OpenSSL 1.0.1i offers many improvements worth upgrading. Intel in particular worked closely with OpenSSL team to drastically improve the performance when mixed with an Intel CPU. Beside the important security patches that are already applied into Enterprise Linux release, we added several new patches, including the work done by Google on elliptic ciphers.
The patents section of README file lists patents that may apply to you if you want to use OpenSSL. It is your responsibility to make sure that a specific technology can be used in your country, server or website. For information on intellectual property rights, please consult a lawyer. The AXIVO team does not offer legal advice.
OpenSSL 1.0.1i is available for Enterprise Linux 6 and 7 releases, into our repository:
All AXIVO performance RPM packages dependent on OpenSSL (i.e. MariaDB, Nginx, PHP, Sphinx, etc.) are currently compiled with the new 1.0.1i+ version. Follow the procedure listed below, in order to properly upgrade OpenSSL to latest version.
- EC (with Google 64bits optimizations), IDEA, MDC-2, SCTP and SRP enabled
- FIPS and RC5 disabled
- Robust Forward Secrecy compliance
With openssl.x86_64 RPM installed in your system, remove the openssl.i686 RPM:
Install the new OpenSSL package:
Now you can upgrade properly any AXIVO RPM that is dependent on OpenSSL 1.0.1i+ version and also enjoy an improved and more secure SSL interface between your server and the users accessing it.
Patent History and Other Restrictions
The following cipher technologies have patents that are either expired or free to use:
The following cipher technologies have patents that are valid:
- MDC-2 patent no. 4,908,861 -- expired on 03/13/2007
- IDEA patent no. 5,214,703 -- expired on 07/01/2012
- SRP patent no. 6,539,479 -- owned by Stanford U., free to use
Following the recommendations of the Standards for Efficient Cryptography Group , RFC 4492 specifies a list of 25 named curves for use in TLS, with field size ranging from 160 to 571 bits. Both OpenSSL and the Mozilla NSS library support all those curves. In addition, TLS allows peers to indicate support for unnamed prime and/or characteristic-2 curves. The OpenSSL elliptic curve library supports unnamed curves, while NSS does not.
- RC5 patent no. 5,724,428 -- expires on 11/01/2015, disabled in all AXIVO packages
- EC multiple patents -- owned by Certicom (IPR disclosure)
Benchmarks and Security
Compared to previous RSA tests, the Google optimized Ephemeral Elliptic Curve Diffie-Hellman key exchange over P-224 runs at twice the speed of standard OpenSSL, while atomic elliptic curve operations are up to 4 times faster. The implementation is immune to timing attacks.