_cache_size
and SslContextRef::session_cache_size
.ssl::cipher_name
.AsRef<str>
and AsRef<[u8]>
for OpenSslString
.Asn1Integer::from_bn
.RsaRef::check_key
.Asn1Time::from_str
and Asn1Time::from_str_x509
.Rsa::generate_with_e
.Cipher::des_ede3_cfb64
.SslCipherRef::standard_name
and ssl::cipher_name
.MessageDigest
.rand::keep_random_devices_open
.DoubleEndedIterator
for stack iterators.vendored
feature has been upgraded from 1.1.0 to 1.1.1.SslContextBuilder::set_get_session_callback
API.SslContextBuilder::set_client_hello_callback
.EcdsaSig::from_der
and EcdsaSig::to_der
.SslRef::get_shutdown
and SslRef::set_shutdown
.vendored
cargo feature will cause openssl-sys to compile and statically link to a vendored copy of OpenSSL.SslContextBuilder::set_psk_server_callback
.DsaRef::pub_key
and DsaRef::priv_key
.Dsa::from_private_components
and Dsa::from_public_components
.X509NameRef::entries
.SslContextBuilder::set_psk_callback
has been renamed to SslContextBuilder::set_psk_client_callback
and deprecated.SslRef::set_alpn_protos
.SslContextBuilder::set_ciphersuites
.CmsContentInfo::sign
.SslRef::servername
now returns None
rather than panicking on a non-UTF8 name.MessageDigest::from_nid
.Nid::signature_algorithms
, Nid::long_name
, and Nid::short_name
.SslRef::verified_chain
.SslRef::servername_raw
which returns a &[u8]
rather than &str
.SslRef::finished
and SslRef::peer_finished
.X509Ref::digest
to replace X509Ref::fingerprint
.X509StoreBuilder
and X509Store
now implement Sync
and Send
.X509Ref::fingerprint
has been deprecated in favor of X509Ref::digest
.openssl-sys
will now detect Homebrew-installed OpenSSL when installed to a non-default directory.X509_V_ERR_INVALID_CALL
, X509_V_ERR_STORE_LOOKUP
, and X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION
constants in openssl-sys
are now only present when building against 1.1.0g and up rather than 1.1.0.SslContextBuilder::max_proto_version
and SslContextBuilder::min_proto_version
are only present when building against 1.1.0g and up rather than 1.1.0.CmsContentInfo::sign
.Clone
and ToOwned
implementations to Rsa
and RsaRef
respectively.min_proto_version
and max_proto_version
methods are available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.X509VerifyParam
is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.Stack
and StackRef
are now Sync
and Send
.X509Req::public_key
and X509Req::extensions
.RsaPrivateKeyBuilder
to allow control over initialization of optional components of an RSA private key.SslSession
.DEP_OPENSSL_VERSION_NUMBER
and DEP_OPENSSL_LIBRESSL_VERSION_NUMBER
environment variables to downstream build scripts which contains the hex-encoded version number of the OpenSSL or LibreSSL distribution being built against. The other variables are deprecated.SslOptions::ENABLE_MIDDLEBOX_COMPAT
.Sync
and Send
implementations.PKeyRef::id
.Padding::PKCS1_PSS
.Signer::set_rsa_pss_saltlen
, Signer::set_rsa_mgf1_md
, Signer::set_rsa_pss_saltlen
, and Signer::set_rsa_mgf1_md
X509StoreContextRef::verify
to directly verify certificates.EcKey::from_private_components
.X509Ref::serial_number
.Asn1IntegerRef::to_bn
.PKey::private_key_from_der
to return a PKey<Private>
rather than a PKey<Public>
. This is technically a breaking change but the function was pretty useless previously.X509CheckFlags::FLAG_NO_WILDCARDS
has been renamed to X509CheckFlags::NO_WILDCARDS
and the old name deprecated.ErrorStack
's Display
implementation no longer writes an empty string if it contains no errors.SslRef::version2
.Cipher::des_ede3_cbc
.SslRef::export_keying_material
.Error
or ErrorStack
back onto OpenSSL's error stack. Various callback bindings use this to propagate errors properly.SslContextBuilder::set_cookie_generate_cb
and SslContextBuilder::set_cookie_verify_cb
.SslContextBuilder::set_max_proto_version
, SslContextBuilder::set_min_proto_version
, SslContextBuilder::max_proto_version
, and SslContextBuilder::min_proto_version
.SslConnector
‘s default cipher list to match Python’s.SslRef::version
has been deprecated. Use SslRef::version_str
instead.Rsa::public_key_from_pem_pkcs1
.SslOptions::NO_TLSV1_3
. (OpenSSL 1.1.1 only)SslVersion
.SslSessionCacheMode
and SslContextBuilder::set_session_cache_mode
.SslContextBuilder::set_new_session_callback
, SslContextBuilder::set_remove_session_callback
, and SslContextBuilder::set_get_session_callback
.SslContextBuilder::set_keylog_callback
. (OpenSSL 1.1.1 only)SslRef::client_random
and SslRef::server_random
. (OpenSSL 1.1.0+ only)SslAcceptorBuilder::mozilla_modern
constructor now disables TLSv1.0 and TLSv1.1 in accordance with Mozilla's recommendations.GeneralName
accessors for rfc822Name
and uri
variants.X509StoreBuilder::add_cert
.ConnectConfiguration::set_use_server_name_indication
and ConnectConfiguration::set_verify_hostname
for use in contexts where you don't have ownership of the ConnectConfiguration
.From<ErrorStack> for ssl::Error
implementation.ssl::select_next_proto
function can be used to easily implement the ALPN selection callback in a “standard” way.fips
module.X509VerifyResult
can now be set in the certificate verification callback via X509StoreContextRef::set_error
.All constants have been moved to associated constants of their type. For example, bn::MSB_ONE
is now bn::MsbOption::ONE
.
Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume that certain components are present and will segfault trying to use things that aren't there.
The pkey
module contains new tag types named Params
, Public
, and Private
, and the Dh
, Dsa
, EcKey
, Rsa
, and PKey
have a type parameter set to one of those values. This allows the Signer
constructor to indicate that it requires a private key at compile time for example. Previously, Signer
would simply segfault if provided a key without private components.
ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single method used for both the server and client sides which performed everything automatically, the SslContextBuilder::set_alpn_protos
and SslContextBuilder::set_alpn_select_callback
handle the client and server sides respectively.
SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication
has been removed in favor of new methods which provide more control. The ConnectConfiguration::use_server_name_indication
method controls the use of Server Name Indication (SNI), and the ConnectConfiguration::verify_hostname
method controls the use of hostname verification. These can be controlled independently, and if both are disabled, the domain argument to ConnectConfiguration::connect
is ignored.
Shared secret derivation is now handled by the new derive::Deriver
type rather than pkey::PKeyContext
, which has been removed.
ssl::Error
is now no longer an enum, and provides more direct access to the relevant state.
SslConnectorBuilder::new
has been moved and renamed to SslConnector::builder
.
SslAcceptorBuilder::mozilla_intermediate
and SslAcceptorBuilder::mozilla_modern
have been moved to SslAcceptor
and no longer take the private key and certificate chain. Install those manually after creating the builder.
X509VerifyError
is now X509VerifyResult
and can now have the “ok” value in addition to error values.
x509::X509FileType
is now ssl::SslFiletype
.
Asymmetric key serialization and deserialization methods now document the formats that they correspond to, and some have been renamed to better indicate that.
SslRef::compression
has been removed.ssl::SslOptions
flags have been removed as they no longer do anything.Look at the release tags for information about older releases.