Slashdot Mirror


OpenSSL 1.0.2 Released

kthreadd writes The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2, which is ABI compatible with the 1.0.0 and 1.0.1 series. Major new features in this release include Suite B support for TLS 1.2 and DTLS 1.2 and support for DTLS 1.2. Other major changes include TLS automatic EC curve selection, an API to set TLS supported signature algorithms and curves, the SSL_CONF configuration API, support for TLS Brainpool, support for ALPN, and CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.

5 of 97 comments

  1. Re:Obligatory reminder that an alternative exists by TechyImmigrant · Score: 5, Informative

    We tried contacting the PolarSSL developers about contributing code to fix their random number problem. No response. No random numbers -> no security.

    No matter what the security problem, it's always the random numbers, or lack thereof, that is the problem.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Re:libressl-2.1.3 by Anon E. Muss · Score: 5, Insightful

    libressl is NOT portable. Supporting BSD and Linux is not the definition of "portable" (see also: "We play both types of music: Country and Western"). The libressl code depends on the non-standard #include_next preprocessor directive, so it can only build with GCC (and probably clang, which emulates many GCC-isms). Forget about building on Windows using Microsoft's C compiler.

    OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

    --
    The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
  3. Re:Do you really trust the OpenSSL Corporation? by Anonymous Coward · Score: 5, Insightful

    Do you think the absence of documentation is due only to laziness?

    Yes. "Never attribute to malice that which can be explained by incompetence." Not every fuckup is a conspiracy.

    I don't know any programmers who like writing documentation. Start with that, and add that the OpenSSL code is complicated and poorly written, and it's no wonder the documentation is lacking.

  4. Re:libressl-2.1.3 by armanox · Score: 5, Informative

    Actually, libressl supports OS X and HP-UX as well. Some groundwork is in place for supporting AIX and IRIX (I no longer have access to AIX to continue porting, and I'm not sure IRIX will ever work right). If you really wanted it to work with MSVC, you could write, test, and propose the patches to make it work. I'm all for eliminating GCCisms (in the areas of the code I've been poking at, I'm not trying to eliminate GCCisms; not my priority).

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  5. Re:libressl-2.1.3 by peppepz · Score: 5, Interesting

    OpenSSL remains the only portable SSL library that can be used by both open source and commercial developers alike. Which is really a shame, because OpenSSL sucks. All the bad things the libressl people have said about OpenSSL are absolutely true.

    We have GnuTLS which is only one year younger than OpenSSL, has a nicer API, is portable to Windows, has a better track record with regard to binary compatibility, a better build system, and can be used by commercial software (it’s LGPLv2.1). Comparison of features with other SSL libraries.