1. 17

  2. 9

    I found this document much more useful than an endless list of changes in the linked URLs.

    1. 1

      Thank you! I was having a difficult time parsing that format.

    2. 9

      Big takeaways from a better summary of changes:

      • Now licensed Apache v2 instead of OpenSSL+SSLeay.
      • Versioning scheme now essentially semver but apparently not explicitly so
      • Providers now include a FIPS-compliant provider OOTB
      • Low-level APIs deprecated; use high-level APIs only
      • Legacy algorithms relegated to a legacy provider
      • Use provider API instead of engine API
      • RFCs 4210, 4211, and 6712 implemented
      • HTTP client in libcrypto
      • Some new functionality for dealing with KDFs and MACs
      • Support for Linux kernel TLS

(Not an OpenSSL expert, just used to use it a few years ago and had to keep up with releases, so I know what most of this means at a high level even if I don’t directly use it anymore)

      1. 1

        The triple DES key wrap functionality now conforms to RFC 3217 but is no longer interoperable with OpenSSL 1.1.1.

I suspect that will functionally kill triple DES off. Nice!

        1. 1

          Was the version jump caused by LibreSSL calling itself 2.x?

          Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations

          What the hell is any of this stuff?

          Correct the extended master secret constant on EBCDIC systems

          Uh huh wait what systems? I see the IBM support is going realllllly deep o_0

          The security strength of SHA1 and MD5 based signatures in TLS has been reduced

          I assume that this means some “strength” rating, but this is really funny if you just read it without thinking.