[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

openssl: 2.2.1 release

From: Vasilij Schneidermann
Subject: openssl: 2.2.1 release
Date: Mon, 5 Jul 2021 23:04:25 +0200


What started out as a quest to fix compilation warnings in the openssl
egg, ended with a few more user-visible changes than that:

- The minimum OpenSSL version has been bumped to 1.1.0 to avoid the
  deprecated server/client version APIs. These have been replaced with a
  single API call to set both the minimum and maximum supported protocol
  version. Therefore it's now possible to accept a TLS version range,
  such as from TLSv1.0 up to TLSv1.2.
- TLSv1.3 support is detected and exposed at runtime.
- The `supported-ssl-protocols`, `ssl-min-protocol` and
  `ssl-max-protocol` allow testing supported protocol versions at runtime.
- The `openssl` module has been internally renamed to `(openssl
  socket)`, but is reexported under its old name for compatibility
  reasons. I intend to drop that alias whenever C6 happens.
- The `(openssl cipher)`, `(openssl digest)`, `(openssl random)` and
  `(openssl version)` modules have been introduced. The `(openssl
  cipher)` and `(openssl digest)` modules expose both low- and
  high-level procedures to work with ciphers and message digests. The
  `(openssl random)` module provides access to a CSPRNG. The `(openssl
  version)` module allows testing for the OpenSSL version and
- Examples have been added for the `(openssl cipher)`, `(openssl
  digest)` and `(openssl socket)` modules.
- A test suite covering all modules has been introduced and contains
  further module usage examples.

It's not all roses though. The OpenSSL APIs are historically grown and
not always easy to use. I've tried to avoid exposing as many footguns as
possible, but I'm certain that there's more work to do in this regard.
Please let me know if any of you run into troubles.

Further work ahead:

- OpenSSL 3 compatibility: I'll work on this whenever a stable release
  has been made available on Arch Linux. Resolving the compilation
  warnings made this task easier, but I expect new compilation warnings
  to appear.
- Exposing additional APIs. Candidates:
  - Hex encoding/decoding: Dubious utility (the task has been solved
    well enough by other eggs, hex encoding uses colon separator,
    decoding fails on empty buffer).
  - Base64 encoding/decoding: Dubious utility (there is a fast enough
    base64 egg, encoding uses newlines, decoding fails on empty buffer).
  - Certificate handling: Messy APIs.
  - Asymmetric cryptography: Messy APIs.
  - Password derivation: Messy APIs intertwined with asymmetric
  - HMAC: Unsure if enough benefit.
  - Bignum: Unsure if enough benefit (might be worth it for number
    theory procedures).
  - Other APIs: Please let me know about any worth exposing.

Some of the above issues have been resolved by OpenSSL 3, but would need
to be implemented in Terms of OpenSSL 1.1.0. Perhaps it would make more
sense to write a binding to Botan instead...


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]