OpenSSL 3.0 has been released, and with it there are some notable changes to the popular library used almost everywhere for implementing SSL/TLS. As of now, the OpenSSL 1.1.1 branch is still under active development, so while it’s worth evaluating the lift to upgrade your applications, as of yet there is no urgency. In fact, OpenSSL 1.1.1 was designated an LTS release, and will receive security fixes until September of 2023.

OpenSSL 3.0 brings with it several notable changes, including a new versioning system and a different open-source license structure. OpenSSL 3.0 constitutes a major version and is NOT backwards compatible. Additionally, OpenSSL 3.0 includes a new module which enforces only FIPS-compliant cryptography, though as of this writing it has not finished the third-party validation required.

Previous versions of OpenSSL relied on the iconic “lettering” system, such as OpenSSL 1.1.1k. Going forward, OpenSSL will be more closely aligned with semantic versioning, utilizing a version string such as 3.0.1, where 3 denotes the major version, 0 denotes the minor milestone, and 1 represents the patch level. This is useful as it encapsulates more information directly in the version string. If the patch level changes, there is likely a security fix worth applying, whereas if the minor version changes, dollars to donuts you will be having a conversation with your application vendor!

Licensing Changes

OpenSSL has historically been licensed under its own hodgepodge of licensing terms. Finally, the OpenSSL project has been released under a standard open-source license, specifically Apache License v2. From a security standpoint, the Apache License is a great choice for OpenSSL since it requires that any changes to the source code be explicitly enumerated.

There has been a bevy of breaking API changes in this release, some expected, and some unexpected. Historically, APIs in OpenSSL have been bifurcated into two buckets: “high-level” APIs which provide a layer of abstraction between the user and their choice of algorithm (though the algorithm selection may be a parameter to one of these high-level APIs), and “low-level” APIs which are algorithm specific.
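The version-string triage rule described above (a patch-level change versus a minor or major change) can be applied across an inventory of hosts. The following is an added example, not code from the original post or from the OpenSSL project: it parses both the lettered and the three-number schemes and classifies an available release against what is installed. The host names and banners are constructed, and treating any jump between lettered release lines as "major" is an assumption.

```python
import re
from typing import NamedTuple

class OpenSSLVersion(NamedTuple):
    line: tuple  # release line: (major, minor) from 3.0 on, (x, y, z) for lettered releases
    patch: int   # position within the line: patch number, or letter ordinal ("" = 0, a = 1)

TOKEN = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(z[a-z]|[a-z])?\b")

def parse(text):
    """Parse a bare version or an `openssl version` banner in either scheme."""
    m = TOKEN.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, third = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4) or ""
    if major >= 3:
        if letter:
            raise ValueError(f"letter suffix is not used from 3.0 on: {text!r}")
        return OpenSSLVersion((major, minor), third)
    # Lettered scheme runs a..z, then za, zb, ... (for example 0.9.8zh).
    ordinal = sum(ord(c) - ord("a") + 1 for c in letter)
    return OpenSSLVersion((major, minor, third), ordinal)

def classify_update(installed, available):
    """Return 'none', 'patch', 'minor' or 'major' for installed -> available."""
    old, new = parse(installed), parse(available)
    if new <= old:
        return "none"
    if new.line == old.line:
        return "patch"   # same release line: likely a security fix worth applying
    if len(old.line) == 2 and new.line[0] == old.line[0]:
        return "minor"   # 3.x minor bump: check with the application vendor
    # Assumption: any other jump (a new lettered line, or 1.1.1 -> 3.0) is treated as breaking.
    return "major"

def triage(inventory, available):
    """Map each host to the kind of update `available` represents for it."""
    return {host: classify_update(banner, available) for host, banner in inventory.items()}

# Constructed sample inventory: hypothetical hosts with `openssl version` style banners.
INVENTORY = {
    "web01": "OpenSSL 1.1.1g  21 Apr 2020",
    "web02": "OpenSSL 1.1.1k  25 Mar 2021",
    "api01": "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    for target in ("1.1.1k", "3.0.1"):
        print(target, triage(INVENTORY, target))
```

Hosts that come back as "patch" can be queued for a routine update, while "minor" and "major" results call for compatibility testing first.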