Reading the 1.0.2j CHANGES file, it appears that 1.0.2 was built from 1.0.1l. And there are 1124 lines of description of the changes for 1.0.2 and about 500 lines of changes from 1.0.1l to 1.0.1u. And my knowledge of OpenSSL is VERY VERY small.

Looking at 1.0.1l, aside from bug fixes, I've found some changes that do not look like bugfixes:

- dhparam: generate 2048-bit parameters by default. (1.0.1n)
- Reject DH handshakes with parameters shorter than 768 bits.
- In DSA_generate_parameters_ex, if the provided seed is too short, use a random seed, as already documented.
- Reject DH handshakes with parameters shorter than 1024 bits.
- Disable SRP fake user seed to address a server memory leak. Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
- Remove LOW from the DEFAULT cipher list. This removes single DES from the default.

However, only the first one, in bold, appears in 1.0.1l and NOT in 1.0.2j.

So, my question is still: why does OpenSSL still deliver 1.0.1* though 1.0.2* should provide the same changes plus new features? Because the change "dhparam: generate 2048-bit parameters by default." appears in 1.0.1[n-l] and not in 1.0.2*?

I need to know in order to decide if I still manage 1.0.1 compatibility in addition to delivering 1.0.2[last version].

Help is welcome!

Tony

On 26/09/2016 at 17:53, Salz, Rich wrote:

However, out of more ABIs delivered by 1.0.2 compared to 1.0.1, I do not understand what is the exact difference between versions 1.0.1 and 1.0.2.

Perhaps look at the CHANGES file in 1.0.2 and see what's been added?

1.0.1 only gets bugfixes, 1.0.2 adds features, but starting with 1.0.2a only gets bugfixes.

Hope this helps.

--
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz