Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Encryption Communications Open Source Software The Internet Upgrades Your Rights Online

OpenSSL 1.0.2 Released 97

kthreadd writes The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2 which is ABI compatible with the 1.0.0 and 1.0.1 series. Major new features in this release include Suite B support for TLS 1.2 and DTLS 1.2 and support for DTLS 1.2. selection. Other major changes include TLS automatic EC curve selection, an API to set TLS supported signature algorithms and curves, the SSL_CONF configuration API, support for TLS Brainpool, support for ALPN and support for CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
This discussion has been archived. No new comments can be posted.

OpenSSL 1.0.2 Released

Comments Filter:
  • libressl-2.1.3 (Score:2, Informative)

    by Anonymous Coward

    libressl-2.1.3.tar.gz 21-Jan-2015 2.7M [openbsd.org]. For you non Open BSD users: portability wrappers [github.com]. Full Source [github.com].

    • Re:libressl-2.1.3 (Score:5, Insightful)

      by Anon E. Muss ( 808473 ) on Saturday January 24, 2015 @09:30PM (#48895959)

      libressl is NOT portable. Supporting BSD and Linux is not the definition of "portable" (see also: "We play both types of music: Country and Western"). The libressl code depends on the non-standard #include_next preprocessor directive, so it can only build with GCC (and probably clang, which emulates many GCC-isms). Forget about building on Windows using Microsoft's C compiler.

      OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

      • Re: (Score:3, Insightful)

        by ron_ivi ( 607351 )

        NOT portable .... Forget about building on Windows using Microsoft's C compiler.

        Just because one compiler for one platform fails to support a popular C extension doesn't mean the library isn't portable.

        You can always choose to complie on that platform using one of the compliers that *does* support the extension.

        • Just because one compiler for one platform fails to support a popular C extension doesn't mean the library isn't portable.

          Except that the one platform is Windows, which accounts for the vast majority of desktop PC's and laptops, and a significant chunk of servers. And the one compiler is the standard for Windows, used by the vast majority of Windows developers.

          You don't have to like this, but it is the truth.

          In my opinion, any software that can't compile on Windows using the native toolchain doesn't qualify as "portable". That doesn't make it bad software. It just isn't "portable" software.

          • by ron_ivi ( 607351 )

            one compiler is the standard for Windows

            That sounds like the source of the portability issues right there.

            Perhaps that OS vendor could encourage more complier writers to support compliers for that platform.

      • Re:libressl-2.1.3 (Score:5, Informative)

        by armanox ( 826486 ) <asherewindknight@yahoo.com> on Sunday January 25, 2015 @01:26AM (#48896839) Homepage Journal
        Actually, libressl supports OS X and HP-UX as well. Some groundwork is in place for supporting AIX and IRIX (I no longer have access to AIX to continue porting, and I'm not sure IRIX will ever work right). If you really wanted it to work with MSVC, you could write, test, and propose the patches to make it work. I'm all for eliminating GCCisms (the areas I've been poking at the code I'm not trying to eliminate GCCisms, not my priority).
        • by armanox ( 826486 )
          I forgot Solaris in the supported list! Tested on Solaris 10-11.
        • by dkf ( 304284 )

          I'm not sure IRIX will ever work right

          That matches my memory of trying to build things with the IRIX C compiler too, especially in 64-bit mode. Or were you talking about libressl specifically?

          • by armanox ( 826486 )
            I was referencing libressl in particular on this one. MIPS Pro, when set to c99, seems to handle most code that isn't bound to GCC with some exceptions. I'm building everything 32-bit here, so I can't speak for the 64 bit quirks. I'm also using GCC 4.7 for libressl, among other things that won't build right (php-5.6 and httpd-2.4 being the big ones on that particular box, I've built a lot of things on IRIX to bring stuff up to date though).
      • by MSG ( 12810 )

        OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike

        Kind of. Its license actually isn't compatible with the GPL, so there's a whole lot of Free Software developers that can't use it.

      • Re:libressl-2.1.3 (Score:5, Interesting)

        by peppepz ( 1311345 ) on Sunday January 25, 2015 @03:05AM (#48897057)

        OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

        We have GnuTLS [gnutls.org] which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries [wikipedia.org].

        • OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

          We have GnuTLS [gnutls.org] which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries [wikipedia.org].

          It also has a much worse track record in security, which is why no one uses it as the a primary SSL library and only as a library for operating on certificates.

