Hi Everyone,

I noticed that most of the OpenSSL downloads are still from the 1.0.2 series or older - there was recently even a 1.0.1 download. Is anyone having difficulty with the more recent versions of builds done by ITUGLIB? Are the builds on too recent RVUs? Is there something we can do better?

Thanks,
Randall

On 12/24/2021 11:01 AM, Randall wrote:
> Hi Everyone,
>
> I noticed that most of the OpenSSL downloads are still from the 1.0.2 series or older - there was recently even a 1.0.1 download. Is anyone having difficulty with the more recent versions of builds done by ITUGLIB? Are the builds on too recent RVUs? Is there something we can do better?
>

Hi Randall, I haven't downloaded in a while, but I'm wondering if it's
the API change in 1.1.x? Nothing to do with your awesome efforts
at all?

On Friday, December 24, 2021 at 3:10:52 p.m. UTC-5, red floyd wrote:
> On 12/24/2021 11:01 AM, Randall wrote:
> > Hi Everyone,
> >
> > I noticed that most of the OpenSSL downloads are still from the 1.0.2 series or older - there was recently even a 1.0.1 download. Is anyone having difficulty with the more recent versions of builds done by ITUGLIB? Are the builds on too recent RVUs? Is there something we can do better?
> >
> Hi Randall, I haven't downloaded in a while, but I'm wondering if it's
> the API change in 1.1.x? Nothing to do with your awesome efforts
> at all?

The API had a fairly minimal set of changes at 1.1.x compared to 1.0.2. Most programs should not see a significant change, AFAIK - if any at all. There are some method signature changes but if you use the recommended #define macros, you should be insulated. The 3.0 change dealt with new cyphers and changes to DLL handling of engines (moved to "providers"). We rebuilt curl using 1.0.2 and 1.1.1 with no changes that we could see. 3.0.x has a small initialization change, I think. Remember that 1.0.2 does not receive any fixes, so you could be vulnerable to CVE fixes that have been applied to 1.1.1 and 3.0.1. The biggest difference is that 1.1.x has new cyphers that 1.0.2 does not know, so if you are talking to a more up-to-date server (or client), you *can* vs. might not be able to. The most important change at 3.0 is that the OpenSSL code on NonStop is identical to standard code; and that PRNGD is no longer used on L-series (replaced by the x86 hardware randomizer, so FIPS certification is now possible). There have been certificate format changes but those were done after 1.0.2 was deprecated. Check the release notes at openssl.org.

On Saturday, December 25, 2021 at 8:55:00 p.m. UTC-5, Randall wrote:
> On Friday, December 24, 2021 at 3:10:52 p.m. UTC-5, red floyd wrote:
> > On 12/24/2021 11:01 AM, Randall wrote:
> > > Hi Everyone,
> > >
> > > I noticed that most of the OpenSSL downloads are still from the 1.0.2 series or older - there was recently even a 1.0.1 download. Is anyone having difficulty with the more recent versions of builds done by ITUGLIB? Are the builds on too recent RVUs? Is there something we can do better?
> > >
> > Hi Randall, I haven't downloaded in a while, but I'm wondering if it's
> > the API change in 1.1.x? Nothing to do with your awesome efforts
> > at all?
> The API had a fairly minimal set of changes at 1.1.x compared to 1.0.2. Most programs should not see a significant change, AFAIK - if any at all. There are some method signature changes but if you use the recommended #define macros, you should be insulated. The 3.0 change dealt with new cyphers and changes to DLL handling of engines (moved to "providers"). We rebuilt curl using 1.0.2 and 1.1.1 with no changes that we could see. 3.0.x has a small initialization change, I think. Remember that 1.0.2 does not receive any fixes, so you could be vulnerable to CVE fixes that have been applied to 1.1.1 and 3.0.1. The biggest difference is that 1.1.x has new cyphers that 1.0.2 does not know, so if you are talking to a more up-to-date server (or client), you *can* vs. might not be able to. The most important change at 3.0 is that the OpenSSL code on NonStop is identical to standard code; and that PRNGD is no longer used on L-series (replaced by the x86 hardware randomizer, so FIPS certification is now possible). There have been certificate format changes but those were done after 1.0.2 was deprecated. Check the release notes at openssl.org.

In case anyone is wondering about compatibility of OpenSSL 1.1.1 and NonStop SSL, the SPR that comes with L21.06 is 1.1.1k. Although slightly older than the ITUGLIB build, NonStop SSL has the new protocols, cyphers, and certificates that are also in the ITUGLIB OpenSSL build. 1.0.2 is starting to show come cracks in terms of compatibiity, so please think about upgrading. Staying on unsupported versions is not a good plan.

Although, some of the CVEs applicable to 1.0.2 have fixes, but they are only available on a fee basis - it costs real (not cheap!) money to get the fixes from the OpenSSL team beyond 1.0.2u - and if you want help with that, please reach out to me and we can work something out. The more people who do, the less expensive it will be.