digitalcourage.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#openssl

openSUSE Linux<p>Security &amp; tooling got stronger too! <a href="https://fosstodon.org/tags/vim" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vim</span></a> 9.1.1508 now supports <a href="https://fosstodon.org/tags/Wayland" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Wayland</span></a> clipboard &amp; new language syntax, <a href="https://fosstodon.org/tags/myrlyn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>myrlyn</span></a> 0.9.7 improves sudo env handling, and key fixes landed in bind, <a href="https://fosstodon.org/tags/sudo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sudo</span></a>, php8, <a href="https://fosstodon.org/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>, libxml2, git &amp; more. <a href="https://fosstodon.org/tags/Tumbleweed" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tumbleweed</span></a> <a href="https://fosstodon.org/tags/openSUSE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openSUSE</span></a> <a href="https://fosstodon.org/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> <a href="https://news.opensuse.org/2025/08/01/tw-monthly-update-july/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.opensuse.org/2025/08/01/t</span><span class="invisible">w-monthly-update-july/</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://social.glitched.systems/@froge" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>froge</span></a></span> that's a question I'd like to ask <span class="h-card" translate="no"><a href="https://mastodon.social/@mozilla_support" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mozilla_support</span></a></span> ...</p><ul><li>My assumption is that <a href="https://infosec.space/tags/Mozilla" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mozilla</span></a>'s <a href="https://infosec.space/tags/NSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NSS</span></a> not only supports a shitton of architectures with specific, custom code but also includes the <a href="https://infosec.space/tags/certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>certificates</span></a> to trust per default, and those are thousands of CAs with potentially dozens of certificates each...</li></ul><p>AFAIK <a href="https://infosec.space/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> doesn't ship with any certificates at all...</p>
Nick<p>Some interesting vulnerabilities were patched and <a href="https://infosec.exchange/tags/apache2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apache2</span></a> has released Apache/2.4.65.</p><p><a href="https://infosec.exchange/tags/SSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SSL</span></a> <a href="https://infosec.exchange/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Clemens<p>Another commit landed in <a href="https://chaos.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>: <a href="https://github.com/openssl/openssl/commit/6b93db7bfd572e81fac581c5be7b0d7509febb80" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/openssl/openssl/com</span><span class="invisible">mit/6b93db7bfd572e81fac581c5be7b0d7509febb80</span></a></p><p>This time, it's a drive-by thing inspired by <span class="h-card" translate="no"><a href="https://social.wildeboer.net/@jwildeboer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jwildeboer</span></a></span> who's working on S/MIME X.509 certificates: the X.509 standards renamed one of the bits in the keyUsage extension from `nonRepudiation` to `contentCommitment`, and OpenSSL only understood the old name.</p><p>Slowly improving the world one commit at a time.</p>
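Added example, not part of Clemens's post and not OpenSSL's code: a minimal Python encoder/decoder for the DER BIT STRING carried in the keyUsage extension, treating `nonRepudiation` and `contentCommitment` as two names for bit 1, which is the rename the post describes. The function names are hypothetical; bit positions follow RFC 5280.

```python
# Added illustration; not OpenSSL source code. Function names are hypothetical.
# keyUsage named bits in RFC 5280 order: list index == bit number.
KEY_USAGE_BITS = [
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
# Bit 1 was called nonRepudiation before the X.509 rename; accept both.
LEGACY_NAMES = {"nonRepudiation": "contentCommitment"}


def encode_key_usage(spec: str) -> bytes:
    """Turn 'digitalSignature, contentCommitment' into a DER BIT STRING."""
    bits = set()
    for raw in spec.split(","):
        name = LEGACY_NAMES.get(raw.strip(), raw.strip())
        if name not in KEY_USAGE_BITS:
            raise ValueError(f"unknown keyUsage name: {raw.strip()!r}")
        bits.add(KEY_USAGE_BITS.index(name))
    # DER named-bit lists drop trailing zero bits, so size by the highest bit.
    nbits = max(bits) + 1
    nbytes = (nbits + 7) // 8
    body = bytearray(nbytes)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the MSB of the first octet
    unused = nbytes * 8 - nbits
    return bytes([0x03, 1 + nbytes, unused]) + bytes(body)


def decode_key_usage(der: bytes) -> list:
    """Return the names set in a DER keyUsage BIT STRING, using the new name."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    return [
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i // 8 < len(body) and body[i // 8] & (0x80 >> (i % 8))
    ]


if __name__ == "__main__":
    # Constructed inputs: the old and new spelling yield identical bytes.
    for spec in ("digitalSignature, nonRepudiation",
                 "digitalSignature, contentCommitment",
                 "keyCertSign, cRLSign"):
        der = encode_key_usage(spec)
        print(f"{spec:40s} -> {der.hex()} -> {decode_key_usage(der)}")
```

A parser that knows only one of the two names rejects configurations written with the other, even though the certificate bytes are the same either way.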
Richard Levitte<p><span class="h-card" translate="no"><a href="https://mastodon.sl/@afink" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>afink</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> <a href="https://mastodon.nu/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> has some migration guides, are those functions not included in there?<br>Which two?</p>
daniel:// stenberg://<p>I nominate <a href="https://docs.openssl.org/3.3/man3/d2i_X509/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">docs.openssl.org/3.3/man3/d2i_</span><span class="invisible">X509/</span></a> as <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>'s worst man page. And there's fierce competition for that award.</p><p>And in the end it does not even mention the weird behavior: it stores errors in an internal queue which mysteriously makes the *next* invoked function fail...</p>
Nicola Tuveri<p><a href="https://floss.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> 📢 -- OpenSSL Foundation endorses UN Open Source Principles</p><p>🔗 <a href="https://openssl-foundation.org/post/2025-08-07-un-open-source-principles/?utm_source=atom_feed" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">openssl-foundation.org/post/20</span><span class="invisible">25-08-07-un-open-source-principles/?utm_source=atom_feed</span></a></p><p>From <a href="https://floss.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> -- Blog on OpenSSL Foundation</p>
Clemens<p>'We are pleased to inform you that we accept your proposal “<a href="https://chaos.social/tags/RedHat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RedHat</span></a>​'s path to post-quantum cryptography with OpenSSL” for the <a href="https://chaos.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> Conference'</p><p>Looks like I'm going to Prague in October!</p>
Mynacol<p>And for some more context: Did you know <a class="hashtag" href="https://social.mynacol.xyz/tag/openssl" rel="nofollow noopener" target="_blank">#openssl</a> 3.x is quite poor in its performance? <a href="https://www.haproxy.com/blog/state-of-ssl-stacks" rel="nofollow noopener" target="_blank">https://www.haproxy.com/blog/state-of-ssl-stacks</a></p>
Mynacol<p>I finally tried to replace <a class="hashtag" href="https://social.mynacol.xyz/tag/openssl" rel="nofollow noopener" target="_blank">#openssl</a> with <a class="hashtag" href="https://social.mynacol.xyz/tag/aws" rel="nofollow noopener" target="_blank">#aws</a>-lc on some of my services. Unfortunately, <a class="hashtag" href="https://social.mynacol.xyz/tag/nginx" rel="nofollow noopener" target="_blank">#nginx</a> and <a class="hashtag" href="https://social.mynacol.xyz/tag/mosquitto" rel="nofollow noopener" target="_blank">#mosquitto</a> lack support for it. Instead, I successfully switched <a class="hashtag" href="https://social.mynacol.xyz/tag/bind" rel="nofollow noopener" target="_blank">#BIND</a> to use aws-lc.</p><p>I later also noticed that the <a class="hashtag" href="https://social.mynacol.xyz/tag/rustls" rel="nofollow noopener" target="_blank">#rustls</a> compatibility shim is in nixpkgs 25.05, but here BIND is missing some variables. And despite the wrapper being explicitly made for nginx, it also fails here with</p><pre><code>/nix/store/mkvc0lnnpmi604rqsjdlv1pmhr638nbd-binutils-2.44/bin/ld: objs/src/stream/ngx_stream_ssl_module.o: in function `ngx_stream_ssl_servername':
/build/nginx-1.28.0/src/stream/ngx_stream_ssl_module.c:606:(.text+0xd59): undefined reference to `SSL_SESSION_get0_hostname'
</code></pre><p>A shame. I wanted to change to more modern libraries.</p><p>Untested: <a class="hashtag" href="https://social.mynacol.xyz/tag/dovecot" rel="nofollow noopener" target="_blank">#dovecot</a> and <a class="hashtag" href="https://social.mynacol.xyz/tag/postfix" rel="nofollow noopener" target="_blank">#postfix</a> (they lack a <code>services.(dovecot2|postfix).package</code> variable to easily change the used package). A PR for dovecot is already open to add support for it.</p>
testssl.sh :verified:<p>testssl.sh now also makes it easier for MacOS users to run a <a href="https://infosec.exchange/tags/QUIC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QUIC</span></a> protocol test -- if you have <a href="https://infosec.exchange/tags/openssl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openssl</span></a> from e.g. <a href="https://infosec.exchange/tags/homebrew" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>homebrew</span></a> installed.</p><p>It automagically uses that one for testing QUIC then, in 3.3dev.</p>
KielKontrovers Blog<p><span class="h-card" translate="no"><a href="https://norden.social/@nilz" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>nilz</span></a></span> I had already feared that the podcast would pick up these prejudices. Those solo developers do exist, but they are not the majority. OSS is big business; what is sometimes problematic are small projects that are actually important but under-maintained, see also <a href="https://norden.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>. The small projects that are not essential are not as significant or problematic when something goes wrong. Bugs exist in closed source too, that is not a unique feature.</p>
Richard Levitte<p><span class="h-card" translate="no"><a href="https://mastodon.social/@Viss" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Viss</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span><br>For some, it seems to work. My experience of bug bounties (through <a href="https://mastodon.nu/tags/openssl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openssl</span></a>) has mostly been slop, even before AI entered the scene. <span class="h-card" translate="no"><a href="https://mastodon.social/@bagder" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bagder</span></a></span> has had a better experience, it seems.</p>
Felix Palmen :freebsd: :c64:<p>Just released: <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a> 0.12 🥂</p><p>swad is the "Simple Web Authentication Daemon". It basically offers adding form + <a href="https://mastodon.bsd.cafe/tags/cookie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cookie</span></a> <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a> to your reverse proxy (designed for and tested with <a href="https://mastodon.bsd.cafe/tags/nginx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nginx</span></a> "auth_request"). I created it mainly to defend against <a href="https://mastodon.bsd.cafe/tags/malicious_bots" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malicious_bots</span></a>, so among other credential checker modules for "real" logins, it offers a proof-of-work mechanism for guest logins doing the same <a href="https://mastodon.bsd.cafe/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crypto</span></a> <a href="https://mastodon.bsd.cafe/tags/challenge" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>challenge</span></a> known from <a href="https://mastodon.bsd.cafe/tags/Anubis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Anubis</span></a>.</p><p>swad is written in pure <a href="https://mastodon.bsd.cafe/tags/C" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>C</span></a> with minimal dependencies (<a href="https://mastodon.bsd.cafe/tags/zlib" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zlib</span></a>, <a href="https://mastodon.bsd.cafe/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> or compatible, and 
optionally <a href="https://mastodon.bsd.cafe/tags/PAM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PAM</span></a>), and designed to work on any <a href="https://mastodon.bsd.cafe/tags/POSIX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>POSIX</span></a> system. It compiles to a small binary (200 - 300 kiB depending on compiler and target platform).</p><p>This release brings (among a few bugfixes) improvements to make swad fit for "heavy load" scenarios: There's a new option to balance the load across multiple service worker threads, so all cores can be fully utilized if necessary, and it now keeps lots of transient objects in pools for reuse, which helps to avoid memory fragmentation and ultimately results in lower overall memory consumption.</p><p>Read more about it, download the .tar.xz, build and install it .... here:</p><p><a href="https://github.com/Zirias/swad" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/Zirias/swad</span><span class="invisible"></span></a></p>
daniel:// stenberg://<p>Would you say this is an accurate description of (some of the) <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> forks family tree?</p><p>(These are the OpenSSL forks <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a> supports.)</p>
Felix Palmen :freebsd: :c64:<p>Oh boy, I have a lead! And it's NOT related to <a href="https://mastodon.bsd.cafe/tags/TLS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TLS</span></a>. I finally noticed another pattern: <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a> only <a href="https://mastodon.bsd.cafe/tags/crashed" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crashed</span></a> when running as a <a href="https://mastodon.bsd.cafe/tags/daemon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>daemon</span></a>. The daemonizing wasn't the problem, but the default logging configuration attached to it: "fake async", by letting a <a href="https://mastodon.bsd.cafe/tags/threadpool" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threadpool</span></a> job do the logging.</p><p>Forcing THAT even when running in foreground, I can finally reproduce a crash. And I wouldn't be surprised if that was actually the reason for crashing "pretty quickly" with <a href="https://mastodon.bsd.cafe/tags/LibreSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LibreSSL</span></a> (and only rarely with <a href="https://mastodon.bsd.cafe/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>), I mean, something going rogue in your address space can have the weirdest effects.</p>
Nicola Tuveri<p>I’ve been elected to represent the Academic community in the OpenSSL’s Foundation BAC/TAC and Corporation TAC! 🎓🔐</p><p>If you’re working in crypto, systems security, or FOSS research, join the conversation on the OpenSSL Communities Forum—especially the Academic community. Your input can shape OpenSSL’s roadmap.</p><p><a href="https://openssl-communities.org/d/4cn9aVQH/welcome-from-your-academic-representative-in-the-openssl-foundation-bac-tac-and-corporation-tacs" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">openssl-communities.org/d/4cn9</span><span class="invisible">aVQH/welcome-from-your-academic-representative-in-the-openssl-foundation-bac-tac-and-corporation-tacs</span></a></p><p><a href="https://floss.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> <a href="https://floss.social/tags/FOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FOSS</span></a> <a href="https://floss.social/tags/FLOSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FLOSS</span></a> <a href="https://floss.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> <a href="https://floss.social/tags/Academia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Academia</span></a> <a href="https://floss.social/tags/AcademicChatter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AcademicChatter</span></a></p>
Felix Palmen :freebsd: :c64:<p>I need help. First the question: On <a href="https://mastodon.bsd.cafe/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeBSD</span></a>, with all ports built with <a href="https://mastodon.bsd.cafe/tags/LibreSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LibreSSL</span></a>, can I somehow use the <a href="https://mastodon.bsd.cafe/tags/clang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>clang</span></a> <a href="https://mastodon.bsd.cafe/tags/thread" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>thread</span></a> <a href="https://mastodon.bsd.cafe/tags/sanitizer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sanitizer</span></a> on a binary actually using LibreSSL and get sane output?</p><p>What I now observe debugging <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a>:</p><p>- A version built with <a href="https://mastodon.bsd.cafe/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> (from base) doesn't crash. At least I tried very hard, really stressing it with <a href="https://mastodon.bsd.cafe/tags/jmeter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jmeter</span></a>, to no avail. Built with LibreSSL, it does crash.<br>- Less relevant: the OpenSSL version also performs slightly better, but needs almost twice the RAM<br>- The thread sanitizer finds nothing to complain when built with OpenSSL<br>- It complains a lot with LibreSSL, but the reports look "fishy", e.g. it seems to intercept some OpenSSL API functions (like SHA384_Final)<br>- It even complains when running with a single-thread event loop.<br>- I use a single SSL_CTX per listening socket, creating SSL objects from it per connection ... 
also with multithreading; according to a few sources, this should be supported and safe.<br>- I can't imagine doing that on a *single* thread could break with LibreSSL, I mean, this would make SSL_CTX pretty much pointless<br>- I *could* imagine sharing the SSL_CTX with multiple threads to create their SSL objects from *might* not be safe with LibreSSL, but no idea how to verify as long as the thread sanitizer gives me "delusional" output 😳</p>
PurpleJillybeans :PrideDisk:<p>:DuckDuckGo: <a href="https://kind.social/tags/DuckDuckFedi" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DuckDuckFedi</span></a> :</p><p>Where could I find docs for historical versions of <a href="https://kind.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a>? I'm trying to set up a CA for <a href="https://kind.social/tags/RetroComputing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RetroComputing</span></a> machines with OpenSSL 0.9.6b, but the little bit of documentation that came with it isn't telling me much. Basically need to create a CA certificate I can put on client machines so that they won't complain about self-signed certs.</p>
daniel:// stenberg://<p>"download time is reduced by ~13%" (for <a href="https://mastodon.social/tags/curl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>curl</span></a>)</p><p>... by adding some odd <a href="https://mastodon.social/tags/OpenSSL" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSSL</span></a> functions we didn't know existed.</p><p><a href="https://github.com/curl/curl/pull/17548" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/curl/curl/pull/17548</span><span class="invisible"></span></a></p>