FRESH

Hacker News

Home

OpenSSL 4.0.0

280 points by petecooper

by capitol_

4 subcomments

Finally encrypted client hello support \o/

by georgthegreat

1 subcomments

https://www.haproxy.com/blog/state-of-ssl-stacks
According to this one should not be using v3 at all..

by caycep

2 subcomments

How is OpenSSl these days? I vaguely remember the big ruckus a while back, was it Heartbleed? where everyone to their horror realized it was maybe 1 or 2 people trying to maintain OpenSSL, and the OpenBSD people then throwing manpower at it to clear up a lot of old outstanding bugs. It seems like it is on firmer/more organized footing these days?

by rwmj

0 subcomment

Compared to OpenSSL 3 this transition has been very smooth. Only dropping of "Engines" was a problem at all, and in Fedora most of those dependencies have been changed.

by ge96

0 subcomment

Just in time for the suckerpinch video

by ibrahimhossain

0 subcomment

Manual opt out processes are becoming a major friction point. It's interesting how these tools only improve their defaults after a community backlash. Trust is so hard to build but so easy to burn in this space

by yjftsjthsd-h

1 subcomments

As a complete non-expert:
On the one hand, looks like decent cleanup. (IIRC, engines in particular will not be missed).
On the other hand, breaking compatibility is always a tradeoff, and I still remember 3.x being... not universally loved.

by cookiengineer

0 subcomment

> libcrypto no longer cleans up globally allocated data via atexit().
> OPENSSL_cleanup() now runs in a global destructor, or not at all by default.
Oh oh. Heartbleed 2.0 incoming.
I really do hope that they broke APIs specifically throwing errors or race conditions so that devs are forced to cleanup. Otherwise this is going to be a nightmare to find out in terms of maintenance and audits.
I mean it's a new major release so it's a valid design change. But I hope they're thinking of providing and migration/update guide or a checklist to reduce usage errata.
(I'm heavily in favor of deprecating the fixed version method names)

by jmclnx

1 subcomments

I wonder how hard it is to move from 3.x to 4.0.0 ?
From what I remember hearing, the move from 2 to 3 was hard.

by bensyverson

1 subcomments

I just updated to 3.5x to get pq support. Anything that might tempt me to upgrade to 4.0?

by semiquaver

1 subcomments

Major version bump? I wonder how much slower it will get now.

by Neywiny

0 subcomment

Good to see const more prevalent. Too often I have to add that in to libraries for embedded. Possibly I believe in const by default but it is what it is at this point

by GZGavinZhao

0 subcomment

*Linux distro package maintainers screams

by snvzz

0 subcomment

Kind reminder we should be using Libressl.

by theowaway

0 subcomment

oh no not another breaking ABI change

by pixel_popping

0 subcomment

Mythos is coming for yaaaaa (just kidding).