OpenSSL 3.0 vs. SSL 3.0


OpenSSL 3.0 vs. SSL 3.0

Christian Heimes
Hi,

I'm concerned about the version number of the upcoming major release of
OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0".
It took us more than a decade to teach people that SSL 3.0 is bad and
should be avoided in favor of TLS. In my humble opinion, it's
problematic and confusing to use "OpenSSL 3.0" for the next major
version of OpenSSL and first release of OpenSSL with SSL 3.0 support.

You skipped version 2.0 for technical reasons, because (IIRC) 2.0 was
used / reserved for FIPS mode. May I suggest that you also skip 3.0 for
UX reasons and call the upcoming version "OpenSSL 4.0". That way you can
avoid any confusion with SSL 3.0.

Kind regards,
Christian

Re: OpenSSL 3.0 vs. SSL 3.0

Michael Richardson

Christian Heimes <[hidden email]> wrote:
    > I'm concerned about the version number of the upcoming major release of
    > OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0".
    > It took us more than a decade to teach people that SSL 3.0 is bad and
    > should be avoided in favor of TLS. In my humble opinion, it's
    > problematic and confusing to use "OpenSSL 3.0" for the next major
    > version of OpenSSL and first release of OpenSSL with SSL 3.0 support.

You make a good point which I had not thought about, having exhumed SSLx.y
from my brain.  +5

    > You skipped version 2.0 for technical reasons, because (IIRC) 2.0 was
    > used / reserved for FIPS mode. May I suggest that you also skip 3.0 for
    > UX reasons and call the upcoming version "OpenSSL 4.0". That way you can
    > avoid any confusion with SSL 3.0.

Integers are cheap.
And 4.0 is > 3.0, so (Open)SSL 4.0.0 must be better than SSL3.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [



Re: OpenSSL 3.0 vs. SSL 3.0

Christian Heimes
On 27/02/2019 19.53, Michael Richardson wrote:

>
> Christian Heimes <[hidden email]> wrote:
>     > I'm concerned about the version number of the upcoming major release of
>     > OpenSSL. "OpenSSL 3.0" just sounds and looks way too close to "SSL 3.0".
>     > It took us more than a decade to teach people that SSL 3.0 is bad and
>     > should be avoided in favor of TLS. In my humble opinion, it's
>     > problematic and confusing to use "OpenSSL 3.0" for the next major
>     > version of OpenSSL and first release of OpenSSL with SSL 3.0 support.
>
> You make a good point which I had not thought about, having exhumed SSLx.y
> from my brain.  +5
>
>     > You skipped version 2.0 for technical reasons, because (IIRC) 2.0 was
>     > used / reserved for FIPS mode. May I suggest that you also skip 3.0 for
>     > UX reasons and call the upcoming version "OpenSSL 4.0". That way you can
>     > avoid any confusion with SSL 3.0.
>
> Integers are cheap.
> And 4.0 is > 3.0, so (Open)SSL 4.0.0 must be better than SSL3.
Thanks for your support!

I have created PR https://github.com/openssl/openssl/pull/8367 to bump
the version number to 4.0.0.

Christian



Re: OpenSSL 3.0 vs. SSL 3.0

Daniel Kahn Gillmor
In reply to this post by Christian Heimes
On Wed 2019-02-27 16:02:32 +0100, Christian Heimes wrote:
> In my humble opinion, it's problematic and confusing to use "OpenSSL
> 3.0" for the next major version of OpenSSL and first release of
> OpenSSL with SSL 3.0 support.

Sigh.  You're right, but i wish you weren't. :)

Part of the problem of course is the "SSL" in "OpenSSL" itself, which
has held back the industry from adopting the more accurate "TLS" label.
But i understand the value of the brand, and why that won't be changed
either.

fwiw, i support the suggestion to skip 3.0, and call it OpenSSL 4.0
directly.  Reducing confusion matters.

           --dkg