Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

OpenSSL versions software vendors are using

Daniel Nashed – 5 December 2021 09:02:08

When looking into Splunk over the weekend I realized again that software vendors are often using quite old versions of important security-related software like OpenSSL.
So I looked into the OpenSSL history and found out that OpenSSL 1.0.2 was the last version with FIPS 140 support.

After removal of FIPS 140 support in 1.1.0 it is back in OpenSSL 3.0.

So this hopefully opens the door for many software vendors to switch to a newer OpenSSL version.
My current Splunk server on Docker uses: "OpenSSL 1.0.2y-fips  16 Feb 2021".

This is quite up to date from a security patch point of view.
But when you have a look into the major improvements in more recent OpenSSL versions, it is really time to move.

I have already built my nshcertool on OpenSSL 3.0 and there have been only some minor changes I had to take care of.
It now compiles and works for both versions.  

Notes/Domino is currently using OpenSSL 1.1.1 and now that OpenSSL 3.0 is available switching to OpenSSL 3.0 is the next logical move.

Red Hat switched to OpenSSL 3.0 with RHEL/CentOS Stream 9 as I mentioned in an earlier post.
So this might be another reason why software vendors might look into OpenSSL 3.0 soon.

On the other hand, relying on the OpenSSL version installed on an operating system might not be the best strategy in most cases.
But shipping your own OpenSSL version requires building it in a way that it can run on the oldest OS version you support.


-- Daniel


Major version releases
Version  Released           Last minor version
1.0.2    22 January 2015    1.0.2u (20 December 2019)
1.1.0    25 August 2016     1.1.0l (10 September 2019)
1.1.1    11 September 2018  ongoing development
3.0.0     7 September 2021  ongoing development

Additional information:
https://en.wikipedia.org/wiki/OpenSSL
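
As an added example (not code from this post or from any vendor), the following Python sketch parses `openssl version` banners such as the Splunk one quoted above and checks them against the rows of the table. The function names, the status strings, the mapping of 3.0.x to the table's 3.0.0 row and every sample banner other than the Splunk one are assumptions made for illustration.

```python
import re
import ssl

# Rows copied from the "Major version releases" table above (state: December 2021).
# Value: patch letter of the last minor version listed, None = "ongoing development".
# Assumption: any 3.0.x build is mapped to the table's 3.0.0 row.
TABLE = {"1.0.2": "u", "1.1.0": "l", "1.1.1": None, "3.0": None}

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-fips)?")


def parse_banner(banner):
    """Split an `openssl version` style banner into branch, patch and FIPS flag."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None  # not an OpenSSL banner (for example a LibreSSL build)
    major, minor, fix, letter, fips = m.groups()
    if int(major) >= 3:
        # 3.x numbering is major.minor.patch without letter suffixes.
        branch, patch = f"{major}.{minor}", fix
    else:
        # 1.x numbering: the trailing letter is the patch level.
        branch, patch = f"{major}.{minor}.{fix}", letter
    return {"branch": branch, "patch": patch, "fips": fips is not None}


def classify(banner):
    """Return a status string for the banner, based only on the table's rows."""
    info = parse_banner(banner)
    if info is None or info["branch"] not in TABLE:
        return "unknown"
    last = TABLE[info["branch"]]
    if last is None:
        return "ongoing"
    # Patch letters run a..z, then za, zb, ...: compare by length first.
    if (len(info["patch"]), info["patch"]) > (len(last), last):
        return "ended, patched past table"
    return "ended"


if __name__ == "__main__":
    samples = [
        "OpenSSL 1.0.2y-fips  16 Feb 2021",  # banner quoted in the post
        "OpenSSL 1.1.0h",                    # constructed sample
        "OpenSSL 1.1.1l",                    # constructed sample
        "OpenSSL 3.0.0 7 sep 2021",          # constructed sample
        ssl.OPENSSL_VERSION,                 # library this interpreter is linked against
    ]
    for banner in samples:
        print(f"{banner!r:45} -> {classify(banner)} {parse_banner(banner)}")
```

The last sample shows the point made above about bundled libraries: the OpenSSL a runtime is linked against can differ from the one `openssl version` reports on the same host.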


