#DEfO has completed #ECH implementation for #nginx and there is a pull request:
https://github.com/nginx/nginx/pull/840
If you want to see ECH in nginx sooner rather than later, please jump in and review, give feedback, thumbs up, etc.
Security & tooling got stronger too! #vim 9.1.1508 now supports #Wayland clipboard & new language syntax, #myrlyn 0.9.7 improves sudo env handling, and key fixes landed in bind, #sudo, php8, #OpenSSL, libxml2, git & more. #Tumbleweed #openSUSE #Linux https://news.opensuse.org/2025/08/01/tw-monthly-update-july/
@froge that's a question I'd like to ask @mozilla_support ...
AFAIK #OpenSSL doesn't ship with any certificates at all...
Some interesting vulnerabilities were patched and #apache2 has released Apache/2.4.65.
Another commit landed in #OpenSSL: https://github.com/openssl/openssl/commit/6b93db7bfd572e81fac581c5be7b0d7509febb80
This time, it's a drive-by thing inspired by @jwildeboer who's working on S/MIME X.509 certificates: the X.509 standards renamed one of the bits in the keyUsage extension from `nonRepudiation` to `contentCommitment`, and OpenSSL only understood the old name.
Slowly improving the world one commit at a time.
@rolenthedeep I guess I’m in the 1% who doesn’t care what #Apple does from a UX perspective but would prefer it did a better job keeping #libcurl, #openssl, and other core libraries up to date.
I nominate https://docs.openssl.org/3.3/man3/d2i_X509/ as #OpenSSL's worst man page. And there's fierce competition for that award.
And in the end it does not even mention the weird behavior: it stores errors in an internal queue which mysteriously makes the *next* invoked function fail...
#OpenSSL -- OpenSSL Foundation endorses UN Open Source Principles
https://openssl-foundation.org/post/2025-08-07-un-open-source-principles/?utm_source=atom_feed
From #OpenSSL -- Blog on OpenSSL Foundation
I can confirm, #openssl team doesn't just merge new features
Improving the world, one PR at a time: https://github.com/smallstep/crypto/pull/811
The next release of #smallstep step-ca will accept the old name "nonRepudiation" in the X.509v3 keyUsage extension as a UX improvement for users coming from, e.g., #OpenSSL.
Inspired by @jwildeboer: https://social.wildeboer.net/@jwildeboer/114964280013823176
This stuff is hard enough without such pitfalls, no need to make it more complicated by green bikesheds, er, naming discussions.
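The two posts above (the OpenSSL commit and the step-ca PR) are both about the same thing: `nonRepudiation` and `contentCommitment` are two names for bit 1 of the keyUsage BIT STRING in RFC 5280, so a tool only needs to treat them as aliases on input. The following is an added example, not code from OpenSSL, step-ca or the commits linked above: a dependency-free DER encoder/decoder for the keyUsage extension value that accepts either name and always reports the newer one. The bit positions and the DER rules (trailing zero bits stripped, unused-bits octet first) are from RFC 5280 and X.690; the function names are this example's own.

```python
"""Illustrative X.509 keyUsage helper (added example, not OpenSSL/step-ca code).

keyUsage (RFC 5280, 4.2.1.3) is a DER BIT STRING. Bit 1 was called
nonRepudiation in older X.509 editions and contentCommitment in newer ones;
the wire encoding is identical, only the label changed.
"""

# Bit positions from RFC 5280; canonical output uses the newer name for bit 1.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "contentCommitment",  # bit 1 (formerly nonRepudiation)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

# Old names accepted on input and mapped to the canonical name.
ALIASES = {"nonRepudiation": "contentCommitment"}


def encode_key_usage(names):
    """Return the DER BIT STRING (tag 0x03) for the given keyUsage names."""
    idxs = set()
    for n in names:
        canon = ALIASES.get(n, n)
        if canon not in KEY_USAGE_BITS:
            raise ValueError(f"unknown keyUsage bit: {n}")
        idxs.add(KEY_USAGE_BITS.index(canon))
    if not idxs:
        content = b"\x00"  # empty bit string: only the unused-bits octet
    else:
        high = max(idxs)
        nbytes = high // 8 + 1
        buf = bytearray(nbytes)
        for i in idxs:
            buf[i // 8] |= 0x80 >> (i % 8)  # bit 0 is the MSB of byte 0
        unused = nbytes * 8 - (high + 1)    # DER: trailing zero bits dropped
        content = bytes([unused]) + bytes(buf)
    return b"\x03" + bytes([len(content)]) + content


def decode_key_usage(der):
    """Parse a DER keyUsage BIT STRING and return the canonical bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:  # keyUsage is always short-form
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    if body:
        # DER strictness: padding bits must be zero and the last kept bit set.
        if body[-1] & ((1 << unused) - 1):
            raise ValueError("non-zero padding bits (not DER)")
        if not body[-1] & (1 << unused):
            raise ValueError("trailing zero bits not stripped (not DER)")
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, off = divmod(i, 8)
        if byte < len(body) and body[byte] & (0x80 >> off):
            names.append(name)
    return names


if __name__ == "__main__":
    # Constructed input: a signing-cert keyUsage spelled the old way and the new way.
    old = encode_key_usage(["digitalSignature", "nonRepudiation"])
    new = encode_key_usage(["digitalSignature", "contentCommitment"])
    print(old.hex(), new.hex(), old == new)      # 030206c0 030206c0 True
    print(decode_key_usage(old))                 # ['digitalSignature', 'contentCommitment']
    print(encode_key_usage(["keyCertSign", "cRLSign"]).hex())  # 03020106
```

The CA value `03 02 01 06` (keyCertSign + cRLSign) is the same byte sequence you see when dumping a real CA certificate's keyUsage extension, which is a quick way to confirm the encoder against `openssl asn1parse` output on your own certs.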
And for some more context: Did you know #openssl 3.x is quite poor in its performance? https://www.haproxy.com/blog/state-of-ssl-stacks
I finally tried to replace #openssl with #aws-lc on some of my services. Unfortunately, #nginx and #mosquitto lack support for it. Instead, I successfully switched #BIND to use aws-lc.
I later also noticed that the #rustls compatibility shim is in nixpkgs 25.05, but here BIND is missing some variables. And despite the wrapper being explicitly made for nginx, it also fails here with
/nix/store/mkvc0lnnpmi604rqsjdlv1pmhr638nbd-binutils-2.44/bin/ld: objs/src/stream/ngx_stream_ssl_module.o: in function `ngx_stream_ssl_servername':
/build/nginx-1.28.0/src/stream/ngx_stream_ssl_module.c:606:(.text+0xd59): undefined reference to `SSL_SESSION_get0_hostname'
A shame. I wanted to change to more modern libraries.
Untested: #dovecot and #postfix (they lack a services.(dovecot2|postfix).package variable to easily change the used package). A PR for dovecot is already open to add support for it.
Version 5.21 of the open source encryption protocol AmiSSL has been released for AmigaOS 3 and 4, which is now based on the latest version 3.5.1 (2025/07/01) of OpenSSL.
Decided to not use #libev and use #libevent instead for socket/timer/event loop/callback system. Other than I trust it more, I like the baked in #openssl support (will use for #telnet+tls later).
Additionally, going to try out sqlcipher (#sqlite3 + AES encryption baked in) for data storage. Everything will be stored in a sqlite3 database.
Using cmake and pkg-config, #C, sqlite3 (sqlcipher), libevent, and openssl.
Decided to just focus on developing the software on KDE neon distro (Ubuntu LTS) and worry about other OSes later. I spent too much time worrying about ease of build/install instructions for other operating systems instead of just deciding and moving forward.
Just released: #swad 0.12
swad is the "Simple Web Authentication Daemon". It basically offers adding form + #cookie #authentication to your reverse proxy (designed for and tested with #nginx "auth_request"). I created it mainly to defend against #malicious_bots, so among other credential checker modules for "real" logins, it offers a proof-of-work mechanism for guest logins doing the same #crypto #challenge known from #Anubis.
swad is written in pure #C with minimal dependencies (#zlib, #OpenSSL or compatible, and optionally #PAM), and designed to work on any #POSIX system. It compiles to a small binary (200 - 300 kiB depending on compiler and target platform).
This release brings (among a few bugfixes) improvements to make swad fit for "heavy load" scenarios: There's a new option to balance the load across multiple service worker threads, so all cores can be fully utilized if necessary, and it now keeps lots of transient objects in pools for reuse, which helps to avoid memory fragmentation and ultimately results in lower overall memory consumption.
Read more about it, download the .tar.xz, build and install it .... here:
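The proof-of-work guest login mentioned above works the same way as the Anubis-style challenge: the server hands out a challenge, the client must find a nonce whose hash of challenge plus nonce meets a difficulty target, and the server verifies that cheaply. The following is an added illustrative example and not swad's or Anubis's code; the challenge format (`issued:seed:hmac`), the rule that the SHA-256 hex digest must start with a number of `0` characters, the 300-second TTL and the function names are all assumptions made for this example.

```python
"""Illustrative hash-based proof-of-work challenge (added example, not swad code).

Server side: issue a challenge that is bound to a server secret via HMAC so it
cannot be forged, and to an issue time so it expires.
Client side: brute-force a nonce until sha256(challenge || nonce) starts with
DIFFICULTY hex zeros.  Server side again: check HMAC, age and the hash.
"""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)  # per-process secret; a real daemon would persist/rotate it
DIFFICULTY = 4                  # leading hex zeros required (~16**4 hashes on average)
TTL_SECONDS = 300               # assumption: challenges are valid for five minutes


def issue_challenge(secret=SERVER_SECRET, now=None):
    """Return 'issued:seed:tag'; tag = HMAC-SHA256(secret, 'issued:seed')."""
    issued = int(time.time() if now is None else now)
    seed = os.urandom(16).hex()
    payload = f"{issued}:{seed}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def pow_digest(challenge, nonce):
    """Hex SHA-256 over the challenge string followed by the decimal nonce."""
    return hashlib.sha256(f"{challenge}{nonce}".encode()).hexdigest()


def solve(challenge, difficulty=DIFFICULTY, max_iter=10_000_000):
    """Client work: find the first nonce whose digest has the required prefix."""
    prefix = "0" * difficulty
    for nonce in range(max_iter):
        if pow_digest(challenge, nonce).startswith(prefix):
            return nonce
    raise RuntimeError("no solution within max_iter")


def verify(challenge, nonce, secret=SERVER_SECRET, difficulty=DIFFICULTY, now=None):
    """Server work: constant-time HMAC check, expiry check, then one hash."""
    try:
        issued_s, seed, tag = challenge.split(":")
        issued = int(issued_s)
    except ValueError:
        return False  # malformed challenge
    expected = hmac.new(secret, f"{issued_s}:{seed}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered challenge
    current = time.time() if now is None else now
    if current - issued > TTL_SECONDS or issued > current + 60:
        return False  # expired, or issued "in the future"
    return pow_digest(challenge, nonce).startswith("0" * difficulty)


if __name__ == "__main__":
    ch = issue_challenge()
    t0 = time.time()
    n = solve(ch)
    print(f"nonce={n} found in {time.time() - t0:.2f}s, digest={pow_digest(ch, n)}")
    print("verify:", verify(ch, n), "after expiry:", verify(ch, n, now=time.time() + TTL_SECONDS + 1))
```

Two things this sketch leaves to the deployment: the server still needs to remember solved challenges (or issue a session cookie on success, as swad does via `auth_request`) so one solution cannot be replayed within the TTL, and the difficulty should be tuned so that the cost stays negligible for a browser but adds up for a scraper hitting many guest sessions.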