Depends on draft issue @t8m is working on this iteration.

We have defined, through the defined PGP key in doc/fingerprints.txt in the source repository, that [email protected] is the user that is going to create the releases.

To allow the commits created with this user, it needs to be established in our databases to be a valid author.

Tasks:

• Add CLAs for this users, or at the very least, insert it in our CLA db.
• Make sure that release-tools/publish-release.sh records a human reviewer and runs addrev on the staged commits

• What is OpenSSL
• Getting and installing OpenSSL
• Contents of the Guide
  • Links to the various other guide pages

Everything that we've not covered in any other conformance related tickets.

• Purpose of libcrypto and libssl
• Building a simple application using the libraries
• Introducing some key concepts
• Initialisation and de-initialisation of the libraries
• Library contexts
• Fetching algorithms and property queries
• Error handling
• Library conventions
  • get0/get1/set0/set1
  • CLASSNAME_func_name()
• Multi-threaded applications

some doc is here already: $ man crypto

risk: in case it doesn't work -> investigation and fix work.

There are a number of libcrypto subsystems that still depend on legacy code and aren't well (or at all) prepared for being used with provider implementations. This was a deliberate choice we made in the sprint/summer 2021 to be able to get 3.0.0 out. I recall PKCS#7 and CMS being mentioned at the time, and remember finding the PBE functionality as well (albeit late, so I think I "forgot" to mention it at the time).

There are also a number of openssl app commands that don't quite take providers into account (for example openssl enc -list, which will only display legacy algorithm implementation).

All of these cases need to brought to light... users are starting to notice these discrepancies, see for example openssl/openssl#20221.

The products of this effort should be a list of cases found, with an issue each on github.com attached.

folder to store the materials:
https://docs.google.com/presentation/d/1_hYv6qJE5_zVklQR-FJDCHvOODNF5vtVnkegqIdCkCU/

The list is here
https://docs.google.com/document/d/1DKv3YS739oNzJva0G4pd_w6ZF-pAn3HnrZDESoMcSMM/edit#

Feature Acceptance Criteria Document

Go through the todo items and identify work required to be done (create issues).

• Policy Document

There was a raise on handshake per second metrics for 100 threads but a drop for 500 and 1000 threads after midnight on 2023-06-02 on master branch. See https://graph.openssl.org/d/f6ded4d3-de2c-4279-ba89-21ab98970a96/handshakes-per-second?orgId=1&from=1685397600000&to=1685915999000

There were two commits merged:

openssl/openssl@cee0628

and

openssl/openssl@fc570b2

If the SSL RTT is the culprit for the drop we might want to make the call to ossl_time_now() optional. If the ossl_provider_doall_activated() is the culprit for both the raise and the drop it might be harder to fix but it should still be considered.

Create a quickstart and tutorial guide.

@mattcaswell: My proposed structure is a series of 6 man pages as follows. I will focus on pages 3 and 4 initially. 1 should be straight forward. 2, 5, and 6 can come a little later:

• work out general structure. done by @mattcaswell.

A "hello world" demo.
Write a demo app that interoperates with another QUIC implementation.

ddd_demoes should be updated.

• must be moved to demoes directory and up to date
• check for best practices tls stuff

(we don't refer to any of these demoes from man pages)

• What is TLS?
  • Confidentiality, Integrity, Authentication
• What are the different versions of SSL/TLS?
  • SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
  • Version negotiation
• Trusted Certificate Store
  • What is a certificate?
  • What is a CA?
  • Getting a certficiate store
• Important objects for a TLS client application
  • SSL_CTX
  • SSL
  • BIO
• SSL_SESSION
  • Phases of a TLS connection
• Set up
  • Handshake
    • Resumption
  • Application data transfer
  • Shutdown
  • Cleanup
• Sockets and BIOs
• Hello World TLS client
  • Creating the SSL_CTX and SSL
  • Creating the socket and BIO
  • SNI
  • Verifying the server's certificate
  • Doing the handshake
  • Sending and receiving data
  • Shuting down the connection
  • Final clean up

• Connection and stream objects
  • What is a connection?
  • What is a stream?
  • The SSL object
  • Threading and connection/stream SSL objects
• The default stream
  • The default stream mode
• The incoming stream policy
• Creating a locally initiated stream
• Accepting remotely initiated streams
• Using streams for sending/receiving data
  • Restrictions when using streams
• Concluding a stream
• Resetting a stream
• Final clean up
• Hello World QUIC client with streams

From a premium support customer asking about this on the openssl-users list.

Issue: openssl/openssl#21185
PR: openssl/openssl#21186

1. Automation: openssl/omc-tools#19
2. Zabbix templates: https://github.openssl.org/sysadmin/sysadmin/pull/241
3. Deployment: https://github.openssl.org/sysadmin/config/pull/75

• Definitely Windows
• We might consider offering other platforms in future but Windows serves as a good MVP
• Proposal to serve as basis for further discussio

RFC 9000 section 10

PR #21429

ssia.

• Low CVEs: should we still make low CVEs public?
• Proposal: 'When we announce a low CVE, there must be a release with a scheduled date [possibly required to be within 4 weeks].'
• Release date should be mentioned in advisory text
• Date should be 'on or before'. We commit to the date.

This allows us to not always allocate an associated lock.

Refer to PR: openssl/openssl#21260

...communicate to OMC it was done.

Cisco's library: https://github.com/cisco/libacvp
Issue about 3.x support: cisco/libacvp#716
Report about problems: openssl/openssl#19909 & other issues by the creator

NetApp has been working on this recently.

If we switch labs, having this usable and feature complete would be very beneficial.

• check for usefulness and completeness

folder to store the materials:
https://docs.google.com/presentation/d/1_hYv6qJE5_zVklQR-FJDCHvOODNF5vtVnkegqIdCkCU/
https://drive.google.com/drive/folders/1z3LpH3EdZ0RO_rLFxxrhBWGjkOlJpE_W

• What is QUIC?
• Understanding how TLS is used in QUIC
• UDP and BIOs
  • BIO_s_dgram()
• QUIC time based events
  • SSL_handle_events()
  • SSL_get_event_timeout()
  • Thread assisted mode
• ALPN
• QUIC shutdown
• Hello World QUIC client
  • Differences between the Hello World TLS client and the QUIC client

Code was added to our buildbots (ci.buildbot.openssl.org) to deploy release staging. Unfortunately, buildbot is unhappy or has surprising behaviors. This needs some extended experimentation and fixing.

Currently observed oddities:

• The scheduler for release staging specifies codebases that should work, among others staging-tool for the staging tool repo, which should become part of the source stamps to the builds. Alas, it's still absent.

• The buildbot source step is... somewhat lacking. You're allowed to specify an "origin", thereby specifying a symbolic remote. However, subsequent fetches of the same source is done by URL, thereby bypassing the symbolic remote entirely.Our code to check if the source in one repository is the ancestor of the same source from another repository cannot work under these conditions, and needs to be refactored to work differently.

If SSL_OP_CLEANSE_PLAINTEXT is set we need to cleanse the decrypted data - one place where this needs to be done is in rstream code. Other is the release of a decrypted packet.

pr openssl/openssl#20856

Issue: openssl/openssl#21179
PR: openssl/openssl#21187

• Advantages of using non-blocking
• Non-blocking sockets vs non-blocking at the SSL API level
  • Setting a socket for non-blocking
  • SSL_set_blocking_mode()
• Checking the socket for readability/writability
• SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE
• SSL_net_read_desired() and SSL_net_write_desired()
• Non-blocking Hello World TLS client
• Non-blocking Hello World QUIC client