OpenSSL 1.1.0 improvements 27 feb 2016 | Last updated: 27 feb 2016 00:01

OpenSSL 1.1.0 adds configuration options and uses saner defaults

OpenSSL 1.1.0 improvements

I received a notification from GitHub for an Issue I opened on the OpenSSL repo. The issue's description was "Remove EGD support or make EGD support configurable".
Digging into the commits on the OpenSSL repo I found some more interesting tidbits that I wanted to share with you. For a full changelog see the OpenSSL GitHub repo

Looking at it all, it seems that OpenSSL is playing catch-up with LibreSSL a bit, but we are expecting a load of new vulnerabilities coming week. Seems that one of 'm was leaked via GitHub and there's mention of CVE-2016-0705 and CVE-2016-0799 as well.


Looks like the OpenSSL team did see some sense in the changes that LibreSSL applied and removed a number of feature.

Feature LibreSSL
GOST engine Removed <2.0, added different implementation in 2.1.2
JPAKE protocol Removed <2.0
40-bit ciphers Removed <2.0
56-bit ciphers Removed <2.0
4758cca engine Removed <2.0
aep engine Removed <2.0
atalla engine Removed <2.0
cswift engine Removed <2.0
nuron engine Removed <2.0
gmp engine Removed <2.0
sureware engine Removed <2.0
TLS heartbeat Removed <2.0
Sony NEWS4 platform Removed <2.0
BEOS and BEOS_R5 platform Removed <2.0
NeXT platform Removed <2.0
SUNOS platform Removed <2.0
MPE/iX platform Removed <2.0
Sinix/ReliantUNIX RM400 platform Removed <2.0
DGUX platform Removed <2.0
NCR platform Removed <2.0
Tandem platform Removed <2.0
Cray platform Removed <2.0
16-bit platforms such as WIN16 Removed <2.0

Disabled by default

Feature LibreSSL
EGD random Removed <2.0
DTLS heartbeat Removed <2.0
Compression Removed <2.0
SSLv2 Removed <2.0


As of last month, OpenSSL added a knob OPENSSL_NO_EGD which luckily is exactly the same as what we already have for LibreSSL. Apart from making this configurable, EGD is also disabled by default as this is required on so few systems.


Also known as the CRIME attack. Compression is now disabled by default and must be specifically enabled by clearing the option on the SSL context SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION)

Deprecated interfaces

Not quite yet. Still defaults to exposing the deprecated methods and structs but advises building with -DOPENSSL_API_COMPAT=0x10100000L which hides the declarations.
This is quite unneccessary, I believe we have patches (and thus a sufficient number of examples) to enable this by default. Require projects to build with -DOPENSSL_API_COMPAT=0x10000000L if they really need them!

LibreSSL removed all deprecated interfaces prior to initial release


You'll probably find my repository of patches helpful. There's also a repository of patches if you want to build without SSLv3