openssl / web Goto Github PK

inc/head.shtml, which is included by just about every file on the site, has these lines

<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script>!window.jQuery && document.write(unescape('%3Cscript src="./inc/libs/jquery-3.5.1.min.js"%3E%3C/script%3E'))</script>

You should replace them with this single line:

<script src="/inc/libs/jquery-3.5.1.min.js"></script>

This will use the cached script and not go to a central site to download a file that is, well, already on your site. :)

ping @levitte

Should we have a FAQ about the opaque data structure stuff?

Currently, the old policies (as web pages) coexist with the new policies in the general and technical policies repos.
This needs to be rectified.

Hi,

ten days ago I added OpenSSL 3.0.0-alpha14 to CPython's pre-commit CI. Our CI just broke because
https://www.openssl.org/source/openssl-3.0.0-alpha14.tar.gz has been deleted and GH purged our build caches. I haven't had time to update Python 3.8 and 3.9 feature branches.

Please keep older alphas around for a little while longer.

Thanks!

Update sponsors page to list current sponsors and sync the donations and acks page to better match reality.
sponsors.diff.txt

According to https://datatracker.ietf.org/doc/draft-foudil-securitytxt/?include_text=1 a few changes need to be made to the security.txt This is currently in the .well-known directory. If changed, it will have to be re-signed.

Contact: mailto:[email protected]
Contact: https://www.openssl.org/community/#securityreports
Canonical: https://www.openssl.org/.well-known/security.txt
Encryption: https://www.openssl.org/news/openssl-security.asc
Acknowledgement: https://www.openssl.org/news/vulnerabilities.html
Policy: https://www.openssl.org/policies/secpolicy.html
Signature: https://www.openssl.org/.well-known/security.txt.asc

I am not making a PR since I can't re-sign the document. :)

According to 4.1 , perhaps a redirect-permanent from /security.txt to the well-known version is worthwhile as well.

This affects the "source" part of the website. From a posting to CFRG, https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/:

I can confirm that I have abandoned all OCB patents
and placed into the public domain all OCB-related IP of mine.
While I have been telling people this for quite some time, I don't
think I ever made a proper announcement to the CFRG or on the
OCB webpage. Consider that done.

I hope people will use the scheme to do positive things.

phil

If should probably mention that the 1.0.2 FOM is based an and unsupported release, and that 3.0 will have an integrated crypto module, and perhaps little else about 1.0.2

The sitemap.txt file includes mention of roadmap.html and roadmap_2015-2016.html under policies, neither of which exists. The sitemap is available from the website at the bottom of the pages.

All the entries in the sitemap should be verified I suspect.

During submission of the first chunks of our CMP contribution I learned that there are some (implicit) coding-style rules that are not (yet) part of the official coding guideline at https://www.openssl.org/policies/codingstyle.html. In particular:

• in multi-line Boolean expressions, any && and || operators should not be given at the end of lines but at the beginning of the following line, with and extra indentation of 4 spaces.

Are there further such implicit rules to be followed?
Please update that Coding Style document accordingly.

Meanwhile we found that there is automated tool support for (re-)indenting source files:
the indent configuration file util\indent.pro, which is used by the util/openssl-format-source script.

Apparently this tool has not been used on many of the OpenSSL source files.
It this tool recommended to use, at least for new source files?

If so, also util\indent.pro should be updated to reflect all coding style rules, also those that are so far implicit.
In particular, the above rule on && and || is not reflected there. Would it be possible to state it as an indent rule, and if so, how to do it?

Moved from openssl/openssl#2264

bin/mk-sitemap needs to be modified to allow exclusions of some well chosen patterns.
Those patterns should be possible to give through a make variable. to allow the process that builds our web site to exclude things that are local to that build process.

The source archive https://www.openssl.org/source/old should list versions from new to old.

Originally posted by @mspncp in #231 (comment)

Hi,

I’m trying to use the “OpenSSLBitcode” framework from Cocoapods,
I’ve been using OpenSSL-Universal for a while, but I now require Bitcode support for may app.
When I run “pod install” I get a "404 Not Found” error back as follows:

  $ pod install
  Analyzing dependencies
  Downloading dependencies
  Installing OpenSSLBitcode (1.0.217)

  [!] Error installing OpenSSLBitcode
  [!] /opt/local/bin/curl -f -L -o /var/folders/2z/lt84ktj14c107snw07w_6jz80000gn/T/d20200410-10182-rzp56r/file.tgz https://openssl.org/source/openssl-1.0.2q.tar.gz --create-dirs --netrc-optional --retry 2

    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   338  100   338    0     0    338      0  0:00:01 --:--:--  0:00:01  1522
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (22) The requested URL returned error: 404 Not Found

My Podfile contains the following fragment:

  target ‘MyTargetApp' do
    pod 'OpenSSLBitcode'
  end

Am I doing something wrong, or is this a problem at your end?

Thanks in advance.

