Slashdot Mirror
OpenSSL 1.0.2 Released
kthreadd writes The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2 which is ABI compatible with the 1.0.0 and 1.0.1 series. Major new features in this release include Suite B support for TLS 1.2 and DTLS 1.2 and support for DTLS 1.2. selection. Other major changes include TLS automatic EC curve selection, an API to set TLS supported signature algorithms and curves, the SSL_CONF configuration API, support for TLS Brainpool, support for ALPN and support for CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
http://www.libressl.org/
That site doesn't support SSL...
Why start with something bad to make something good. If you want a good SSL library, try PolarSSL. It's a quite unknown, but great library. Unlike OpenSSL, this one has good documentation. The Hiawatha webserver uses it and it easily gives me an A+ score at SSL labs.
It doesn't have to be like this. All we need to do is make sure we keep talking.
We tried contacting the PolarSSL developers about contributing code to fix their random number problem. No response. No random numbers -> no security.
No matter what the security problem, it's always the random numbers, or lack thereof that is the problem.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
SSL/TLS has nothing to do with what certificates the client and server trust. You can bootstrap a TLS stream using a pre-shared key if you want, or with DANE, or with explicitly selected certificates. The fact that most clients use CAs for trust anchors is not a failure of SSL/TLS.
libressl is NOT portable. Supporting BSD and Linux is not the definition of "portable" (see also: "We play both types of music: Country and Western"). The libressl code depends on the non-standard #include_next preprocessor directive, so it can only build with GCC (and probably clang, which emulates many GCC-isms). Forget about building on Windows using Microsoft's C compiler.
OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.
The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
Do you think the absence of documentation is due only to laziness?
Yes. "Never attribute to malice that which can be explained by incompetence." Not every fuckup is a conspiracy.
I don't know any programmers who like writing documentation. Start with that, and add that the OpenSSL code is complicated and poorly written, and it's no wonder the documentation is lacking.
Sorry but that's all just pure baseless speculation on your part and fear mongering. The NSA can snoop SSL traffice regardless of ssl library simply by doing a man in the middle attack. And you'd never know it either, since they would be using a recognized root certificate. So I don't see what this issue has to do with openssl. And If they can brute force sniff SSL, I don't see how other ssl libraries are much safer.
Several of the OpenSSL developers have commented here on slashdot and expressed chagrin combined with determination to fix the problems which years ago were not considered problems--they were bad but accepted solutions for the portability problem. But times have changed, and openssl is changing too. As others have said it's still the most portable, and it is a good choice, and I do trust it. I think their response to heartbleed was admirable. They acknowledged and fixed the problem promptly.
NOT portable .... Forget about building on Windows using Microsoft's C compiler.
Just because one compiler for one platform fails to support a popular C extension doesn't mean the library isn't portable.
You can always choose to complie on that platform using one of the compliers that *does* support the extension.
Actually, libressl supports OS X and HP-UX as well. Some groundwork is in place for supporting AIX and IRIX (I no longer have access to AIX to continue porting, and I'm not sure IRIX will ever work right). If you really wanted it to work with MSVC, you could write, test, and propose the patches to make it work. I'm all for eliminating GCCisms (the areas I've been poking at the code I'm not trying to eliminate GCCisms, not my priority).
I'm starting to think GNU is the problem with "GNU/Linux" these days.
You _can_ do so, but the hardcoded reliance on the master signature authorities in nearly every popular software tool makes such efforts problematic. It's exceedingly difficult to _excise_ these master keys, or to display them as "not trusted due to federal key access", without breaking many tools.
OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.
We have GnuTLS which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries.