[openssl-users] OpenSSL version 1.0.2b released

Jakob Bohm jb-openssl at wisemo.com
Fri Jun 12 14:01:28 UTC 2015


On 11/06/2015 16:47, OpenSSL wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>     OpenSSL version 1.0.2b released
>     ===============================
>
>     OpenSSL - The Open Source toolkit for SSL/TLS
>     http://www.openssl.org/
>
>     The OpenSSL project team is pleased to announce the release of
>     version 1.0.2b of our open source toolkit for SSL/TLS. For details
>     of changes and known issues see the release notes at:
>
>          http://www.openssl.org/news/openssl-1.0.2-notes.html
>
>     OpenSSL 1.0.2b is available for download via HTTP and FTP from the
>     following master locations (you can find the various FTP mirrors under
>     http://www.openssl.org/source/mirror.html):
>
>       * http://www.openssl.org/source/
>       * ftp://ftp.openssl.org/source/
>
>     The distribution file name is:
>
>      o openssl-1.0.2b.tar.gz
>        Size: 5281009
>        MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b
>        SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7
>
>     The checksums were calculated using the following commands:
>
>      openssl md5 openssl-1.0.2b.tar.gz
>      openssl sha1 openssl-1.0.2b.tar.gz
>
>     Yours,
>
>     The OpenSSL Project Team.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> -----END PGP SIGNATURE-----
Note: Why are OpenSSL releases still signed only with
MD5 and SHA1?

Even the gpg signature of the tarball is SHA1-based.

Why isn't there also a detached S/MIME / CMS signature
for the tarballs, preferably using a code/object
signing certificate from someone like GlobalSign,
i.e. something that can be verified with the command:

old-trusted-openssl smime -verify -inform PEM -in \
openssl-1.0.2b.tar.gz.sig -binary -content \
openssl-1.0.2b.tar.gz -out /dev/null -CAfile \
/etc/ssl/certificates/foo.pem

(add option "-purpose codesign" once implemented by
the user's "old-trusted-openssl").

If old-trusted-openssl is a recent version, a similar
"old-trusted-openssl cms" command can also be used, but
verification compatibility with old copies should be maintained
for a few years (don't prevent upgrading openssl because
the user needs to upgrade openssl).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
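The verification flow the post asks for, carried through end to end as an added example (not the poster's or the OpenSSL project's own code): it creates a throwaway self-signed signing certificate, writes a detached signature over a constructed file, and checks it with both `openssl smime` and `openssl cms`. The certificate subject, file names and payload are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post or the OpenSSL project): produce the
# detached signature the post asks for with a throwaway self-signed certificate, then
# verify it with both "openssl cms" and the older "openssl smime". Names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a real code-signing certificate; it doubles as the trust anchor
# (-CAfile) below. A release team would use one chaining to a trusted CA.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=constructed release signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.pem" >/dev/null 2>&1
}

# Detached PKCS#7/CMS signature in PEM. Signing with "smime" matters for compatibility:
# "cms -sign -outform PEM" writes a "-----BEGIN CMS-----" block that "smime -verify"
# cannot parse, whereas "cms -verify" accepts the PKCS7 label. -binary leaves the
# tarball bytes untouched (no MIME line-ending canonicalisation).
sign_release() {   # $1 = file to sign   $2 = detached signature to write
  openssl smime -sign -binary -in "$1" -signer "$WORK/signer.pem" \
    -inkey "$WORK/signer.key" -outform PEM -out "$2" 2>/dev/null
}

# Verify with the current "cms" command: exit status 0 only if the signature is valid
# and the signer chains to the given CA bundle.
verify_cms() {     # $1 = file   $2 = signature   $3 = CA bundle
  openssl cms -verify -binary -inform PEM -in "$2" -content "$1" \
    -CAfile "$3" -out /dev/null >/dev/null 2>&1
}

# Same check via the older "smime" command, the form given in the post.
verify_smime() {   # $1 = file   $2 = signature   $3 = CA bundle
  openssl smime -verify -binary -inform PEM -in "$2" -content "$1" \
    -CAfile "$3" -out /dev/null >/dev/null 2>&1
}

# Demo on a constructed "tarball": sign, verify both ways, then show a tampered copy fails.
printf 'constructed release payload\n' > "$WORK/release.tar.gz"
make_signer
sign_release "$WORK/release.tar.gz" "$WORK/release.tar.gz.sig"
verify_cms   "$WORK/release.tar.gz" "$WORK/release.tar.gz.sig" "$WORK/signer.pem" || { echo "cms: FAILED"; exit 1; }
verify_smime "$WORK/release.tar.gz" "$WORK/release.tar.gz.sig" "$WORK/signer.pem" || { echo "smime: FAILED"; exit 1; }
echo "cms and smime both verified the detached signature"
cp "$WORK/release.tar.gz" "$WORK/tampered.tar.gz" && printf 'x' >> "$WORK/tampered.tar.gz"
if verify_cms "$WORK/tampered.tar.gz" "$WORK/release.tar.gz.sig" "$WORK/signer.pem"; then
  echo "tampered copy verified (unexpected)"; exit 1
fi
echo "tampered copy rejected"
```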
