#openssl

3 posts, 3 participants, 0 posts today

So, it turns out that almost 1/3 of the contents of an openssl private key is made up of pre-calculated CRT params that are only necessary for performance and have nothing to do with security. Very interestingly, we can corrupt all of that and still have cryptographic operations running well with the corrupted private key PEM data in openssl. #openssl
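As an added illustration (my code, not the poster's): a pure-Python model of the eight integers a PKCS#1 RSAPrivateKey carries, showing that dp, dq and qinv are derived from d, p and q, why they account for roughly a third of the key's bits, and how a verify-and-fall-back private operation (the defensive pattern OpenSSL's RSA code applies, reconstructed here rather than copied) keeps producing correct results when those CRT fields are garbage. The two primes are constructed toy Mersenne primes, far too small for real use, and the field names follow PKCS#1 rather than any OpenSSL API.

```python
"""RSA private key contents: which fields are security-critical, which are
only a CRT speed-up, and how a consistency check tolerates corrupted CRT
fields. Added example, not code from the original post."""
from __future__ import annotations

from dataclasses import dataclass
from math import gcd

# Constructed toy primes (Mersenne primes 2^89-1 and 2^107-1): fast to run,
# far too small for any real key.
TOY_P = (1 << 89) - 1
TOY_Q = (1 << 107) - 1
TOY_E = 65537


@dataclass(frozen=True)
class RsaPrivateKey:
    """The eight integers of a PKCS#1 RSAPrivateKey structure."""
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int    # d mod (p-1): CRT exponent 1, derivable from d and p
    dq: int    # d mod (q-1): CRT exponent 2, derivable from d and q
    qinv: int  # q^-1 mod p: CRT coefficient, derivable from p and q


def make_key(p: int, q: int, e: int) -> RsaPrivateKey:
    """Derive every field from (p, q, e); the CRT fields carry no new secret."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return RsaPrivateKey(n=p * q, e=e, d=d, p=p, q=q,
                         dp=d % (p - 1), dq=d % (q - 1), qinv=pow(q, -1, p))


def crt_share_of_key_bits(key: RsaPrivateKey) -> float:
    """Fraction of the key's integer content taken up by dp, dq and qinv."""
    fields = (key.n, key.e, key.d, key.p, key.q, key.dp, key.dq, key.qinv)
    crt = (key.dp, key.dq, key.qinv)
    return sum(x.bit_length() for x in crt) / sum(x.bit_length() for x in fields)


def private_op_plain(key: RsaPrivateKey, c: int) -> int:
    """Straight m = c^d mod n; needs only n and d."""
    return pow(c, key.d, key.n)


def private_op_crt(key: RsaPrivateKey, c: int) -> int:
    """Garner's recombination with the precomputed CRT fields: two half-size
    exponentiations instead of one full-size one. Trusts dp/dq/qinv blindly."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q


def private_op_checked(key: RsaPrivateKey, c: int) -> tuple[int, bool]:
    """Fast path with verification: compute via CRT, re-encrypt with the public
    exponent, and fall back to the plain exponentiation if it does not round
    trip. Handing out an unverified wrong CRT result would leak the factors
    (Bellcore/Lenstra fault attack). Returns (m, crt_result_was_trusted)."""
    m = private_op_crt(key, c)
    if pow(m, key.e, key.n) == c % key.n:
        return m, True
    return private_op_plain(key, c), False


def corrupt_crt_fields(key: RsaPrivateKey) -> RsaPrivateKey:
    """Same key with dp, dq and qinv damaged; n, e, d, p, q untouched."""
    return RsaPrivateKey(n=key.n, e=key.e, d=key.d, p=key.p, q=key.q,
                         dp=key.dp ^ 0x5A5A5A5A,
                         dq=key.dq ^ 0x3C3C3C3C,
                         qinv=key.qinv ^ 0xF0F0F0F0)


def demo() -> dict[str, object]:
    key = make_key(TOY_P, TOY_Q, TOY_E)
    m = int.from_bytes(b"hello", "big")      # constructed message
    c = pow(m, key.e, key.n)
    bad = corrupt_crt_fields(key)
    return {
        "crt_share": crt_share_of_key_bits(key),             # about 0.32
        "good_crt_ok": private_op_crt(key, c) == m,          # True
        "bad_crt_ok": private_op_crt(bad, c) == m,           # False: raw CRT is wrong
        "bad_plain_ok": private_op_plain(bad, c) == m,       # True: d still fine
        "bad_checked": private_op_checked(bad, c) == (m, False),  # True: fallback
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The share comes out near a third because n and d are full-size, p and q half-size, and the three CRT fields are each half-size, so they contribute 3 of roughly 9 half-size units. The practical caveat is the checked function: a raw CRT implementation that skips the round-trip check and returns the miscalculated result is exactly what a fault-injection attacker wants, so tolerance of corrupted CRT fields and the fault countermeasure are the same piece of code.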

🚀 [Released] zen.nginx – NGINX Docker image with OpenSSL 3.3.4 + post-quantum Falcon/OQS support, based on Alpine.

🔐 Features:
* NGINX 1.29.x+
* OpenSSL 3.3.4 with oqs-provider (Falcon512/1024)
* Built for strict mTLS and Zero Trust
* Minimal, ready for production use

🛠️ Try it:
github.com/zenthracore/zen.ngi
hub.docker.com/r/zenthracore/z

Open for feedback & contributions!

@cloudflare 🥳
#docker #nginx #openssl #pqc #falcon #linux #devops #security #opensource


🚀 First working Redis with post-quantum mTLS using Falcon (NIST finalist) — running in a hardened Alpine container with OpenSSL 3.3.4 + oqs-provider.
⚙️ Falcon keys + certs generated inside the image, Redis launched via --tls-port, and PONGs confirmed via PQ mTLS.

📦 GitHub: github.com/zenthracore/zen.red
🐳 Docker: hub.docker.com/r/zenthracore/z

💡 This might be the first public Redis instance running on PQ crypto.

#PQC #Falcon #Redis

@nilz I was already afraid the podcast would pick up these prejudices. Such solo developers do exist, but they are not the majority. OSS is big business; what is sometimes problematic are small projects that are actually important but get too little maintenance, see also #OpenSSL. Those small projects that are not essential are not so significant or problematic when something goes wrong. Bugs exist in closed source too; that is not a distinguishing feature.

More interesting progress trying to make #swad suitable for very busy sites!

I realized that #TLS (both with #OpenSSL and #LibreSSL) is a *major* bottleneck. With TLS enabled, I couldn't cross 3000 requests per second, with somewhat acceptable response times (most below 500ms). Disabling TLS, I could really see the impact of a #lockfree queue as opposed to one protected by a #mutex. With the mutex, up to around 8000 req/s could be reached on the same hardware. And with a lockfree design, that quickly went beyond 10k req/s, but crashed. 😆

So I read some scientific papers 🙈 ... and redesigned a lot (*). And now it finally seems to work. My latest test reached a throughput of almost 25k req/s, with response times below 10ms for most requests! I really didn't expect to see *this* happen. 🤩 Maybe it could do even more, didn't try yet.

Open issue: Can I do something about TLS? There *must* be some way to make it perform at least a *bit* better...

(*) edit: Here's the design I finally used, with a much simplified "dequeue" because the queues in question are guaranteed to have only a single consumer: dl.acm.org/doi/10.1145/248052.

Prepare to poo your pants.

OpenSSL provides a few helpers to compare certificates.

X509_cmp(), which returns 0 on a match, and

EVP_PKEY_cmp(), which returns 1 on a match.

It's OK, tan-coloured landmines are safe to step on. Olive-coloured landmines will explode and you will die.

#apt-listchanges: News
---------------------

#curl (8.13.0-2) unstable; urgency=medium

The curl #CLI is now back to using #OpenSSL, instead of #GnuTLS:
HTTP/3 support is still there, compared to the GnuTLS curl CLI.
The performance of HTTP/3 on OpenSSL is not as good, but it's also not used
by default.

-- Samuel Henrique <samueloph@debian.org> Sun, 06 Apr 2025 22:13:18 +0100

#Linux #Debian 13 #Trixie news

Does anyone know how this new SSL cert expiry date thing is going to affect things like user authentication with SSL certs, i.e. for openvpn?

If we're running our own CA, can I get safari, chrome et al to accept longer cert expiry?

#Linux #SSL #OpenVPN