<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/06/2015 16:47, OpenSSL wrote:<br>
</div>
<blockquote cite="mid:20150611144708.GA16030@openssl.org"
type="cite">
<pre wrap="">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 1.0.2b released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
<a class="moz-txt-link-freetext" href="http://www.openssl.org/">http://www.openssl.org/</a>
The OpenSSL project team is pleased to announce the release of
version 1.0.2b of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:
<a class="moz-txt-link-freetext" href="http://www.openssl.org/news/openssl-1.0.2-notes.html">http://www.openssl.org/news/openssl-1.0.2-notes.html</a>
OpenSSL 1.0.2b is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
<a class="moz-txt-link-freetext" href="http://www.openssl.org/source/mirror.html">http://www.openssl.org/source/mirror.html</a>):
* <a class="moz-txt-link-freetext" href="http://www.openssl.org/source/">http://www.openssl.org/source/</a>
* <a class="moz-txt-link-freetext" href="ftp://ftp.openssl.org/source/">ftp://ftp.openssl.org/source/</a>
The distribution file name is:
o openssl-1.0.2b.tar.gz
Size: 5281009
MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b
SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7
The checksums were calculated using the following commands:
openssl md5 openssl-1.0.2b.tar.gz
openssl sha1 openssl-1.0.2b.tar.gz
Yours,
The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVeZNdAAoJENnE0m0OYESRYscIAKrJik5qyPifnVhWRHVTUXot
NYhfl+h+ooHequRyz9ug7Wz3vdUioftuOYlX0eJBBZ+YvskVk27U9tjY+plFnRjq
vpdNKfa6bSL9rjztZObupvbCnhYRdDkcJRqLi8HfPb53UlZS/ALIbpDi1FPqIErs
Bc7D/toD0nDoQUONLVQw/aSZNWWCaACO09326K2xX/jZGEsQbhCWdlkERfO3RzRW
RBN0RnR+k8XBaqy6TRELF1vlYdHe83Dqxg1h3KBTBJ+yOFXvQblPoZO4GnkAyoNA
8EGhbzgWsjg6OIroUbnbbq50avvya/2eDmY+N3gNg5wOrYBNZlWShy91WGZ4378=
=rcRW
-----END PGP SIGNATURE-----
</pre>
</blockquote>
<tt>Note: Why are OpenSSL releases still signed only with <br>
MD5 and SHA1?</tt><tt><br>
</tt><tt><br>
</tt><tt>Even the gpg signature of the tarball is SHA1-based.</tt><br>
<tt><br>
</tt><tt>Why isn't there also a detached S/MIME / CMS signature </tt><tt><br>
</tt><tt>for the tarballs, preferably </tt><tt>using a code/object
</tt><tt><br>
</tt><tt>signing</tt><tt> certificate from someone like GlobalSign.<br>
i.e. Something that can be verified with the command:<br>
<br>
old-trusted-openssl smime -verify </tt><tt><tt>-inform PEM </tt>-in
\ <br>
openssl-1.0.2b.tar.gz.sig -binary -content \<br>
openssl-1.0.2b.tar.gz -out /dev/null -CAfile \<br>
/etc/ssl/certificates/foo.pem<br>
<br>
(add option "-purpose codesign" once implemented by <br>
the users "old-trusted-openssl").<br>
<br>
If old-trused-openssl is a recent version, a similar <br>
"old-trused-openssl cms" command can also be used, but <br>
verify compatibility with old copies should be maintained <br>
for a few years (don't prevent upgrading openssl because <br>
the users needs to upgrade openssl).<br>
</tt><br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>