18 comments

[ 2.6 ms ] story [ 39.5 ms ] thread
Finally encrypted client hello support \o/
(comment deleted)
As a complete non-expert:

On the one hand, looks like decent cleanup. (IIRC, engines in particular will not be missed).

On the other hand, breaking compatibility is always a tradeoff, and I still remember 3.x being... not universally loved.

Just in time for the suckerpinch video
I wonder how hard it is to move from 3.x to 4.0.0 ?

From what I remember hearing, the move from 2 to 3 was hard.

Compared to OpenSSL 3 this transition has been very smooth. Only dropping of "Engines" was a problem at all, and in Fedora most of those dependencies have been changed.
How is OpenSSl these days? I vaguely remember the big ruckus a while back, was it Heartbleed? where everyone to their horror realized it was maybe 1 or 2 people trying to maintain OpenSSL, and the OpenBSD people then throwing manpower at it to clear up a lot of old outstanding bugs. It seems like it is on firmer/more organized footing these days?
I just updated to 3.5x to get pq support. Anything that might tempt me to upgrade to 4.0?
oh no not another breaking ABI change
Good to see const more prevalent. Too often I have to add that in to libraries for embedded. Possibly I believe in const by default but it is what it is at this point
*Linux distro package maintainers screams
> libcrypto no longer cleans up globally allocated data via atexit().

> OPENSSL_cleanup() now runs in a global destructor, or not at all by default.

Oh oh. Heartbleed 2.0 incoming.

I really do hope that they broke APIs specifically throwing errors or race conditions so that devs are forced to cleanup. Otherwise this is going to be a nightmare to find out in terms of maintenance and audits.

I mean it's a new major release so it's a valid design change. But I hope they're thinking of providing and migration/update guide or a checklist to reduce usage errata.

(I'm heavily in favor of deprecating the fixed version method names)

Major version bump? I wonder how much slower it will get now.
Manual opt out processes are becoming a major friction point. It's interesting how these tools only improve their defaults after a community backlash. Trust is so hard to build but so easy to burn in this space
Kind reminder we should be using Libressl.