Hacker News

OpenSSL 4.0.0

255 points, posted by petecooper yesterday at 5:45 PM, 83 comments

Comments

capitol_, yesterday at 6:10 PM

Finally encrypted client hello support \o/

caycep, yesterday at 7:23 PM

How is OpenSSL these days? I vaguely remember the big ruckus a while back (was it Heartbleed?) where everyone, to their horror, realized it was maybe 1 or 2 people trying to maintain OpenSSL, and the OpenBSD people then throwing manpower at it to clear up a lot of old outstanding bugs. It seems like it is on firmer/more organized footing these days?

georgthegreat, yesterday at 7:10 PM

https://www.haproxy.com/blog/state-of-ssl-stacks

According to this, one should not be using v3 at all...

ibrahimhossain, today at 6:33 AM

Manual opt-out processes are becoming a major friction point. It's interesting how these tools only improve their defaults after a community backlash. Trust is so hard to build but so easy to burn in this space.

rwmj, yesterday at 7:15 PM

Compared to OpenSSL 3, this transition has been very smooth. Only the dropping of "Engines" was a problem at all, and in Fedora most of those dependencies have been changed.

ge96, yesterday at 6:40 PM

Just in time for the suckerpinch video.

yjftsjthsd-h, yesterday at 6:11 PM

As a complete non-expert:

On the one hand, it looks like decent cleanup. (IIRC, engines in particular will not be missed.)

On the other hand, breaking compatibility is always a tradeoff, and I still remember 3.x being... not universally loved.

snvzz, today at 9:01 AM

Kind reminder that we should be using LibreSSL.

semiquaver, today at 2:40 AM

Major version bump? I wonder how much slower it will get now.

Neywiny, today at 12:51 AM

Good to see const more prevalent. Too often I have to add that into libraries for embedded. Possibly I believe in const by default, but it is what it is at this point.

GZGavinZhao, today at 2:27 AM

*Linux distro package maintainers scream*

bensyverson, yesterday at 7:46 PM

I just updated to 3.5.x to get PQ support. Anything that might tempt me to upgrade to 4.0?

jmclnx, yesterday at 6:58 PM

I wonder how hard it is to move from 3.x to 4.0.0?

From what I remember hearing, the move from 2 to 3 was hard.

cookiengineer, today at 2:40 AM

> libcrypto no longer cleans up globally allocated data via atexit().

> OPENSSL_cleanup() now runs in a global destructor, or not at all by default.

Oh oh. Heartbleed 2.0 incoming.

I really do hope that they broke APIs, specifically throwing errors or race conditions, so that devs are forced to clean up. Otherwise this is going to be a nightmare to find out in terms of maintenance and audits.

I mean, it's a new major release, so it's a valid design change. But I hope they're thinking of providing a migration/update guide or a checklist to reduce usage errata.

(I'm heavily in favor of deprecating the fixed-version method names.)

theowaway, yesterday at 11:25 PM

Oh no, not another breaking ABI change.

pixel_popping, yesterday at 9:36 PM

Mythos is coming for yaaaaa (just kidding).