from Hacker News

OpenSSL 3 Strategic Architecture

by jbaviat on 3/1/19, 8:53 AM with 20 comments

  • by zdw on 3/2/19, 3:17 PM

    The OpenSSL strategy seems to be to try to leapfrog LibreSSL in terms of version numbers (which already has released a 2.x branch, hence their 3.x versioning), and revise their API, but still have considerable complexity.

    The LibreSSL approach was to write a new library and API, libtls, which does away with the substantial configuration complexity in applications: https://man.openbsd.org/tls_init.3

    I'd argue that LibreSSL's is the better approach.

  • by tptacek on 3/2/19, 4:50 PM

    The Core will implement a property based look-up feature for finding algorithms, e.g. it might allow you find an algorithm where "fips=true", or "keysize=128, constant_time=true".

    Why? What designer builds a system this way, without knowing precisely what algorithm they're using?

  • by tatersolid on 3/2/19, 11:25 AM

    Yikes. Backwards compatibility is tough.

    Strange that with the bump to 3.0 they didn’t at least announce the removal legacy primitives and TLS versions. Are they going to support DES and RC4 forever?

  • by snvzz on 3/2/19, 9:08 AM

    Still prefer libressl. A shame that openssl's history of failing at security is rewarded with donations and use, rather than shunned.

  • by brians on 3/2/19, 2:50 PM

    Neat. I look forward to better FIPS handling and the deprecation story.

    And to vulnerabilities from the loadable module support. Getting the property based binding right looks tough!