OpenSSL's maintainers have put the squeeze on insecure ciphers, with a raft of changes to how the project's operations.
The changes were announced here following an OpenSSL management committee (OMC) meeting in London.
The cryptography policy changes include making sure insecure configurations aren't enabled by default, but by compile-time switches, and “multi-prime RSA” will enforce a maximum number of prime factors by default.
The OMC's decided that it must be possible for new algorithms to be disabled at compile-time, and that new crypto algorithms should only interface to OpenSSL via its EVP (digital EnVeloPe library) API.
In future, any new crypto algorithm will need to be backed by a national or international standards body, and all ciphers will need to be specified at run-time to be enabled in the TLS layer.
Beyond the crypto-policy changes, the OMC has made a number of other changes to the project.
The most noticeable will be the end of the openssl-dev mailing list, partly because there was overlap between posts to that list and to openssl-users, and partly because the OMC wants GitHub to be the primary channel for developer discussions.
For policy communications, there's a new mailing list, openssl-project, “for discussions about the governance and policies of OpenSSL”. Anyone can sign on, but only the OMC and committers can post to it.
There will also be a renewed effort to reduce OpenSSL's technical debt, including cleaning up old tickets, and refactoring code. “The recent addition of the PACKET and WPACKET API’s in the libssl make the code much more clear, and also avoid hand-coded packet processing bugs,” the post stated.
The project's release cadence will change to weekly, on Tuesday, unless there's a severe vulnerability with known exploits.
The OMC says TLS 1.3 remains its highest-priority roadmap item (just as soon as the IETF finally signs off on the standard), and after that, the effort will turn to FIPS compliance. ®