OpenSSL 3.0.0 arrives with many major changes and improvements

After three years of development and 19 test versions, the release of the new version OpenSSL 3.0.0 was recently announced. It includes more than 7500 changes contributed by 350 developers, and it also represents a significant change in the version number, which is due to the transition to traditional numbering.

From now on, the first number (Major) in the version number will change only when compatibility is broken at the API/ABI level, and the second (Minor) when functionality is added without changing the API/ABI. Corrective updates will ship with a change to the third number (patch). The number 3.0.0 was chosen immediately after 1.1.1 to avoid collisions with the FIPS module under development for OpenSSL, which was numbered 2.x.

The second major change for the project is the transition from a dual license (OpenSSL and SSLeay) to the Apache 2.0 license. The original OpenSSL license used previously was based on the legacy Apache 1.0 license and required an explicit mention of OpenSSL in advertising materials when using the OpenSSL libraries, as well as a special notice if OpenSSL was shipped with the product.

These requirements made the previous license incompatible with the GPL, which made it difficult to use OpenSSL in GPL-licensed projects. To work around this incompatibility, GPL projects were forced to apply specific license agreements, in which the main GPL text was supplemented with a clause that allows the application to link to the OpenSSL library and states that the GPL does not apply to linking with OpenSSL.

What's new in OpenSSL 3.0.0

Among the new features introduced in OpenSSL 3.0.0 is a new FIPS module, which includes implementations of cryptographic algorithms that comply with the FIPS 140-2 security standard (the certification process for the module is scheduled to start this month, and FIPS 140-2 certification is expected next year). The new module is much easier to use, and connecting it to many applications will be no harder than changing a configuration file. By default, FIPS is disabled and requires the enable-fips option to be enabled.

In libcrypto, the concept of pluggable providers has been implemented, replacing the concept of engines (the ENGINE API has been deprecated). With the help of providers, you can add your own algorithm implementations for operations such as encryption, decryption, key generation, MAC calculation, and the creation and verification of digital signatures.

Also highlighted is the added support for CMP, which can be used to request certificates from a CA server, renew certificates, and revoke certificates. Working with CMP is done through the new openssl-cmp utility, which also implements support for the CRMF format and for sending requests over HTTP/HTTPS.

In addition, a new programming interface for key derivation has been proposed: EVP_KDF (Key Derivation Function API), which simplifies the addition of new KDF and PRF implementations. The old EVP_PKEY API, through which the scrypt, TLS1 PRF and HKDF algorithms were available, has been redesigned as an intermediate layer implemented on top of the EVP_KDF and EVP_MAC APIs.

And the TLS protocol implementation provides the ability to use the TLS client and server built into the Linux kernel to speed up operations. To enable the TLS implementation provided by the Linux kernel, the "SSL_OP_ENABLE_KTLS" option or the "enable-ktls" setting must be enabled.

On the other hand, it is mentioned that a significant part of the API has been moved to the deprecated category: using deprecated calls in project code will produce warnings at compile time. The low-level API tied to specific algorithms has been officially declared obsolete.

Official support in OpenSSL 3.0.0 is provided only for the high-level EVP APIs, which are abstracted from specific types of algorithms (this API includes, for example, the EVP_EncryptInit_ex, EVP_EncryptUpdate, and EVP_EncryptFinal functions). The deprecated APIs will be removed in one of the next major releases. Implementations of legacy algorithms, such as MD2 and DES, which are available through the EVP API, have been moved to a separate "legacy" module, which is disabled by default.
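The provider model and the off-by-default "legacy" module described above are controlled from the OpenSSL configuration file. The following openssl.cnf fragment is an added example, not taken from the original article or from the OpenSSL project; the section names are arbitrary labels chosen for illustration.

```ini
# Constructed openssl.cnf fragment (added example, not from the article).
# Section names (openssl_init, provider_sect, ...) are arbitrary labels.

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider is listed explicitly, the default provider is no longer
# loaded implicitly, so it has to be activated here as well.
default = default_sect
# Leave the next line commented out unless an application still needs
# legacy algorithms such as MD2 or DES; uncommenting it re-exposes them
# through the EVP API for every program that reads this file.
# legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Running `openssl list -providers` afterwards shows which providers are actually active, which is a quick way to confirm that the legacy module has not been switched on system-wide by accident.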

Finally, if you are interested in learning more about it, you can check the details at the following link.

