[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
openssl: 2.2.1 release
From: |
Vasilij Schneidermann |
Subject: |
openssl: 2.2.1 release |
Date: |
Mon, 5 Jul 2021 23:04:25 +0200 |
Hello,
What started out as a quest to fix compilation warnings in the openssl
egg, ended with a few more user-visible changes than that:
- The minimum OpenSSL version has been bumped to 1.1.0 to avoid the
deprecated server/client version APIs. These have been replaced with a
single API call to set both the minimum and maximum supported protocol
version. Therefore it's now possible to accept a TLS version range,
such as from TLSv1.0 up to TLSv1.2.
- TLSv1.3 support is detected and exposed at runtime.
- The `supported-ssl-protocols`, `ssl-min-protocol` and
`ssl-max-protocol` allow testing supported protocol versions at runtime.
- The `openssl` module has been internally renamed to `(openssl
socket)`, but is reexported under its old name for compatibility
reasons. I intend to drop that alias whenever C6 happens.
- The `(openssl cipher)`, `(openssl digest)`, `(openssl random)` and
`(openssl version)` modules have been introduced. The `(openssl
cipher)` and `(openssl digest)` modules expose both low- and
high-level procedures to work with ciphers and message digests. The
`(openssl random)` module provides access to a CSPRNG. The `(openssl
version)` module allows testing for the OpenSSL version and
configuration.
- Examples have been added for the `(openssl cipher)`, `(openssl
digest)` and `(openssl socket)` modules.
- A test suite covering all modules has been introduced and contains
further module usage examples.
It's not all roses though. The OpenSSL APIs are historically grown and
not always easy to use. I've tried to avoid exposing as many footguns as
possible, but I'm certain that there's more work to do in this regard.
Please let me know if any of you run into troubles.
Further work ahead:
- OpenSSL 3 compatibility: I'll work on this whenever a stable release
has been made available on Arch Linux. Resolving the compilation
warnings made this task easier, but I expect new compilation warnings
to appear.
- Exposing additional APIs. Candidates:
- Hex encoding/decoding: Dubious utility (the task has been solved
well enough by other eggs, hex encoding uses colon separator,
decoding fails on empty buffer).
- Base64 encoding/decoding: Dubious utility (there is a fast enough
base64 egg, encoding uses newlines, decoding fails on empty buffer).
- Certificate handling: Messy APIs.
- Asymmetric cryptography: Messy APIs.
- Password derivation: Messy APIs intertwined with asymmetric
cryptography.
- HMAC: Unsure if enough benefit.
- Bignum: Unsure if enough benefit (might be worth it for number
theory procedures).
- Other APIs: Please let me know about any worth exposing.
Some of the above issues have been resolved by OpenSSL 3, but would need
to be implemented in Terms of OpenSSL 1.1.0. Perhaps it would make more
sense to write a binding to Botan instead...
Vasilij
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- openssl: 2.2.1 release,
Vasilij Schneidermann <=