Skip to main content

Search

Items tagged with: OpenSSL


Three years ago I blogged about #OpenSSL's decision to deliberately block #QUIC progress in the world: daniel.haxx.se/blog/2021/10/25…

Which is timely with the OpenSSL 3.4.0 release announced just days ago: that still does not offer a working (and performant) QUIC API. (yes, there is an attempt there but it's not production grade)

It's almost like the writing was on the wall already a long time ago.


#openssl 3 does not seem to perform very well against the competition, as Willy of #haproxy fame details here: github.com/haproxy/haproxy/iss…


I read the new #openssl advisory several times and I can't tell if #curl is affected.

This advisory was unusually vague and badly written.


Since #openssl does not seem to fix any of the remaining #QUIC API problems in their upcoming 3.4 release, it will keep lagging behind.

openssl-library.org/post/2024-…


According to @bagder the stubborn way the #OpenSSL project is handling #QUIC implementation is directly responsible for delaying HTTP/3 adoption (1), and I tend to agree. When the project rejected the community QUIC patches and decided to go with their own design, it wasn't difficult to predict problems. This was proven right by the massive feature gaps (2) and performance issues (3) discovered by @icing when trying to marry OpenSSL QUIC to #curl. Even with API fixes released in version 3.3 the implementation is still inferior, and there is no good solution in sight.

1) lwn.net/Articles/983380/
2) github.com/openssl/openssl/dis…
3) github.com/icing/blog/blob/mai…


CVE-2024-5535 is an #OpenSSL problem that cannot be triggered by #curl

OpenSSL calls it it a low severity flaw. openssl.org/news/vulnerabiliti…

GitHub lists it as "critical" at 9.1 out of 10: github.com/advisories/GHSA-4fc…


unfortunately, the new #openssl version does not do #QUIC good enough for #curl to consider removing the experimental label from it:

curl.se/mail/distros-2024-04/0…


There are TLS servers that don't send the required close_notify alert message in certain conditions. #Google web servers do this if they think the that recipient isn't interested about the message body and no connection keep alive is set. Examples of such connections would be requests that end up with 0 byte message body while:
• HTTP/1.0 without "Connection: keep-alive" header or
• HTTP/1.1 with "Connection: close" header

This can cause some complications since #OpenSSL 3 defaults to erroring out if the close_notify is missing.

SSL_OP_IGNORE_UNEXPECTED_EOF option was added to enable talking to these non-compliant servers. Enabling this option removes truncation attack protection - so this option should really only be used when absolutely necessary. However, unless if you control the servers being talked to, you probably need to enable this option for now.

So why does Google terminate connections without close_notify? Likely it is done to save some resources when tearing down TLS connections. If you have billions of connections going on all the time, even some small savings add up quickly.

github.com/php/php-src/issues/…


Building #curl using #OpenSSL 3.2 #QUIC?

github.com/curl/curl/discussio…


We just created a #HOWTO for how to set up dev/test servers using our #TLS #EncryptedClientHello #ECH enabled forks of #OpenSSL #nginx and #curl running on #Debian. It should be very quick to get started using a new domain: guardianproject.info/2023/11/1…


I feel for you. I'm sure you are far from alone in such an unfortunate situation. I blame #OpenSSL for not caring much about their users.


The "#OpenSSL situation" will still make it tricky for ordinary people to enable HTTP/3.

As I blogged already two years ago: daniel.haxx.se/blog/2021/10/25…


"The #OpenSSL project really seems to be in a dead end for me, it's incompatible with #QUIC and unfixable performance-wise" / Willy Tarreau

mailarchive.ietf.org/arch/msg/…


„One might wonder how a punycode decoder that overflows on an example string from the RFC makes it into a cryptographic library released in '21.“ #OpenSSL

marc.info/?l=openbsd-ports-cvs…