[openssl-users] Why 1.0.1 AND 1.0.2 ?

Salz, Rich rsalz at akamai.com
Tue Sep 27 12:50:03 UTC 2016

(Can you change your mailer to plaintext, or at least get rid of the black-on-grey styling?)

> Reading the 1.0.2j CHANGES file, it appears that 1.0.2 was built from 1.0.1l.

That might be the time it was branched off from it.  At that point, the two releases are different.

> And my knowledge of OpenSSL is VERY VERY small.

Okay.  But you are going to have a hard time understanding changes, then.

> Looking at 1.0.1l, among the bug fixes, I've found some changes that do not look like bugfixes:

Those are security issues.  When someone publishes a paper that shows a weak DH key can be cracked in an hour, then a security toolkit must "move up" to longer keys by default.  This article might be useful: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ and the "SWEET32" article will talk about the DES changes.

> However, only the first one, in bold, appears in 1.0.1l and NOT in 1.0.2j .

No.  The entry just before "28 jan" in the CHANGES file.

> Why does OpenSSL still deliver 1.0.1* when 1.0.2* should provide the same changes plus new features?

Your confusion is thinking that "upgraded security parameters" are new features, and not security fixes.

> Because the change "dhparam: generate 2048-bit parameters by default." appears in 1.0.1[n-l] and not in 1.0.2* ???

It is.

> I need to know in order to decide if I still manage 1.0.1 compatibility in addition to delivering 1.0.2[last version].

You can do what you want :)  OpenSSL 1.0.1 becomes unsupported at the end of 2016. If you want to tell your users that you are ending support early, nobody can stop you. :)
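As an added example (not from this thread, and not OpenSSL's own code), a small Python checker for the dhparam size question discussed above: it parses a PEM "DH PARAMETERS" file and flags primes below the 2048-bit default that the Logjam work prompted. The minimal DER helpers and the constructed sample parameters are assumptions made for the demonstration; the sample p values are placeholders of the right size, not real safe primes.

```python
import base64
import re

MIN_SAFE_BITS = 2048  # the dhparam default OpenSSL moved to after Logjam

def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _der_read(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem: str) -> int:
    """Bit length of p in a 'DH PARAMETERS' block: SEQUENCE { p INTEGER, g INTEGER }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def assess(pem: str) -> str:
    bits = dh_prime_bits(pem)
    return f"{bits}-bit DH prime: " + ("ok" if bits >= MIN_SAFE_BITS else "WEAK, regenerate at 2048+ bits")

def encode_dh_params(p: int, g: int) -> str:
    """Tiny DER/PEM writer (assumption) used only to build the constructed samples below."""
    def der_int(v: int) -> bytes:
        b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
        return b"\x02" + _der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "\n-----END DH PARAMETERS-----\n"

# Constructed samples: the p values are placeholders of the right size, not real safe primes.
WEAK_PEM = encode_dh_params((1 << 1023) + 1, 2)  # 1024-bit, the old 1.0.1 default
OK_PEM = encode_dh_params((1 << 2047) + 1, 2)    # 2048-bit, the post-Logjam default
```

Running `assess()` over the dhparam files a deployment ships is a quick way to confirm which default a given build actually produced.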
