Deploy360 7 September 2016

OpenSSL 1.1.0 released

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

Catching up on developments from last week, it’s worth mentioning that version 1.1.0 of OpenSSL was released on 25 August 2016. As well as removing the code for deprecated protocols such as SSLv2 and dropping weak algorithms from the default build, this release is notable for adding support for DANE (DNS-based Authentication of Named Entities) and Certificate Transparency.

OpenSSL is an open-source software library maintained by the OpenSSL Software Foundation and, by some estimates, used by over two-thirds of all web servers. The core library implements the cryptographic primitives and the TLS protocol in C; bindings for other programming languages are provided by third-party wrappers. There are versions available for Windows, MacOS, Linux and other Unix-like operating systems, as well as OpenVMS and System i.

With DANE, a domain administrator publishes TLSA records in a DNSSEC-signed zone. A TLSA record, stored under a name such as _443._tcp.example.com, binds a TLS certificate or public key (or, more commonly, a SHA-256 or SHA-512 hash of one) to that service, and the DNSSEC signatures let a client verify that the binding really comes from the zone owner. The client then checks the certificate presented in the TLS handshake against the record, so far less trust needs to be placed in third-party Certificate Authorities (CAs), which have in the past accidentally or fraudulently issued incorrect certificates. DANE can be used for applications other than web servers (we previously highlighted how to use it with mail servers), so having support in OpenSSL is extremely important for its widespread deployment. One caveat for developers: OpenSSL 1.1.0 does not perform DNS lookups itself. The application must obtain the TLSA records through a DNSSEC-validating resolver and hand them to OpenSSL via the new DANE API (SSL_CTX_dane_enable, SSL_dane_enable and SSL_dane_tlsa_add); OpenSSL then does the matching during certificate verification.
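To make the TLSA matching concrete, here is an added example (not code from the original post or from the OpenSSL project) that computes and checks TLSA matching data using only the Python standard library. It walks the DER structure of a certificate to pull out the SubjectPublicKeyInfo (selector 1), hashes it according to the matching type, and compares the result with a record in the usual "usage selector matching-type hex" presentation form. The certificate it operates on is a constructed, unsigned certificate-shaped DER blob, so the structure is realistic but the key and signature are toys; the function and constant names are the example's own.

```python
"""Build and check DANE TLSA records for a DER certificate (added example, stdlib only)."""
import hashlib

# ---- minimal DER encoding helpers (used only to build the constructed sample) ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def der_uint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)   # keep INTEGER positive

# ---- minimal DER decoding ----
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, end_offset) for the TLV at pos; short and long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    """Split a constructed body into a list of (tag, full_tlv_bytes)."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an RFC 5280 Certificate."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs_body, _ = read_tlv(cert_body)       # tbsCertificate is the first element
    fields = children(tbs_body)
    # version is [0] EXPLICIT OPTIONAL; when it is absent every field shifts down by one
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][1]

# ---- TLSA (RFC 6698) matching ----
def tlsa_matching_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    if selector == 0:
        data = cert_der                        # full certificate
    elif selector == 1:
        data = extract_spki(cert_der)          # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    if matching_type == 0:
        return data                            # exact match, no hashing
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %d" % matching_type)

def make_tlsa_record(cert_der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Presentation-format rdata, default 3 1 1 (DANE-EE, SPKI, SHA-256)."""
    return "%d %d %d %s" % (usage, selector, matching_type,
                            tlsa_matching_data(cert_der, selector, matching_type).hex())

def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    usage, selector, matching_type, hexdata = rdata.split(None, 3)
    if int(usage) not in (0, 1, 2, 3):
        raise ValueError("unknown TLSA certificate usage %s" % usage)
    expected = bytes.fromhex(hexdata.replace(" ", ""))
    return tlsa_matching_data(cert_der, int(selector), int(matching_type)) == expected

# ---- constructed sample certificate (toy key, dummy signature; structure only) ----
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")       # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3
TOY_MODULUS = (1 << 255) | 0x10001                          # not a real RSA modulus

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    alg = seq(tlv(0x06, OID_RSA_ENCRYPTION), b"\x05\x00")
    key = seq(der_uint(modulus), der_uint(exponent))
    return seq(alg, tlv(0x03, b"\x00" + key))              # BIT STRING, 0 unused bits

def sample_certificate(spki: bytes) -> bytes:
    name = seq(tlv(0x31, seq(tlv(0x06, OID_COMMON_NAME), tlv(0x0C, b"example.com"))))
    sig_alg = seq(tlv(0x06, OID_SHA256_RSA), b"\x05\x00")
    validity = seq(tlv(0x17, b"160907000000Z"), tlv(0x17, b"170907000000Z"))
    tbs = seq(tlv(0xA0, der_uint(2)), der_uint(1), sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(32)))  # signature is all zeros

if __name__ == "__main__":
    cert = sample_certificate(rsa_spki(TOY_MODULUS))
    record = make_tlsa_record(cert)
    print("_443._tcp.example.com. IN TLSA", record)
    print("matches:", tlsa_matches(record, cert))
```

With a real certificate the equivalent "3 1 1" digest is what you get from `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, and OpenSSL 1.1.0's s_client can be told to verify a server against such a record with `-dane_tlsa_domain` and `-dane_tlsa_rrdata`. Remember that the DNS lookup and DNSSEC validation happen outside OpenSSL; a record accepted from an unvalidated response is worth nothing.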

Certificate Transparency is an Experimental IETF standard (RFC 6962) for publicly logging issued certificates so that they can be monitored and audited. Certificates are submitted to append-only public logs built on Merkle hash trees; a log accepts a certificate only if it has a valid chain to a root the log trusts, and returns a Signed Certificate Timestamp (SCT) that the server can present to clients as evidence that the certificate has been logged. Monitors watch the logs for certificates issued for the domains they care about and can so detect mistakenly or maliciously issued ones, whilst auditors (possibly built into clients) verify that SCTs correspond to entries really in the log and that successive versions of a log are consistent, i.e. nothing has been removed or rewritten; comparing the views of a log seen from different vantage points catches a log that shows different trees to different parties. OpenSSL 1.1.0 adds client-side SCT validation (enabled with SSL_CTX_enable_ct and a log list file, or `-ct` on s_client).
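The auditing described above rests on the Merkle tree construction of RFC 6962. The following added example (not code from the original post or from any CT log implementation) implements the RFC 6962 leaf and node hashing, computes the tree head over a list of log entries, builds an inclusion (audit) path for one entry, and verifies that path the way an auditor checks that an SCT really corresponds to a logged certificate. The log entries are constructed byte strings standing in for DER certificates; the function names are the example's own. Consistency proofs between two tree sizes use the same hashing and are not shown.

```python
"""RFC 6962 Merkle tree hashing and inclusion-proof verification (added example)."""
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    """MTH({d}) = SHA-256(0x00 || d); the 0x00 prefix separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2), per RFC 6962 section 2.1."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries) -> bytes:
    """Merkle Tree Hash of the whole entry list (the root in a Signed Tree Head)."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_path(index: int, entries) -> list:
    """Audit path for entries[index], ordered from the leaf's sibling up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_path(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(index - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int, path: list, root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path (algorithm of RFC 9162 2.1.3.2,
    which makes RFC 6962's description precise) and compare with the published root."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False                       # path is longer than the tree allows
        if fn & 1 or fn == sn:
            r = node_hash(p, r)                # we are a right child: sibling on the left
            while fn != 0 and fn & 1 == 0:     # skip levels where the right subtree is empty
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)                # we are a left child: sibling on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root               # path must consume the whole tree height

def sample_entries(n: int) -> list:
    """Constructed stand-ins for logged certificates."""
    return [b"certificate-%d" % i for i in range(n)]

def audit_entry(entries, index: int) -> bool:
    """What an auditor does: fetch the tree head and an audit path, then verify."""
    root = tree_hash(entries)
    return verify_inclusion(entries[index], index, len(entries), inclusion_path(index, entries), root)

if __name__ == "__main__":
    log = sample_entries(7)
    print("tree head:", tree_hash(log).hex())
    print("entry 5 included:", audit_entry(log, 5))
    forged = list(log)
    forged[5] = b"forged-certificate"
    print("forged entry passes with honest path:", verify_inclusion(
        forged[5], 5, 7, inclusion_path(5, log), tree_hash(log)))
```

The verification deliberately checks that `sn` reaches zero: a path that is too short or too long for the claimed tree size is rejected even if the intermediate hashes happen to chain. Because leaf hashes are domain-separated from node hashes with the 0x00/0x01 prefix, an attacker cannot present an interior node as though it were a logged certificate.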

Further Information

At Deploy360, we encourage the use of TLS, DNSSEC and DANE. Please take a look at our Start Here page to understand how you can get started with these technologies.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
