OpenSSL 3.2 Released With Client-Side QUIC, SSL/TLS Security Level 2 Default

  • OpenSSL 3.2 Released With Client-Side QUIC, SSL/TLS Security Level 2 Default

    Phoronix: OpenSSL 3.2 Released With Client-Side QUIC, SSL/TLS Security Level 2 Default

    OpenSSL 3.2 was released this morning as the latest major update to this widely-used cryptography and SSL/TLS project...


  • #2
    - On Windows is now support for using the Windows system certificate store as a source of trusted root certificates but is not yet enabled by default.
    I wonder why is everyone rushing to add this?
    First Mozilla with the new Firefox and now OpenSSL.
    Are they preparing to let Microsoft decide which certificates to be trusted on your system for all the programs that use them?
    Why are they wanting to give Microsoft more power?

    Comment


  • #3
    I know HTTP/3 sits on top of a QUIC layer (which itself sits on top of UDP), whereas previous versions of HTTP sit on top of TCP. I see a lot of open source projects out there that support up to HTTP/2, but not HTTP/3 yet. I am not fully versed on how/when/where these various projects might use OpenSSL as the encryption layer, but if they do, could this be why HTTP/3 support is not implemented yet (i.e. lack of QUIC support in the OpenSSL library)? If yes, happy to see the support coming. Maybe OpenSSL is not used at all here and I am missing something, but it was something that came to mind for me.


  • #4
    How does OpenSSL actually act on Linux OSes?


  • #5
    Originally posted by Danny3:
    I wonder why everyone is rushing to add this?
    Enterprises may install (using various tooling/automation) internal-use certificates into the Windows certificate store for their organization. Applications that do not support those certificates may either be banned entirely, or not function correctly (if they function at all) in those organizations. Not all vendors of apps may want to be able to work in the Enterprise Windows environment, but most likely do, so they will choose to implement the de facto standards.


  • #6
    Originally posted by Danny3:
    Are they preparing to let Microsoft decide which certificates are to be trusted on your system for all the programs that use them?
    Why do they want to give Microsoft more power?
    They added support for certificates from the Windows Store, not banning certificates outside the Store.
    No one is forcing anyone to use something.


  • #7
    Originally posted by ehansin:
    I know HTTP/3 sits on top of a QUIC layer (which itself sits on top of UDP), whereas previous versions of HTTP sit on top of TCP. I see a lot of open source projects out there that support up to HTTP/2, but not HTTP/3 yet. I am not fully versed on how/when/where these various projects might use OpenSSL as the encryption layer, but if they do, could this be why HTTP/3 support is not implemented yet (i.e. lack of QUIC support in the OpenSSL library)? If yes, happy to see the support coming. Maybe OpenSSL is not used at all here and I am missing something, but it was something that came to mind for me.
    Nginx typically uses OpenSSL, and the latest mainline version supports QUIC and HTTP/3 regardless of OpenSSL version. However, OpenSSL is not needed at all for QUIC or HTTP/3, just like OpenSSL is not needed for any earlier HTTP version. QUIC is just an "extra" feature there; similarly, there have been SSL/TLS sockets for a long time. But sure, using one OpenSSL API is easier than using one for QUIC and another for TLS.
    Last edited by Jakobson; 23 November 2023, 02:23 PM.


  • #8
    Originally posted by Jakobson:
    Nginx typically uses OpenSSL, and the latest mainline version supports QUIC and HTTP/3 regardless of OpenSSL version. However, OpenSSL is not needed at all for QUIC or HTTP/3, just like OpenSSL is not needed for any earlier HTTP version. QUIC is just an "extra" feature there; similarly, there have been SSL/TLS sockets for a long time. But sure, using one OpenSSL API is easier than using one for QUIC and another for TLS.
    Thanks!


  • #9
    "- On Windows is now support for using the Windows system certificate store as a source of trusted root certificates but is not yet enabled by default."
    I think there is a missing 'there', there. Perhaps it should read:

    "- On Windows [there] is now support for using the Windows system certificate store as a source of trusted root certificates but is not yet enabled by default."


  • #10
    Originally posted by Danny3:
    I wonder why everyone is rushing to add this?
    First Mozilla with the new Firefox and now OpenSSL.
    Are they preparing to let Microsoft decide which certificates are to be trusted on your system for all the programs that use them?
    Why do they want to give Microsoft more power?
    This is the correct way to do certificates: listen to the system. I often need to add root certificates, and going through all the programs that bundle their own store is a major PITA.
    If you really want to not use the system store, that's what the openssl `SSL_CERT_DIR` env variable is for.

    Now, outdated systems no longer updating the store will cause problems, and maybe then there should be an option to use a bundled store. The intersection of systems one wants to support and that have an old certstore is usually well known.
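The override that #10 mentions, as an added worked example (this is not code from the Phoronix article, the forum posters, or the OpenSSL project). It builds a throwaway private CA, shows that a leaf certificate signed by it is rejected against OpenSSL's compiled-in default store, and then shows that pointing `SSL_CERT_DIR` at a directory containing the CA makes verification succeed. It also demonstrates the caveat practitioners trip over: the directory must be processed with `openssl rehash`, because the directory lookup opens files named by subject-name hash rather than scanning every PEM. It assumes an OpenSSL `openssl` binary (1.1.1 or 3.x) on PATH; the CA name, host name and paths are all constructed for the example, and the Windows-store side of the release note is not exercised here.

```shell
#!/bin/sh
# Added example, not code from the Phoronix article or from OpenSSL itself.
# Shows which trust store `openssl verify` consults and how SSL_CERT_DIR
# overrides it, using a throwaway private CA created below. Assumes the
# OpenSSL `openssl` CLI (1.1.1 or 3.x) is on PATH; every subject and path
# here is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# OPENSSLDIR: with no env override, OpenSSL's default store is the
# certs/ subdirectory (hashed files) plus cert.pem under this directory.
show_openssldir() {
    openssl version -d
}

# Throwaway root CA plus one leaf certificate signed by it (constructed).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Internal Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=intranet.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Compiled-in default store only: the private CA is not there, so the
# leaf must be rejected. Returns 0 when it is rejected, 1 if it passes.
verify_with_default_store() {
    if ( unset SSL_CERT_DIR SSL_CERT_FILE
         openssl verify "$WORK/leaf.pem" >/dev/null 2>&1 ); then
        return 1
    fi
    return 0
}

# SSL_CERT_DIR pointing at a rehashed directory holding the CA: the
# by-directory lookup finds <subject_hash>.0 and the chain verifies.
verify_with_custom_dir() {
    mkdir -p "$WORK/trust"
    cp "$WORK/ca.pem" "$WORK/trust/"
    openssl rehash "$WORK/trust" >/dev/null 2>&1
    ( unset SSL_CERT_FILE
      SSL_CERT_DIR="$WORK/trust" openssl verify "$WORK/leaf.pem" >/dev/null 2>&1 )
}

# The caveat: the same CA dropped into a directory WITHOUT rehashing is
# never opened, so verification still fails. Returns 0 on that failure.
verify_without_rehash() {
    mkdir -p "$WORK/unhashed"
    cp "$WORK/ca.pem" "$WORK/unhashed/"
    if ( unset SSL_CERT_FILE
         SSL_CERT_DIR="$WORK/unhashed" openssl verify "$WORK/leaf.pem" >/dev/null 2>&1 ); then
        return 1
    fi
    return 0
}

run_demo() {
    make_pki
    printf 'OPENSSLDIR (default store root): %s\n' "$(show_openssldir)"
    if verify_with_default_store; then
        echo "default store          : leaf rejected (private CA unknown)"
    fi
    if verify_with_custom_dir; then
        echo "SSL_CERT_DIR + rehash  : leaf verified"
    fi
    if verify_without_rehash; then
        echo "SSL_CERT_DIR, no rehash: leaf rejected (CA file not hash-named)"
    fi
}

run_demo
```

`SSL_CERT_DIR` accepts a colon-separated list, so an application can be pointed at a private directory in front of the system one without replacing it; `SSL_CERT_FILE` does the same for a single bundle file. Both variables are read by libcrypto's default lookups, so they affect every program that links OpenSSL and calls the default-paths setup, which is exactly the "listen to the system" behaviour #10 argues for.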
