Re: [oss-security] Forthcoming OpenSSL Releases
Shawn,

On Thu, 27 Oct 2022 at 02:00, Shawn Webb wrote:
> I don't see anything on the CERT Vince site. Is there any way we could
> coordinate a response via CERT?

This is addressed within the "Prenotification policy" of
https://www.openssl.org/policies/general/security-policy.html

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact
NSA Releases “Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations”
https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2462345/nsa-releases-eliminating-obsolete-transport-layer-security-tls-protocol-configu/

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact
Re: LibreSSL
Paul,

On Wed, 6 Jan 2021 at 04:29, Paul Dale wrote:
> An article about LibreSSL and indirectly OpenSSL:
>
> https://lwn.net/SubscriberLink/841664/0ba4265680b9dadf/

TL;DR "One result of all this work is that Linux distributions have,
in general, not shifted away from OpenSSL. Two distributions that did
attempt to provide LibreSSL support were Alpine Linux and Gentoo.
Alpine Linux supported LibreSSL as its primary TLS library for a
while, but switched back to OpenSSL with the 3.9.0 release in January
2019. Gentoo never tried to switch over completely, but it supports
LibreSSL as an alternative."

https://lwn.net/ml/gentoo-dev/f87e940aed42fa95bd6557a02e4363380b8f1c0a.ca...@gentoo.org/
is also relevant to the threads that propose to refactor the OpenSSL
API

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact
Re: Project direction
Richard,

On Mon, 2 Nov 2020 at 10:47, Christian Heinrich wrote:
> Maybe we should define the problems that new end users experience
> during onboarding instead and address those first?

On Tue, 3 Nov 2020 at 02:52, Dick Franks wrote:
> Better documentation would help enormously.

I would recommend first approaching John Viega, Matt Messier, Pravir
Chandra et al to update
https://www.oreilly.com/library/view/network-security-with/059600270X/
based on their readers' feedback since this book hasn't been updated
since 2002.

Ivan Ristić would also add value as
https://www.feistyduck.com/books/openssl-cookbook/ was recently
updated (March 2016) and teaches
https://www.feistyduck.com/training/the-best-ssl-and-tls-training-in-the-world
too.

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact
Re: Project direction
Dr Dale,

On Fri, 30 Oct 2020 at 10:45, Dr Paul Dale wrote:
> The question was should we design our APIs to ease the pain existing
> users of OpenSSL or should we be trying to attract new users.
> The idea being that supporting existing users means not changing the
> existing API, whereas catering to new users means working towards
> a new fresh consistent API.

As far as I am aware the competition isn't much better than us ¯\_(ツ)_/¯

"LibreSSL was great as alternative when Heartbleed first emerged, but
LibreSSL development has lagged way behind OpenSSL to the point that
OpenSSL 1.1.1 is miles ahead of LibreSSL in performance" to quote
https://community.centminmod.com/threads/openssl-or-libressl-in-mid-2020.19810/

"There are no guarantees of API or ABI stability with this code: we
are not aiming to replace OpenSSL as an open-source project." to quote
https://www.chromium.org/Home/chromium-security/boringssl

Maybe we should define the problems that new end users experience
during onboarding instead and address those first?

-- 
Regards,
Christian Heinrich
http://cmlh.id.au/contact