Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Administered by:

Server stats:

9K
active users

mastodon.world: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#OpenSSL

9 posts9 participants0 posts today
Public *
tjhowse

Prepare to poo your pants.

OpenSSL provides a few helpers to compare certificates.

X509_cmp(), which returns 0 on a match, and

EVP_PKEY_cmp(), which returns 1 on a match.

It's OK, tan-coloured landmines are safe to step on. Olive-coloured landmines will explode and you will die.

#openssl#foss
Continued thread
Public *
Felix Palmen :freebsd: :c64:

Adding what was missing for intermediate certificates, I had great fun with #OpenSSL #API again. I mean, it never gets old. First test gave me a nice crash of #swad. Because ....

Well, to use a certificate (type X509 *), you call SSL_CTX_use_certificate(). Docs say "On success the reference counter of the x is incremented." (where x means the certificate). Great, so, call X509_free() directly afterwards to ensure this certificate gets destroyed whenever the SSL context gets destroyed.

So, just call the same function again for the intermediate certificates? No ... but there's SSL_CTX_add_extra_chain_cert() which *can* be used multiple times. Nice, call it in a loop as long as I find additional certificates in the cert file, and X509_free() them all directly after adding.

And then observe the crash. Well, it's documented, the manpage for SSL_CTX_add_extra_chain_cert() tells:

"The x509 certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the SSL_CTX is destroyed. An application should not free the x509 object."

So, clearly my fault not reading this before. Consistency in API design is so overrated. 🤪

Public
Nicola Tuveri

#OpenSSL 📢 -- Call for speakers at the inaugural OpenSSL Conference

🔗 openssl-foundation.org/post/20

From #OpenSSL -- Blog on OpenSSL Foundation

OpenSSL Foundation · Call for speakers at the inaugural OpenSSL ConferenceThe first OpenSSL Conference will take place October 7–9, 2025 in Prague. It will be an excellent opportunity to learn more about OpenSSL. Talks will range from technical discussions of cryptography to open source communities to practical guidance for internet security. More to the point, it’s a great opportunity to speak about these topics. If you have expertise in a topic related to OpenSSL, please consider applying to be a speaker. In addition to the unique opportunity to address the OpenSSL community, speakers will receive a complimentary conference pass.
Public
LaF0rge

In case you haven't seen it yet, check out the analysis of the devastating state of [mostly] modern #OpenSSL by members of haproxy at haproxy.com/blog/state-of-ssl- - hard to imagine such massive performance regressions getting into mainline linux distributions unnoticed by the distributors. #linux #ssl

HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Public
Vitex

#apt-listchanges: News
---------------------

#curl (8.13.0-2) unstable; urgency=medium

The curl #CLI is now back to using #OpenSSL, instead of #GnuTLS:
HTTP/3 support is still there, compared to the GnuTLS curl CLI.
The performance of HTTP/3 on OpenSSL is not as good, but it's also not used
by default.

-- Samuel Henrique <samueloph@debian.org> Sun, 06 Apr 2025 22:13:18 +0100

#Linux #Debian 13 #Trixie news

Public
Jérémy Lecour

Dans ce (long et très détaillé) article sur l’état des stacks SSL, l’équipe de #haproxy (confirmée par d’autres équipes telles que Curl, Akamai, Microsoft…) tacle lourdement #OpenSSL sur la qualité du code et surtout sur la gouvernance du projet. Ça pique.
haproxy.com/blog/state-of-ssl-

HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Public *
.:. brainsik

Long, but great read from #HAProxy on the state of #TLS libraries. Includes some scathing remarks about the #OpenSSL project.

“The development team has degraded their project’s quality, failed to address ongoing issues, and consistently dismissed widespread community requests for even minor improvements.”

“This unfortunate situation considerably hurts QUIC protocol adoption. It even makes it difficult to develop or build test tools to monitor a QUIC server.”

“When some of the project members considered a 32% performance regression ‘pretty near’ the original performance, it signaled to our development team that any meaningful improvement was unlikely.”

“In blunt terms: running OpenSSL 3.0.2 as shipped with Ubuntu 22.04 results in 1/100 of #WolfSSL’s performance on identical hardware! To put this into perspective, you would have to deploy 100 times the number of machines to handle the same traffic, solely because of the underlying SSL library.”

infosec.exchange/@0xabad1dea/1

Infosec Exchangeabadidea (@0xabad1dea@infosec.exchange)After heartbleed in 2014, there were a lot of calls to abandon OpenSSL and support alternative libraries because it had written itself into a corner full of holes. I didn’t anticipate that 11 years later, there’d be a call to abandon OpenSSL because it’s written itself into a corner of running at 1% the performance of those very same alternative libraries https://www.haproxy.com/blog/state-of-ssl-stacks
Public
Matt "msw" Wilson

“AWS-LC looks like a very active project with a strong community. […] Even the recently reported performance issue was quickly fixed and released with the next version. […] This is definitely a library that anyone interested in the topic should monitor.”

#OpenSSL #BoringSSL #WolfSSL #AWSLC #HAProxy #OpenSource #FreeSoftware #FOSS #OSS #TLS #QUIC
haproxy.com/blog/state-of-ssl-

HAProxy TechnologiesThe State of SSL StacksThe SSL landscape has shifted dramatically. In this paper, we examine OpenSSL 3.x, BoringSSL, LibreSSL, WolfSSL, and AWS-LC with HAProxy.
Public
Nicola Tuveri

#OpenSSL 📢 -- Have Your Say! Vote Now in the Technical Advisory Committee Elections and Support Your Community

🔗 openssl-corporation.org/post/2

From #OpenSSL -- Blog on OpenSSL Corporation

OpenSSL Corporation · Have Your Say! Vote Now in the Technical Advisory Committee Elections and Support Your CommunityThank you to everyone who registered and to those who took the extra step to nominate candidates for the Technical Advisory Committees (TACs) of the OpenSSL Corporation and the OpenSSL Foundation. We are now at the final step—voting. Your participation in this phase is essential to bring the process to completion and ensure the strength of our shared governance. Election Timeline Start Date: April 28, 2025 at 12:00pm UTC Deadline for Voting: May 11, 2025 at 12:00pm UTC
ExploreLive feeds
About