Slashdot Mirror


OpenSSL 1.0.2 Released

kthreadd writes The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2, which is ABI compatible with the 1.0.0 and 1.0.1 series. Major new features in this release include Suite B support for TLS 1.2 and DTLS 1.2, and support for DTLS 1.2. Other major changes include TLS automatic EC curve selection, an API to set TLS supported signature algorithms and curves, the SSL_CONF configuration API, support for TLS Brainpool, support for ALPN, and CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

6 of 97 comments

  1. Re:Obligatory reminder that an alternative exists by devman · · Score: 3, Insightful

    SSL/TLS has nothing to do with what certificates the client and server trust. You can bootstrap a TLS stream using a pre-shared key if you want, or with DANE, or with explicitly selected certificates. The fact that most clients use CAs for trust anchors is not a failure of SSL/TLS.
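
An added example, written for this page and not taken from the OpenSSL project or from any poster in this thread, illustrating two things at once: the point in the comment above that the trust anchor is a client-side choice separate from the protocol (the same self-signed server certificate is refused by a client that trusts the OS CA bundle and accepted by one that trusts exactly that certificate, while the bytes on the wire are the same TLS), and ALPN negotiation, one of the 1.0.2 features listed in the summary. It uses Python's ssl module, which wraps OpenSSL. Assumptions not found on the page: the `openssl` command-line tool is on PATH (used only to mint a throw-away self-signed certificate), loopback TCP is available, and the hostname `example.test` and every function name are the example's own.

```python
"""Added example: trust anchors vs. the TLS protocol, plus ALPN negotiation.

Not code from the OpenSSL project or from the Slashdot thread. Assumes the
`openssl` CLI is installed (only to mint a throw-away certificate) and that
loopback TCP works. The hostname and function names are this example's own.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "example.test"  # assumed name for the throw-away certificate


def make_self_signed_cert(directory):
    """Mint a throw-away self-signed certificate and key with the openssl CLI.

    Returns (cert_path, key_path). The DNS SAN lets hostname checking against
    HOSTNAME succeed once the certificate itself is the trust anchor.
    """
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + HOSTNAME, "-addext", "subjectAltName=DNS:" + HOSTNAME,
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def trust_system_cas():
    """What most clients do: trust whatever CA bundle the OS ships."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["spdy/3", "h2"])  # client offers two; server lacks spdy/3
    return ctx


def trust_only(cert):
    """Trust exactly one certificate; the system CA store is never loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cert)
    ctx.set_alpn_protocols(["spdy/3", "h2"])
    return ctx


def run_handshake(client_ctx, cert, key):
    """One TLS handshake over loopback: a server presenting cert/key, a client
    using client_ctx. Returns (True, negotiated_alpn) on success, or
    (False, exception_class_name) when the client refuses the certificate.
    """
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    server_ctx.set_alpn_protocols(["h2", "http/1.1"])  # only "h2" is common

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    addr = listener.getsockname()

    def serve():
        conn, _ = listener.accept()
        listener.close()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # wait for the client's single byte, then close
        except OSError:
            pass  # client rejected our certificate and tore the session down

    thread = threading.Thread(target=serve)
    thread.start()
    raw = socket.create_connection(addr)
    try:
        with client_ctx.wrap_socket(raw, server_hostname=HOSTNAME) as tls:
            negotiated = tls.selected_alpn_protocol()
            tls.sendall(b"x")
        result = (True, negotiated)
    except ssl.SSLError as exc:
        result = (False, type(exc).__name__)
    thread.join()
    return result


def demo():
    """Run both clients against the same self-signed server; returns a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        return {
            "system_cas": run_handshake(trust_system_cas(), cert, key),
            "pinned": run_handshake(trust_only(cert), cert, key),
        }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        verdict = "handshake ok, ALPN=" + str(detail) if ok else "rejected: " + detail
        print(f"{name:10s} -> {verdict}")
```

Running the file prints one line per client. The pinned client is the same shape a DANE-derived or explicitly provisioned trust anchor takes: the server, the ciphersuite and the handshake are unchanged; only what the client has been told to accept differs, which is why the choice of CAs is a client policy rather than a property of SSL/TLS.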

  2. Re:libressl-2.1.3 by Anon+E.+Muss · · Score: 5, Insightful

    libressl is NOT portable. Supporting BSD and Linux is not the definition of "portable" (see also: "We play both types of music: Country and Western"). The libressl code depends on the non-standard #include_next preprocessor directive, so it can only build with GCC (and probably clang, which emulates many GCC-isms). Forget about building on Windows using Microsoft's C compiler.

    OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

    --
    The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
  3. Re:Do you really trust the OpenSSL Corporation? by Anonymous Coward · · Score: 5, Insightful

    Do you think the absence of documentation is due only to laziness?

    Yes. "Never attribute to malice that which can be explained by incompetence." Not every fuckup is a conspiracy.

    I don't know any programmers who like writing documentation. Start with that, and add that the OpenSSL code is complicated and poorly written, and it's no wonder the documentation is lacking.

  4. OpenSSL and the Internet by Anonymous Coward · · Score: 2, Insightful

    It's an affront to common sense that the Internet's security largely relies on this wretched library, with its utterly dismal coding standards, its hideously, and unnecessarily, baroque and complex API, and its pathetic documentation.

  5. Re:Do you really trust the OpenSSL Corporation? by caseih · · Score: 3, Insightful

    Sorry but that's all just pure baseless speculation on your part and fear mongering. The NSA can snoop SSL traffic regardless of ssl library simply by doing a man in the middle attack. And you'd never know it either, since they would be using a recognized root certificate. So I don't see what this issue has to do with openssl. And if they can brute force sniff SSL, I don't see how other ssl libraries are much safer.

    Several of the OpenSSL developers have commented here on slashdot and expressed chagrin combined with determination to fix the problems which years ago were not considered problems--they were bad but accepted solutions for the portability problem. But times have changed, and openssl is changing too. As others have said it's still the most portable, and it is a good choice, and I do trust it. I think their response to heartbleed was admirable. They acknowledged and fixed the problem promptly.

  6. Re:libressl-2.1.3 by ron_ivi · · Score: 3, Insightful

    NOT portable .... Forget about building on Windows using Microsoft's C compiler.

    Just because one compiler for one platform fails to support a popular C extension doesn't mean the library isn't portable.

    You can always choose to compile on that platform using one of the compilers that *does* support the extension.