Deploy360 7 September 2016

OpenSSL 1.1.0 released

By Kevin Meynell, Manager, Technical and Operational Engagements

Catching up on developments from last week, it’s worth mentioning that version 1.1.0 of OpenSSL has been released. As well as removing support for deprecated cryptographic protocols, including SSLv2, this release is notable for adding support for DANE (DNS-based Authentication of Named Entities) and Certificate Transparency.

OpenSSL is an open-source software library developed by the OpenSSL Software Foundation and is estimated to be used by over two-thirds of all web servers. The core library implements the basic cryptographic functions, with support for a variety of programming languages provided through wrappers. Versions are available for Windows, macOS, Linux and other Unix-like operating systems, as well as OpenVMS and System i.

With DANE, a domain administrator is able to certify their own public keys by publishing them in the DNS, provided the zone is signed with DNSSEC. This is done through TLSA records that associate a TLS certificate or public key with a particular domain name and port, and which can then be cryptographically verified via the DNSSEC chain of trust. The advantage is that less reliance needs to be placed on third-party Certificate Authorities (CAs), which have in the past accidentally or fraudulently issued incorrect certificates. DANE can be used for a variety of applications besides web servers, and we previously highlighted how to use it with mail servers, so having support included in OpenSSL is extremely important for the widespread deployment of DANE.
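To make the TLSA mechanism concrete, here is an added example (not code from the post or from OpenSSL) that builds and checks a TLSA record as defined in RFC 6698. It extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, computes the record data for the chosen selector and matching type, and verifies a presented certificate against a published DANE-EE (usage 3) record. The certificate it operates on is a constructed, unsigned X.509-shaped blob built by `toy_certificate`, used only so the example runs offline; a real deployment would feed it the DER of the actual server certificate.

```python
import hashlib
import hmac

# RFC 6698 TLSA RDATA fields: usage, selector, matching type, association data.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "Exact", 1: "SHA2-256", 2: "SHA2-512"}


def _tlv(buf: bytes, off: int):
    """Read one DER TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length (DER forbids indefinite)
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(value: bytes):
    """Split a constructed value into (tag, raw TLV bytes) for each child."""
    out, off = [], 0
    while off < len(value):
        tag, _, nxt = _tlv(value, off)
        out.append((tag, value[off:nxt]))
        off = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tag, cert_body, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs_raw = _children(cert_body)[0]          # tbsCertificate
    fields = _children(_tlv(tbs_raw, 0)[1])
    if fields[0][0] == 0xA0:                       # EXPLICIT [0] version is optional (v1 certs omit it)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw


def _association_data(selected: bytes, matching_type: int) -> bytes:
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA record, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Presentation-format RDATA for the certificate, e.g. '3 1 1 <hex>'."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    return f"{usage} {selector} {matching_type} {_association_data(selected, matching_type).hex()}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Check a presented end-entity certificate against one DANE-EE TLSA record.
    Usages 0-2 need chain building and are not handled by this example."""
    usage, selector, mtype, data = rdata.split()
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) matching is shown here")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
    return hmac.compare_digest(expected, data.lower())


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed demo certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def toy_certificate(public_key_bits: bytes) -> bytes:
    """Constructed, structurally valid but unsigned X.509-shaped blob for the demo.
    It is NOT a real certificate: empty names, placeholder validity and signature."""
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201")))  # id-ecPublicKey
                + _der(0x03, b"\x00" + public_key_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # version v3
                + _der(0x02, b"\x01")                   # serialNumber (constructed)
                + _der(0x30, b"")                       # signature AlgorithmIdentifier (placeholder)
                + _der(0x30, b"")                       # issuer (empty Name)
                + _der(0x30, b"")                       # validity (placeholder)
                + _der(0x30, b"")                       # subject (empty Name)
                + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = toy_certificate(b"\x04" + b"\x11" * 64)      # constructed key bytes
    print(tlsa_owner("mail.example.com", 25), "IN TLSA", tlsa_rdata(cert, 3, 1, 1))
```

The `3 1 1` combination (DANE-EE, SPKI, SHA-256) is the form most operators publish because it survives certificate renewal as long as the key pair is kept; a verifier that implements only usage 3 must still refuse records with other usages rather than silently treating them as matches, which is why `tlsa_matches` raises instead of returning `False` for them.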

Certificate Transparency is an experimental IETF standard (RFC 6962) for monitoring and auditing digital certificates. It allows website users and domain owners to identify mistakenly or maliciously issued certificates by means of Certificate Transparency logs: append-only, publicly auditable logs to which certificates are submitted, where the log checks that each submitted certificate has a valid signature chain leading back to a trusted root certificate. Certificate Transparency monitors can then watch these logs for suspicious activity, whilst auditors (possibly built into clients) can check that a log is behaving consistently and has not been tampered with.
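The auditing described above rests on the Merkle tree construction in RFC 6962: a log commits to all entries with a single root hash, and can prove that a given certificate is included without the auditor downloading the whole log. The following added example (not from the post, and not OpenSSL's or any log's code) implements the RFC 6962 leaf and node hashing, builds the log's side of an inclusion proof, and verifies such a proof the way a client or auditor would, using the verification procedure from RFC 9162. The log entries are constructed byte strings standing in for serialised certificates.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: domain-separated with a 0x00 prefix."""
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: 0x01 prefix so leaves cannot masquerade as nodes."""
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries) -> bytes:
    """Merkle Tree Hash MTH(D[n]) over the list of entries."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_path(m: int, entries) -> list:
    """Log side: audit path PATH(m, D[n]) for the entry at index m."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, leaf_index: int, tree_size: int, path: list, root: bytes) -> bool:
    """Client/auditor side: recompute the root from the leaf and the audit path
    (RFC 9162 section 2.1.3.2) and compare it with the root the log signed."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:                        # more path elements than the tree can have
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)            # p is our left sibling
            if not fn & 1:                 # we were the unpaired rightmost node at this level
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)            # p is our right sibling
        fn >>= 1
        sn >>= 1
    return sn == 0 and hashlib.sha256(r).digest() == hashlib.sha256(root).digest()


if __name__ == "__main__":
    log = [b"constructed-cert-%d" % i for i in range(7)]   # stand-ins for log entries
    head = tree_head(log)
    proof = inclusion_path(5, log)
    print("root:", head.hex())
    print("entry 5 included:", verify_inclusion(log[5], 5, len(log), proof, head))
```

Note that the proof for an entry depends on the tree size it was issued against, so an auditor must keep the signed tree head it verified against; comparing two signed heads from the same log requires the separate consistency proof from the same RFCs, which this example does not cover.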

Further Information

At Deploy360, we encourage the use of TLS, DNSSEC and DANE. Please take a look at our Start Here page to understand how you can get started with these technologies.