          • by Anonymous Coward

            Care to provide any actual statistics for that claim, or are you just one of those annoying morons with a habit of being FUDsy against anything with "Gnu" in the name?

            • Care to provide any actual statistics for that claim, or are you just one of those annoying morons with a habit of being FUDsy against anything with "Gnu" in the name?

              No, I prefer GPL when other choices are equal. GnuTLS has just never had a very good reputation, and even from the most optimistic point of view, it has always been secondary to OpenSSL just by having fewer users and fewer developers. I would be great if it was better, but it has had some unfortunately design choice and a long string of serious vulnerabilities. Just look it up.

          • Can someone provide a rundown on the advantages and drawbacks of these libraries, with a particular focus on network-facing applications?
      • Forget about building on Windows using Microsoft's C compiler.

        not my fault your shitty OS doesn't run our security tools. as far as GCC, GCC compiles for almost every platform under the sun, including windows. So the fact it doesn't compile with MS C is a moot point. heck, I can even cross compile for windoze in GNU/Linux

    • by Anonymous Coward on Saturday January 24, 2015 @08:21PM (#48895697)

      http://www.libressl.org/ [libressl.org]

      That site doesn't support SSL...

      • Because it doesn't need it.

        • It's back to the future, future year, WTH isn't every communication secure? It's not a problem with overhead anymore.

          • Two reasons:
            a) Not everything needs to be secure. Some things definitely. More things than we have now certainly. But not everything.
            b) Things break. For example virtual hosting breaks. You can only properly do SSL over virtual hosting if you have an SSL certificate covering all virtual hosts, and those are not free or cheap. Proxying and Caching has issues too. Yes you can do something and there are workarounds, but currently the security arsenal we have is not suitable for the wide variety of applications

          • And in Back to the Future, wasn't Marty's communications with Snake monitored by his Corporate Overload?
        • A site where I'm supposed to get the core of my security from? If this doesn't need some way to ensure that I really connect with it instead of an intercepting mitm that injects its own version, what does?

          • The download link is an external FTP server. So, no, you aren't supposed to download anything from that site.

          • by Desler ( 1608317 )

            If this doesn't need some way to ensure that I really connect with it instead of an intercepting mitm that injects its own version, what does?

            In what universe do you live in that SSL prevents a MITM attack? MITM attacks exist in order to allow an attacker to monitor and modify your supposedly "secure" connections. You ensure that what you downloaded is what you meant to download by using the signify utility as mentioned on the page and verify that the package you download was signed by the OpenSSL devs.

            • by Desler ( 1608317 )

              And to head off the obvious rejoinder, yes, their private key can be compromised to allow an attacker to sign malicious packages. But if that is a genuine concern, why would you possibly trust the security of the SSL connection to their site?

            • by fnj ( 64210 )

              In what universe do you live ... You ensure that what you downloaded is what you meant to download by using the signify utility as mentioned on the page and verify that the package you download was signed by the OpenSSL devs.

              LibreSSL files signed using OpenSSL's private key? In what universe do YOU live?

    • by Aethedor ( 973725 ) on Saturday January 24, 2015 @08:29PM (#48895735) Homepage

      Why start with something bad to make something good. If you want a good SSL library, try PolarSSL [polarssl.org]. It's a quite unknown, but great library. Unlike OpenSSL, this one has good documentation. The Hiawatha webserver [hiawatha-webserver.org] uses it and it easily gives me an A+ score at SSL labs [ssllabs.com].

      • by TechyImmigrant ( 175943 ) on Saturday January 24, 2015 @09:08PM (#48895873) Homepage Journal

        We tried contacting the PolarSSL developers about contributing code to fix their random number problem. No response. No random numbers -> no security.

        No matter what the security problem, it's always the random numbers, or lack thereof that is the problem.

        • And they got swallowed up by ARM, so don't count on cross platform compatibility.

          With any security software, just because it runs, it doesn't mean it works.

        • by Anonymous Coward

          No matter what the security problem, it's always the random numbers, or lack thereof that is the problem.

          (checks apt-get before making a fool of himself) ... Why the hell hasn't somebody made libRNG?

          p.s. Seriously, how hard could it be to split out the RNG code of openssl or libressl and make it the gold standard? Yeah, I know it's generally unproductive to ask such rhetorical questions. Yes, I'm a coder that could do it (never looked at openssl code, but I'm sure I've dealt with worse, so I know it's possible), but I have no desire to become the owner of such a project, so I won't even bother to look at the e

          • by Keruo ( 771880 )

            Why the hell hasn't somebody made libRNG?

