@rolenthedeep I guess I’m in the 1% who doesn’t care what #Apple does from a UX perspective but would prefer it did a better job keeping #libcurl, #openssl, and other core libraries up to date.
After some discussions about #openssl and its manuals, I've come to wonder how relevant it is to keep to the #manpage format for all your #documentation.
I nominate https://docs.openssl.org/3.3/man3/d2i_X509/ as #OpenSSL's worst man page. And there's fierce competition for that award.
And in the end it does not even mention the weird behavior: it stores errors in an internal queue which mysteriously makes the *next* invoked function fail...
#OpenSSL -- OpenSSL Foundation endorses UN Open Source Principles
https://openssl-foundation.org/post/2025-08-07-un-open-source-principles/?utm_source=atom_feed
From #OpenSSL -- Blog on OpenSSL Foundation
I can confirm, #openssl team doesn't just merge new features
Improving the world, one PR at a time: https://github.com/smallstep/crypto/pull/811
The next release of #smallstep step-ca will accept the old name "nonRepudiation" in the X.509v3 keyUsage extension as a UX improvement for users coming from, e.g., #OpenSSL.
Inspired by @jwildeboer: https://social.wildeboer.net/@jwildeboer/114964280013823176
This stuff is hard enough without such pitfalls, no need to make it more complicated by green bikesheds, er, naming discussions.
And for some more context: Did you know #openssl 3.x is quite poor in its performance? https://www.haproxy.com/blog/state-of-ssl-stacks
I finally tried to replace #openssl with #aws-lc on some of my services. Unfortunately, #nginx and #mosquitto lack support for it. Instead, I successfully switched #BIND to use aws-lc.
I later also noticed that the #rustls compatibility shim is in nixpkgs 25.05, but here BIND is missing some variables. And despite the wrapper being explicitly made for nginx, it also fails here with
/nix/store/mkvc0lnnpmi604rqsjdlv1pmhr638nbd-binutils-2.44/bin/ld: objs/src/stream/ngx_stream_ssl_module.o: in function `ngx_stream_ssl_servername':
/build/nginx-1.28.0/src/stream/ngx_stream_ssl_module.c:606:(.text+0xd59): undefined reference to `SSL_SESSION_get0_hostname'
A shame. I wanted to change to more modern libraries.
Untested: #dovecot and #postfix (they lack a services.(dovecot2|postfix).package variable to easily change the used package). A PR for dovecot is already open to add support for it.
@nilz I had already feared that the podcast would pick up on these prejudices. These individual developers do exist, but they are not the majority. OSS is big business; what is sometimes problematic are small projects that are actually important but get too little maintenance, see also #OpenSSL. The small projects that are not essential are not that significant or problematic if something goes wrong. Bugs exist in closed source too, that is not a distinguishing feature.
Version 5.21 of the open source encryption protocol AmiSSL has been released for AmigaOS 3 and 4, which is now based on the latest version 3.5.1 (2025/07/01) of OpenSSL.
KEKS codec and cryptographic messages
This article recalls the problems of X.509 PKI and of ASN.1 implementations. It proposes KEKS, a compact, fast, deterministic, streaming and simple data encoding format, together with cryptographic messages for signing and encrypting data with support for post-quantum algorithms.
Just released: #swad 0.12
swad is the "Simple Web Authentication Daemon". It basically offers adding form + #cookie #authentication to your reverse proxy (designed for and tested with #nginx "auth_request"). I created it mainly to defend against #malicious_bots, so among other credential checker modules for "real" logins, it offers a proof-of-work mechanism for guest logins doing the same #crypto #challenge known from #Anubis.
swad is written in pure #C with minimal dependencies (#zlib, #OpenSSL or compatible, and optionally #PAM), and designed to work on any #POSIX system. It compiles to a small binary (200 - 300 kiB depending on compiler and target platform).
This release brings (among a few bugfixes) improvements to make swad fit for "heavy load" scenarios: There's a new option to balance the load across multiple service worker threads, so all cores can be fully utilized if necessary, and it now keeps lots of transient objects in pools for reuse, which helps to avoid memory fragmentation and ultimately results in lower overall memory consumption.
Read more about it, download the .tar.xz, build and install it .... here:
Oh boy, I have a lead! And it's NOT related to #TLS. I finally noticed another pattern: #swad only #crashed when running as a #daemon. The daemonizing wasn't the problem, but the default logging configuration attached to it: "fake async", by letting a #threadpool job do the logging.
Forcing THAT even when running in foreground, I can finally reproduce a crash. And I wouldn't be surprised if that was actually the reason for crashing "pretty quickly" with #LibreSSL (and only rarely with #OpenSSL), I mean, something going rogue in your address space can have the weirdest effects.