This two links below have <link rel="canonical" href="https://www.openssl.org/">, rather than the actual URL.
https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
https://www.openssl.org/docs/OpenSSL300Design.html

openssl/openssl#11914 added "Fully Pluggable TLSv1.3 Key Exchange" to libssl

@mattcaswell this seems like quite a significant new feature for libssl (I am pretty excited about it and its potential!): should we add a CHANGES and a NEWS entry for it?

Yes - it should have that. I'd actually like to blog about it at some point with some kind of tutorial type approach to explain how to use it.

Originally posted by @mattcaswell in openssl/openssl#11914 (comment)

This is a reminder for @mattcaswell , further down when we are approaching the release, as it is a great idea!

Something is wrong with formatting here: https://www.openssl.org/news/openssl-1.1.1-notes.inc that is affecting the HTML version: https://www.openssl.org/news/openssl-1.1.1-notes.html
The text version has the updates correctly appearing in the 1.1.0 notes file: https://www.openssl.org/news/cl110.txt

I'm not sure how to submit a pull request for this problem because the source files do not appear to be in this repository.

For instance, consider:

https://www.openssl.org/blog/blog/2016/10/24/f2f-roadmap/

On the right hand side, "Recent Posts" starts with "OpenSSL and Threads", which is currently the most recent blog entry. Thus, the navigation works exactly as expected.

In contrast, please consider:

https://www.openssl.org/blog/blog/2017/02/13/bylaws/

On the right hand side, "Recent Posts" starts with "Project Bylaws", which is no longer the most recent entry.

In complete analogy, please contrast:

https://www.openssl.org/blog/blog/2016/07/20/fips/

with:

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

I see that on a pull request we cross build for various platforms. I'm wondering if any of those qualify for our primary or secondary platform list. That all seem to be using Ubuntu.

I have access to all official ports of Debian and am willing to support them. That's currently: amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el and s390x. I most likely have access or can get access to all unofficial ports too.

https://www.openssl.org/docs/manmaster/ leads to a broken page at the moment.

  | Name | Last modified | Size | Description
-- | -- | -- | -- | --

  | Parent Directory |   | - |  
  | man1/ | 2020-09-26 12:05 | - |  
  | man3/ | 2020-09-26 12:05 | - |  
  | man5/ | 2020-09-26 12:05 | - |  
  | man7/ | 2020-09-26 12:05 | - |  

Links like https://www.openssl.org/docs/manmaster/man3/SSL_read.html leads to

Page Not Found
Sorry, but the link you gave does not exist.

To get the latest news about OpenSSL, download the source, and so on, please see the sidebar or the buttons at the top of every page. For more information about the team and community around the project, or to start making your own contributions, start with the community page.

You are here: Home
Sitemap

https://www.openssl.org/docs/man1.1.1/ works fine.

https://www.openssl.org/source/mirror.html
AT ftp://gd.tuwien.ac.at/infosys/security/openssl/, CA http://openssl.skazkaforyou.com/ are no longer available. I found two unavailable mirror sites.

https://www.openssl.org/docs/faq.html#toc

In the following sentence:
"You can finder pointers to binary distributions in https://www.openssl.org/community/binaries.html . "

s/finder/find

How manual is the process of updating the website? Are there any pain points that can be automated? Roughly how often does it occur?

While doing a larger OpenSSL usability study, we found out that many online man pages that are linked from relevant Stack Overflow threads are inaccessible, since they miss a redirect (which is a pity!).

Specifically, many pages link to commands in this way:

• https://www.openssl.org/docs/apps/rsa.html

which has a redirect for

• https://www.openssl.org/docs/manmaster/apps/rsa.html

However, in the manmaster section, the subsections are no longer apps/ssl/crypto but man1/man3/man5/man7.

Sure, it may not seem that important, but half of the man page links from various internet tutorials our participants (~70 people) wanted to use got them a 404 on OpenSSL pages. Fixing would only require a handful of redirects.

These rewrites would be needed (order matters, since the structure changed):

Of the overview manuals (man7), I couldn't find the counterparts of Ed25519.html, RSA-PSS.html, X25519.html and ossl_store.html, but I suspect these were newly written when moving to the manX system.

Another possibility is to redirect things like /docs/apps/rsa.html to a particular version of OpenSSL (e.g. /docs/man1.1.0/apps/rsa.html). This would now require the apps/ssl/crypto to manX translation, but I think it would be unwise to bind on a particular API version.

Because our web production is divided into multiple directories (/docs and /blog are separated from the rest of our web), it should be available as a script separated from openssl/web.git, and should also be made to handle two extra arguments:

• the base directory (currently hard-coded to /var/www/openssl, which misses out on anything /docs or /blog)
• the corresponding base URL

We have .well-known/security.txt in git and it's even in /var/www but it appears as a 404 at https://openssl.org/.well-known/security.txt even before Akamai. I don't have access to the Apache logs to figure out why.

See openssl/openssl#2282

https://www.openssl.org/news/changelog.html

Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

1.1.1c and d are missing, and the timestamps are missing.

Hello OpenSSL folks,

While navigating through old content I found that the certificate for rt.openssl.org expired almost a month ago.

