Re: 0.9.8 vs 1.0.x

2013-03-27 Thread Dr. Stephen Henson
On Tue, Mar 26, 2013, Walter H. wrote:

 the major features that 1.0.x supports are
 
 openssl cms (http://www.openssl.org/docs/apps/cms.html)
 

The CMS code is actually in OpenSSL 0.9.8 too but you need to explicitly
include the configuration option enable-cms.

OpenSSL 1.0.0 and later enable CMS by default.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: 0.9.8 vs 1.0.x

2013-03-27 Thread Andrey Ponomarenko

Hi,

Gopakumar Pillai wrote:

Hi,

Can any one point me to a location where I can find the major differences
between versions 0.9.8 and 1.0.x?

Now that 0.9.8 may not live for long, planning to move to 1.0.x versions.

Are they API compatible? Any other restrictions?


API changes timeline: http://upstream-tracker.org/versions/openssl.html

0.9.8 vs 1.0.1e report: 
http://upstream-tracker.org/compat_reports/openssl/0.9.8_to_1.0.1e/compat_report.html


0.9.8 vs 1.0.1e visual diff for source code: 
http://upstream-tracker.org/pkgdiff_reports/openssl/0.9.8_to_1.0.1e/changes_report.html


I can create and publish reports between any other combinations of 
versions if needed.


--
Andrey Ponomarenko, ROSA Lab.



Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Walter H.

the major features that 1.0.x supports are

openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)

Greetings,
Walter


On 26.03.2013 18:50, Gopakumar Pillai wrote:


Hi,

Can any one point me to a location where I can find the major 
differences between versions 0.9.8 and 1.0.x?


Now that 0.9.8 may not live for long, planning to move to 1.0.x versions.

Are they API compatible? Any other restrictions?

Thank You in advance.

--Gopu







Re: 0.9.8 vs 1.0.x

2013-03-26 Thread redpath
Well, I discovered one thing: this constant EVP_MAX_KEY_LENGTH changed
from 32 to 64 when using FIPS. The story is:

I am using 0.9.8 and this constant to assure that the password a person
may use is not larger than this for AES128 ciphering, as undetermined
results happen on other platforms. In other words, I may cipher a file on
one platform and decipher on another, and if the key I used was greater
than this constant I have issues (it doesn't work). Well, it makes sense
that there is a limit in password size.

Well, I was on Redhat Linux and it had 1.0.x openssl, and I had to define
FIPS to use an ECDSA curve I was using to sign things. This constant
EVP_MAX_KEY_LENGTH changed in size, and when a user decided to use their
password, which was well above 32 bytes, it accepted all of it and tried
to use it to decipher something that had been ciphered a while back; well,
it did not work.

So we have our own constant now and only accept passwords that are 32
bytes long, though you can type in as much as you want, we will only use
32 bytes.

Also I hope the openssl 1.0.x is on all platforms including iOS.
Well, that's my experience.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/0-9-8-vs-1-0-x-tp44547p44549.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Jakob Bohm

You can also read the detailed list in the file CHANGES in the OpenSSL
source code download, that file lists the changes, version by version
going back several versions.  However the file in the latest 1.0.x archive
does not list which fixes were made to 0.9.8 after work started on version
1.0.0, so you should get both the latest 0.9.8 source download and the
latest 1.0.x source download and compare the CHANGES files from both.

Hopefully all the stuff that was fixed in later 0.9.8 releases was also
fixed in various 1.0.x releases around the same dates, since this is the
normal procedure of the project.

Programs compiled against 0.9.8 headers will need to be recompiled before
linking with 1.0.1 libraries or using them with 1.0.1 DLLs.  This applies
whenever any of the digits in the version number changes, but usually not
if only the extra letter is changed, e.g. from 1.0.1d to 1.0.1e.

On 26-03-2013 20:15, Walter H. wrote:

the major features that 1.0.x supports are

openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)

On 26.03.2013 18:50, Gopakumar Pillai wrote:


Hi,

Can any one point me to a location where I can find the major 
differences between versions 0.9.8 and 1.0.x?


Now that 0.9.8 may not live for long, planning to move to 1.0.x 
versions.


Are they API compatible? Any other restrictions?

Thank You in advance.

--Gopu



--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 
call:+4531131610

This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
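As an added example (not code from the thread or from the OpenSSL project), the recompile rule Jakob states above, written as two small checks: one over the human-readable release string, and one over the OPENSSL_VERSION_NUMBER value from opensslv.h, whose MNNFFPPS layout keeps the patch letter in its own byte so the digit triple can be compared on its own. The build strings come from the thread; the two macro values in the comments (0x1000105f for 1.0.1e, 0x0090800f for 0.9.8) are the ones opensslv.h defines for those releases.

```python
"""Added example: applying the recompile rule from the post above to
OpenSSL release strings and to the OPENSSL_VERSION_NUMBER macro.

The rule as stated: a program built against one OpenSSL must be rebuilt
before linking with another if any of the three digits differ (0.9.8 vs
1.0.1), while a change of the trailing patch letter alone (1.0.1d vs
1.0.1e) normally does not require it.
"""
import re

# "M.NN.FF" digits followed by an optional patch-letter suffix (e, zb, ...).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text: str) -> tuple:
    """Split '1.0.1e' into (major, minor, fix, patch_letters)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL release string: {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4)


def needs_rebuild(built_against: str, linking_with: str) -> bool:
    """True when the digit triple differs; the patch letter is ignored."""
    return parse_version(built_against)[:3] != parse_version(linking_with)[:3]


def patch_number(letters: str) -> int:
    """Patch letters map to the PP byte of OPENSSL_VERSION_NUMBER:
    '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'za' -> 27, 'zb' -> 28 (the 0.9.8
    series used two-letter suffixes once it ran past 'z')."""
    return sum(ord(c) - ord("a") + 1 for c in letters)


def version_number(text: str) -> int:
    """Encode a release string the way opensslv.h does: 0xMNNFFPPS, with
    S = 0xf for a release build. 1.0.1e -> 0x1000105f, 0.9.8 -> 0x0090800f."""
    major, minor, fix, letters = parse_version(text)
    return ((major << 28) | (minor << 20) | (fix << 12)
            | (patch_number(letters) << 4) | 0xF)


def same_digits(number_a: int, number_b: int) -> bool:
    """Compare two OPENSSL_VERSION_NUMBER values on M.NN.FF only, dropping
    the patch byte and the status nibble (the low 12 bits)."""
    return (number_a >> 12) == (number_b >> 12)


if __name__ == "__main__":
    for old, new in (("0.9.8", "1.0.1e"), ("1.0.1d", "1.0.1e")):
        flag = "rebuild" if needs_rebuild(old, new) else "no rebuild"
        print(f"{old} -> {new}: {flag} "
              f"(0x{version_number(old):08x} -> 0x{version_number(new):08x})")
```

The numeric form is what a build script can compare at configure time, since `openssl version` and the compiled-in macro are both available there, and the same shift-by-12 comparison works on any two macro values without parsing strings.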


Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Peter Beal
We've found that upstream-tracker.org was a good place to start. 
Unfortunately, it only performs comparisons from one release to the 
next, so what we did was download one of the tools that make up 
upstream-tracker and ran it against the specific release we were using 
and the release to which we were intending to upgrade. This provides 
a report of the symbols that have changed in the public API to the 
library, which is just a detailed starting point.


Pete

On 3/26/13 3:44 PM, Jakob Bohm wrote:

You can also read the detailed list in the file CHANGES in the OpenSSL
source code download, that file lists the changes, version by version
going back several versions.  However the file in the latest 1.0.x archive
does not list which fixes were made to 0.9.8 after work started on version
1.0.0, so you should get both the latest 0.9.8 source download and the
latest 1.0.x source download and compare the CHANGES files from both.

Hopefully all the stuff that was fixed in later 0.9.8 releases was also
fixed in various 1.0.x releases around the same dates, since this is the
normal procedure of the project.

Programs compiled against 0.9.8 headers will need to be recompiled before
linking with 1.0.1 libraries or using them with 1.0.1 DLLs.  This applies
whenever any of the digits in the version number changes, but usually not
if only the extra letter is changed, e.g. from 1.0.1d to 1.0.1e.

On 26-03-2013 20:15, Walter H. wrote:

the major features that 1.0.x supports are

openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)

On 26.03.2013 18:50, Gopakumar Pillai wrote:


Hi,

Can any one point me to a location where I can find the major 
differences between versions 0.9.8 and 1.0.x?


Now that 0.9.8 may not live for long, planning to move to 1.0.x 
versions.


Are they API compatible? Any other restrictions?

Thank You in advance.

--Gopu







Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Jakob Bohm

You are doing it very very wrong.

It has been known at least since the 1970s that trying to use ASCII
letters (with or without parity) directly as the encryption key is a
bad idea, because human entered text has only about 1 to 2 bits of
entropy per letter and even machine generated random text contains at
most 6.5 bits per character, while the security of the encryption
algorithms requires the full 8 bits per byte of entropy.

There are lots of well thought out standard methods to use a human
entered string as the most secret part of the input that determines
the full key, and OpenSSL contains implementations of at least two
of them.  Such algorithms are called Password-Based-Key-Derivation
Functions and generally work with an almost unlimited password length
(passwords longer than 500 million letters can hit some limits, but
who would memorize such a long password and then type it in by hand?).

You should also be aware that the key length is different for different
algorithms, and EVP_MAX_KEY_LENGTH constant is simply the largest of all
the key lengths of all the algorithms included, which is obviously NOT the
key length of any particular algorithm you may choose.  There is an
EVP function that returns the (constant) key length of the algorithm you
use, just in case you didn't already know (like if the code can select
between different algorithms).  Code compiled against any given version
of OpenSSL can safely assume that the length returned by that EVP function
will be at most the value of EVP_MAX_KEY_LENGTH from that OpenSSL version,
nothing else.


On 26-03-2013 20:32, redpath wrote:

Well, I discovered one thing: this constant EVP_MAX_KEY_LENGTH changed
from 32 to 64 when using FIPS. The story is:
I am using 0.9.8 and this constant to assure that the password a person
may use is not larger than this for AES128 ciphering, as undetermined
results happen on other platforms. In other words, I may cipher a file on
one platform and decipher on another, and if the key I used was greater
than this constant I have issues (it doesn't work). Well, it makes sense
that there is a limit in password size.
Well, I was on Redhat Linux and it had 1.0.x openssl, and I had to define
FIPS to use an ECDSA curve I was using to sign things. This constant
EVP_MAX_KEY_LENGTH changed in size, and when a user decided to use their
password, which was well above 32 bytes, it accepted all of it and tried
to use it to decipher something that had been ciphered a while back; well,
it did not work.
So we have our own constant now and only accept passwords that are 32
bytes long, though you can type in as much as you want, we will only use
32 bytes.
Also I hope the openssl 1.0.x is on all platforms including iOS.
Well, that's my experience.



--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 
call:+4531131610

This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
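To make the two points above concrete (an added example, not code from the thread or from OpenSSL), the block below contrasts the pattern redpath describes, the raw password bytes capped at a build's EVP_MAX_KEY_LENGTH, with PBKDF2 from the Python standard library, which derives exactly the cipher's own key length whatever the password length and whatever the build's constant. The per-build constants are the two values quoted in the thread, the per-cipher table stands in for what EVP_CIPHER_key_length() returns, and the password and salt are constructed for the demonstration.

```python
"""Added example: why a raw password capped at EVP_MAX_KEY_LENGTH is not
portable across OpenSSL builds, and why a password-based key derivation
function (PBKDF2, RFC 8018) is.
"""
import hashlib

# EVP_MAX_KEY_LENGTH values quoted in the thread: 32 under 0.9.8 and 64
# under a 1.0.x FIPS build.
EVP_MAX_KEY_LENGTH = {"0.9.8": 32, "1.0.x-fips": 64}

# Fixed per-cipher key sizes, as EVP_CIPHER_key_length() reports them.
# None of them equals EVP_MAX_KEY_LENGTH, which is only an upper bound.
CIPHER_KEY_LENGTH = {"aes-128-cbc": 16, "aes-192-cbc": 24, "aes-256-cbc": 32}

# Constructed inputs for the demonstration. A real salt is random
# (os.urandom) and stored beside the ciphertext.
EXAMPLE_PASSWORD = "correct horse battery staple plus a few extra words"  # 51 chars
EXAMPLE_SALT = bytes.fromhex("0011223344556677")


def naive_key(password: str, build: str) -> bytes:
    """The pattern from the thread: password bytes used directly as key
    material, cut off at the build's EVP_MAX_KEY_LENGTH. The result depends
    on the build constant and on the password length, so two builds (or
    two platforms) hand different bytes to the cipher."""
    return password.encode("utf-8")[: EVP_MAX_KEY_LENGTH[build]]


def pbkdf2_bytes(password: str, salt: bytes, dklen: int,
                 iterations: int, hash_name: str = "sha256") -> bytes:
    """PBKDF2-HMAC as in RFC 8018 (OpenSSL exposes it as PKCS5_PBKDF2_HMAC,
    or PKCS5_PBKDF2_HMAC_SHA1 in 0.9.8). Any password length in, exactly
    dklen bytes out."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, dklen=dklen)


def cipher_key(password: str, salt: bytes, cipher: str,
               iterations: int = 100_000) -> bytes:
    """Derive a key of the cipher's own length, the value an EVP program
    should take from EVP_CIPHER_key_length() rather than from
    EVP_MAX_KEY_LENGTH."""
    return pbkdf2_bytes(password, salt, CIPHER_KEY_LENGTH[cipher], iterations)


def compare_builds(password: str, salt: bytes, cipher: str = "aes-128-cbc") -> dict:
    """What each build would feed to the cipher for the same password."""
    naive = {build: naive_key(password, build) for build in EVP_MAX_KEY_LENGTH}
    derived = cipher_key(password, salt, cipher)
    return {
        "naive_key_lengths": {b: len(k) for b, k in naive.items()},
        "naive_keys_agree": len(set(naive.values())) == 1,
        "derived_key_length": len(derived),
        # The derived key never exceeds any build's EVP_MAX_KEY_LENGTH,
        # which is the only guarantee that constant actually gives.
        "derived_fits_all_builds": all(len(derived) <= m
                                       for m in EVP_MAX_KEY_LENGTH.values()),
    }


if __name__ == "__main__":
    for name, value in compare_builds(EXAMPLE_PASSWORD, EXAMPLE_SALT).items():
        print(f"{name}: {value}")
```

Run as written, the naive path yields a 32-byte string on one build and the full 51-byte password on the other, while the PBKDF2 path yields the same 16-byte AES-128 key on both; a 2-character password also yields 16 bytes, which is the length-independence the thread is asking for. The iteration count is a work factor, not a correctness parameter, and must be stored with the salt so that decryption uses the same value.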


Re: 0.9.8 vs 1.0.x

2013-03-26 Thread Jakob Bohm

Changed API symbols are only a subset of functionality changes, which is
why it is so useful that the OpenSSL project provides an actual list of
changes, formatted for human consumption.

But if you do want to look for hidden or undocumented changes, just
do a straightforward text compare of the unpacked source tarballs.

P.S.

Don't CC me, I do obviously read the list.

On 26-03-2013 20:50, Peter Beal wrote:
We've found that upstream-tracker.org was a good place to start. 
Unfortunately, it only performs comparisons from one release to the 
next, so what we did was download one of the tools that make up 
upstream-tracker and ran it against the specific release we were using 
and the release to which we were intending to upgrade. This 
provides a report of the symbols that have changed in the public API 
to the library, which is just a detailed starting point.


Pete

On 3/26/13 3:44 PM, Jakob Bohm wrote:

You can also read the detailed list in the file CHANGES in the OpenSSL
source code download, that file lists the changes, version by version
going back several versions.  However the file in the latest 1.0.x archive
does not list which fixes were made to 0.9.8 after work started on version
1.0.0, so you should get both the latest 0.9.8 source download and the
latest 1.0.x source download and compare the CHANGES files from both.

Hopefully all the stuff that was fixed in later 0.9.8 releases was also
fixed in various 1.0.x releases around the same dates, since this is the
normal procedure of the project.

Programs compiled against 0.9.8 headers will need to be recompiled before
linking with 1.0.1 libraries or using them with 1.0.1 DLLs. This applies
whenever any of the digits in the version number changes, but usually not
if only the extra letter is changed, e.g. from 1.0.1d to 1.0.1e.

On 26-03-2013 20:15, Walter H. wrote:

the major features that 1.0.x supports are

openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)

On 26.03.2013 18:50, Gopakumar Pillai wrote:


Hi,

Can any one point me to a location where I can find the major 
differences between versions 0.9.8 and 1.0.x?


Now that 0.9.8 may not live for long, planning to move to 1.0.x 
versions.


Are they API compatible? Any other restrictions?

Thank You in advance.

--Gopu








--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 
call:+4531131610

This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: 0.9.8 vs 1.0.x

2013-03-26 Thread redpath
I knew this was coming about the password, and of course we take this
password and create a key through password-based key derivation, but the
point is the constant changed and we should have used our own.

That was the only surprise for us. And yes, I use AES_BLOCK_SIZE and other
constants, but you would think that using EVP_EncryptInit_ex you could use
the EVP constant.

Live and learn.





--
View this message in context: 
http://openssl.6102.n7.nabble.com/0-9-8-vs-1-0-x-tp44547p44554.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


RE: 0.9.8 vs 1.0.x

2013-03-26 Thread Dave Thompson
From: owner-openssl-us...@openssl.org On Behalf Of Walter H.
Sent: Tuesday, 26 March, 2013 15:16

the major features that 1.0.x supports are

openssl ts (http://www.openssl.org/docs/apps/ts.html)
openssl cms (http://www.openssl.org/docs/apps/cms.html)

Although much of 'cms' was already in 'smime'.

Also on commandline: generic pkeyparam, genpkey, pkey, pkeyutl.
In library corresponding EVP_PKEY_CTX stuff.

A small but sometimes important change: digest/signature are now 
distinct so you can do e.g. ecdsa-sha256 as well as ecdsa-sha1.

For x509 verification (including during SSL/TLS handshake) using 
CApath (directory of cert files with hashnames or links) 
the hash algorithm changed and these must be re-hashed.

1.0.*1* adds TLSv1.1 and 1.2 (including GCM and SHA2 suites).

snip
