whats the difference between OpenSSL builds

Question

I was going to download and compile OpenSSL but I'm a little confused to what the differences are between:

OpenSSL 1.1.1a, OpenSSL 1.0.2.q and OpenSSL 1.1.0j

the confusing thing is that they were both released on the same date which sorta throws out the initial differences if one was a newer build number than the other.

If there is a difference, when would you use one over the other?

Answer 1

1.0.2 1.1.0 1.1.1 are the currently supported releases, as explained at https://www.openssl.org/policies/releasestrat.html (although slightly out of date; 1.1.1 was released 2018-09). As stated the main change in 1.1.1 is adding TLS1.3; the big changes in 1.1.0 (released 2016-08) were complete rewrites of the protocol state machines (resulting in dropping SSL2 and static-[EC]DH suites; also SSLv3 is disabled by default but can be enabled at configure time) and commandline option handling, and making many of the API structs opaque. Fairly detailed changes for every patch version are in the CHANGES file in the respective (source) tarball.

According to CHANGES for 1.0.2q 1.1.0j 1.1.1a, those patches (letters) of the three currently supported releases were all done on 2018-11-20 for CVE-2018-0734 plus 1.0.2 for CVE-2018-5407 and 1.1.0 and 1.1.1 for CVE-2018-0735, plus a few bugs. Frequently when a vulnerability is found it affects more than one release and all or at least several of them are patched simultaneously, and that occurred this time.