OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a full-strength general-purpose cryptography library.

Recent releases

  •  09 Jan 2014 07:27

    Release Notes: A TLS record tampering bug was fixed. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception (CVE-2013-4353). Original DTLS digest and encryption contexts are kept in retransmission structures so that the previous session parameters can be used if they need to be re-sent (CVE-2013-6450). An SSL_OP_SAFARI_ECDHE_ECDSA_BUG option (part of SSL_OP_ALL), which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X, was added.

    •  07 Feb 2013 12:20

      Release Notes: A weakness in the handling of CBC ciphersuites in SSL, TLS, and DTLS, exploited through timing differences arising during MAC processing, was fixed. This vulnerability was reported as CVE-2013-0169. A flaw in the handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms was fixed. This vulnerability was reported as CVE-2012-2686. A flaw in the handling of OCSP response verification, exploitable with a denial of service attack, was fixed. This vulnerability was reported as CVE-2013-0166.

      •  06 Jun 2012 16:01

        Release Notes: Record lengths are now sanity checked before skipping the explicit IV in TLS 1.2, 1.1, and DTLS, to avoid possible DoS attacks. A possible deadlock when decoding public keys has been fixed. The TLS 1.0 record version number is no longer used in the initial client hello if renegotiating. tkeylen is now initialized properly when encrypting CMS messages. In FIPS mode, composite ciphers are no longer used, as they are not approved.

        •  20 Apr 2012 10:59

          Release Notes: A check has been added for potentially exploitable overflows in asn1_d2i_read_bio, BUF_mem_grow, and BUF_mem_grow_clean. Workarounds have been introduced for some broken servers which "hang" if a client hello record length exceeds 255 bytes. Incorrect use of TLS 1.2 SHA-256 ciphersuites in TLS 1.0 and 1.1 connections is now avoided. A segmentation fault in the Vector Permutation AES module has been fixed.

          •  14 Mar 2012 15:36

            Release Notes: Initial TLSv1.1 support and TLS v1.2 support were implemented. Many improvements and minor bugfixes were made.

            Recent comments

            01 Jan 2003 16:50 toop

            Not free anymore
            http://www.deadly.org/article.php3?sid=20020924004335


            It means that OpenSSL is becoming a non-free software project, because
            the code from Sun contains licenses which invoke patent litigation;
            the licence on the new code basically builds a contract that says "if
            you use this code, you cannot sue Sun".


            http://marc.theaimsgroup.com/?l=openbsd-misc&m=103280816316720&w=2

            30 Dec 2002 16:49 levitte

            Re: OpenSSL
            Yes, OpenSSL is based on SSLeay. SSLeay is dead, and a few people took the last source (0.9.1b) and made it into OpenSSL (0.9.1c). OpenSSL has developed from there.

            22 Jul 2002 18:13 OneSmallStep4Man

            OPEN SSL API DOCUMENTATION
            Could anyone recommend a good place to get documentation on OpenSSL? I've downloaded the software and I need to port it to VxWorks as a client. I would like to find documentation that describes the necessary API calls and the order that they must be called.

            THANKS!

            10 Jul 2001 12:21 petra

            Re: OpenSSL

            > Uhhh.... They are the same thing.
            > SSLeay was renamed to OpenSSL, AFAIK.


            To quote OpenSSL's page, "OpenSSL is based on the excellent SSLeay library..."


            > I would warn you - if you want
            > documentation for your software - look
            > elsewhere.


            Or you could visit openssl.org/docs and read the library function definitions, then subscribe to the mailing list and read the source to the example programs (like openssl itself). The documentation isn't perfect, but it's available.

            25 Jun 2001 15:37 cypherpunks

            I highly recommend ignoring anything this guy says!
            Before using OpenSSL, I used SSLeay which was good in its own right but I believe that OpenSSL has a bigger and brighter future than SSLeay.

            Uhhh.... They are the same thing. SSLeay was renamed to OpenSSL, AFAIK. So yeah, considering that SSLeay is dead, I'd say that OpenSSL has a brighter future. Or, considering that they are the same thing, I guess they have the same future.

            OpenSSL is easy to setup and use and compiles on a variety of systems. I would highly recommend OpenSSL to anyone wanting well done SSL support!

            I would warn you - if you want documentation for your software - look elsewhere. Then come back here because there is nothing else. I would highly recommend OpenSSL to anyone wanting free/opensource SSL support because you have no other real choice!