            .. no desire to become the owner of such a project..

            You do realize that you answered your own question right there?

          • No matter what the security problem, it's always the random numbers, or lack thereof that is the problem.

            (checks apt-get before making a fool of himself) ... Why the hell hasn't somebody made libRNG?

            p.s. Seriously, how hard could it be to split out the RNG code of openssl or libressl and make it the gold standard? Yeah, I know it's generally unproductive to ask such rhetorical questions. Yes, I'm a coder that could do it (never looked at openssl code, but I'm sure I've dealt with worse, so I know it's possible), but I have no desire to become the owner of such a project, so I won't even bother to look at the effort required. Nor will you, probably. I have plenty of other things occupying my time. Maybe in another 20 years, if I'm retired by then...

            Because on a unix system you just read from /dev/random anyway. Random seeds is an operating system responsibility, you can not make good random numbers without a little good random seed.

        • Can you tell me more about that random number problem?
          • Yes, when I get back in the office and get the details. In hand wavey terms, 0 entropy in specfic VMs on specific headless servers, because it trusts the kernel to get it right.

            • I've done some statistics analysis on the output of PolarSSL's random generator. Looks good to me. Some while ago, they improved the random generator (now using AES). How long ago did you have problems with PolarSSL's random generator? If it was a long time ago, perhaps look at its current generator. Maybe your issue has been solved.
    • Wow is supports Windows and OpenVMS?

      • by armanox ( 826486 )
        Windows yes. I haven't seen anyone submit patches for OpenVMS, and I don't have an OpenVMS system to even try on. It does, however, support OS X, Net and Free BSD, HP-UX, and Solaris. I used to have it working for AIX and IRIX, but changes in the 2.1.x release have broken them for now, and I'm not sure that I'll ever get IRIX working again.
    • This is what I was wondering. That major bug in OpenSSL that caused security issues in applications using it - which caused LibreSSL to be created in the first place - has that been fixed?
  • by Anonymous Coward

    It's an affront to common sense that the Internet's security largely relies on this wretched library, with its utterly dismal coding standards, its hideously, and unnecessarily, baroque and complex API, and its pathetic documentation.

    • It's an affront to common sense to put security as an afterthought on top of another protocol instead of making it an intrinsic part of the protocol. But that's what you get when you use ancient technology (and yes, TCP is ancient by computer standards) and simply refuse to accept that it is necessary to invest into it.

      But security does not sell. Only now people finally start to slowly catch on and realize that there might be a reason for security. They still don't know jack about it. They only know they "k

      • This is stupid.

        If there's one lesson in the history of computing, it's that every type of possible side-channel leaks information like crazy if not properly controlled. So in what world does it make sense to mix up your application or transport protocol with your security protocol? The examples you give have nothing to do with the underlying transport protocols, or overlaying application protocols that have been in use.

        • by DamonHD ( 794830 )

          +1

          The security should work independently of details of the underlying medium and without relying on its exact implementation. A byte stream (observed or not) is just that. Likewise an unreliable packet stream.

          This is what we have abstraction for.

          Rgds

          Damon

    • by reikae ( 80981 )

      It makes sense that a library that exists (duh, but was anything else available in 1998?), is free of charge, and does its job will become widely used. Has a technically superior future alternative ever taken over something that was available when needed? Makes me think of IPv6, but I'm not sure the comparison works.

  • The Ellipse has been broken and is a major security risk

  • First of full disclosure...I am a member of the OpenSSL development team.

    I've read a lot of anti-OpenSSL comments here along with some fairly amusing conspiracy theories! Some criticism is fair but much is not in my view.

    OpenSSL is a very different project to what it was a year ago. This time last year the development team was very small (6 people...not all of whom were active coders, most of whom were doing it in their spare time). Supporting the project was (and still is) a thankless task, and they did th

    • obnoxious feature request, throw in support for twofish, and try and get the TLS standards body to add twofish as a supported protocol next version. Just two cents.
    • Thank you. Did you fix the problems that were a major issue which was brought out last time, and which brought about LibreSSL?

Houston, Tranquillity Base here. The Eagle has landed. -- Neil Armstrong

Working...