OpenSSL and Heimdal

Gary Palmer gpalmer at freebsd.org
Wed May 2 23:28:23 UTC 2012


On Wed, May 02, 2012 at 11:45:27PM +0100, Matt Dawson wrote:
> On Wednesday 02 May 2012 23:14:41 Mark Felder wrote:
> > Why go out of your way and use mod_gnutls?
> 
> Because it supports TLSv1.[1|2], which was the PP's question, whereas 
> OpenSSL doesn't and doesn't show any signs of doing so in the near 
> future:
> 
> https://www.openssl.org/support/funding/wishlist.html
> 
> Note well the "If and when."
> 
> IE might be the only client with support for those protocols right now 
> but somebody has to lead the way on the server side or you end up with 
> a mutual apathy loop (AKA positive can't be arsed feedback loop).

Their website is out of date.  This is from CHANGES in OpenSSL 1.01a:

  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:

      o TLS/DTLS heartbeat support.
      o SCTP support.
      o RFC 5705 TLS key material exporter.
      o RFC 5764 DTLS-SRTP negotiation.
      o Next Protocol Negotiation.
      o PSS signatures in certificates, requests and CRLs.
      o Support for password based recipient info for CMS.
      o Support TLS v1.2 and TLS v1.1.
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.

Note the 3rd last bullet point.

Regards,

Gary