Issued On	Friday, January 1, 2021 at 10:37:23 PM
Expires On	Thursday, April 1, 2021 at 11:37:23 PM

I appreciate if you could take a look at it.

Thanks

This page

https://www.openssl.org/news/changelog.html

contains this text

"This is the changelog for the master branch, the one that is currently
in active development. The plain-text / markdown version of this
document is available here:"

and a link to:

https://www.openssl.org/news/changelog.md

However, the 'changelog.md' page returns a "Page Not Found."

https://www.openssl.org/docs/standards.html page still refers to RFC 2898 for version 2.0.

Clearly not critical but worth updating.

If you go to the FIPS wiki page it states that a new FIPS module will be available with the OpenSSL 1.1 series . However, this is most definitely not the case, as the OpenSSL project has stated that the new FIPS module will instead be usable only with OpenSSL 3.0 and later.

A new validation effort is to develop and validate a new open source based cryptographic module was announced in July 2016[5]. This new module will be usable with OpenSSL release 1.1. It will provisionally be called OpenSSL FIPS Object Module 3.0. 

For example, there's no mention of TLS 1.3, and I believe there are a few other ones missing as well. We might want to mentioned SM2, SM3, SM4, ...

Matt reported: We also need to fix the script so that it doesn't leave trailing whitespace at the end of a line. MITRE seem to strip it before they merge our changes. So if you then later regen the json for
some minor update it shows loads of changes...

In the paragraph committers.html, L92ff there are email links to [email protected] and [email protected]. Are these still correct? I don't know whether openssl-team still exists, but openssl-dev was certainly abandoned. Which are the correct replacements? openssl-project is not open to other OpenSSL contributors.

Also the github handles @openssl/team and @openssl/dev seem to be outdated.

Don't just link to the github repo - render the markdown for the policies on the website.

Matt reported:

bin/vulnxml2json.py -i news/vulnerabilities.xml -c CVE-2019-1551
Traceback (most recent call last):
  File "bin/vulnxml2json.py", line 42, in <module>
    response = urllib.urlopen(options.schema)
  File "/usr/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib/python2.7/urllib.py", line 215, in open
    return getattr(self, name)(url)
  File "/usr/lib/python2.7/urllib.py", line 445, in open_https
    h.endheaders(data)
  File "/usr/lib/python2.7/httplib.py", line 1065, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 892, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 854, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1290, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:727)

This is on Ubuntu with an up to date CA-certs file. The workaround is to download the schema manually and add it to the command line, the script should catch this error and give the details on how to do that

The downloads page at https://www.openssl.org/source/ says:

PGP keys for the signatures are available from the  OMC page. Current members that sign releases include Richard Levitte, Stephen Henson and Matt Caswell.

However, there is no listing for Stephen Henson on the OMC page at https://www.openssl.org/community/omc.html. I'm guessing he no longer signs releases.

As discussed in openssl/openssl#18015:

The URL of the coding guidelines recently changed
from https://www.openssl.org/policies/codingstyle.htm
https://www.openssl.org/policies/codingstyle.html
to https://www.openssl.org/policies/technical/coding-style.html.

Many search engines and likely also various external web pages still point to the old location.
So some forward pointer, ideally an automatic redirect or rewrite rule should be placed there.

It would be very appreciated if you would provide an easy to find direct link to the release-notes from the page with the downloads, to the changelog/release-notes for that particular release. Perhaps right next to the download link?

When opening the website in mobile devices (like iPhone6 plus or other devices that have got even smaller screen sizes), the heading looks too large and makes itself overflow the screen width. Decrease heading font size maybe a good option.

The manual 'index' pages such as https://www.openssl.org/docs/man1.1.1/man1/, just do the equivalent of a directory listing, showing filename and meta-data. As suggested by Jakob Bohm on the openssl-users mailing list:

Consider at least including the one-line manpage summaries on the index
pages (the ones displayed by the apropos command on POSIX systems).

We get asked how to enable weak ciphers. The FAQ should talk about the compiling flags and the @SECLEVEL thing.

Navigating to this page there are no links to old 3.0 alpha releases:
https://www.openssl.org/source/old/

However, the releases do exist if you happen to know the right location:
https://www.openssl.org/source/old/3.0/

This repo currently has none 😢

(from openssl/openssl#6803)

The very first CSS rule in /inc/screen.css has the style font: inherit. This suppresses the effect of all B<> perldoc tags that we insert painstakingly into the man pages' source.

In the latest blog entry, there are several links that are probably not rendered as intended, for example:

• "[crypto/th-lock.c][https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/threads/th-lock.c]"
• "[crypto/threads_win.c][https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/threads_win.c#L25]"
• "[test/crltest.c][https://github.com/richsalz/openssl/blob/master/test/crltest.c#L284]"

to name only a few of these fragments, cited verbatim.

In addition to GOST, there's also a TPM engine available at https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/

https://www.openssl.org is up though. The reason why I'd like to submit this issue is that some of my dependencies in an iOS project point at openssl.org without www.

Is this an issue or should I start transitioning my dependencies (cocoapods) towards www domain name? :)