OpenSSL 1.0.1 updates are here

Started by Gregg, March 16, 2012, 01:21:14 AM

Gregg

OpenSSL 1.0.1 was released yesterday (US time) and we have updates here for both Apache 2.2.22 and 2.4.1.

The major change for us is support for TLS 1.1 & 1.2, so you can use a 256-bit cipher without the worry of the BEAST attack. I ran Qualys SSL Test against my server and both TLS 1.1 & 1.2 were listed as available, and my TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher showed up as well. BEAST attack: Not vulnerable. Now it's a matter of the browsers catching up; I still have RC4-SHA as the second cipher allowed since it is not vulnerable to the BEAST.

One thing is, we have had more downloads of non-SNI builds of Apache 2.2.x than SNI-enabled ones. It is for that reason we continue to supply SNI-disabled builds over some objections. I feel, why throw out our golden goose? The problem, however, is that it is impossible at this time to disable SNI support in 1.0.1; I gave it a gallant try. If I use them fixing the minor problem building 1.0.0 with SNI disabled as an indicator, it will never happen in 1.0.1. So those of you that have not wanted it, it's the new thing and you will be getting it. Just because it is there does not mean you have to use it.

Change Log