Please update your openssl version

[scsijon]

The latest stable version is the 3.0 series (3.0.0) is now released at https://www.openssl.org/source/openssl-3.0.0.tar.gz. Also available is the 1.1.1 series at https://www.openssl.org/source/openssl-1.1.1l.tar.gz which is our Long Term Support (LTS) version, supported until 11th September 2023. All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.0 or 1.1.1 as soon as possible.

[April]

Why the disjointed release numbers?
OK 0.9.8 -- 1.0.0 -- 1.0.2 --1.1.0 --1.2.0 etc with 1.1.1 as an adjustment to 1.1.0 is fine

So why jump to 3.0 ? Where is 2.0?
You'll support 1.1.1 and 3.0 Can't you guys just use normal sequence numbering without the confusing jump arounds?

[scsijon]

Don't blame me, I just pass this information on to my groups for a number of the important packages I work with;

The varying numbers are/were stable releases, there were other release numbers for testing and interim releases covering such things as urgent CVE's untill confirmed fixes appeared, each had their own release number. Odd numbers are usually test versions as openssl follows the old linux numbering format of odd for test/development and even for release;

As far as 2.x is concerned it was mainly windows related as I was given to understand it so it would not appear in our tree;

3.x.x is a new methodology as i understand it that should ease the current daily grinding burden on the maintainers.

Internally, openssl didn't jump, it's just that externally it can appear as a jump.

Remember we are not dealing with one certificate source site, there are a 'few' hundred individuals covering everything imaginable relating to security across the network as well as many software packages and systems having their own certificate sets.
To give you an idea of the 'mess' that must be constantly dealt with. Currently within version 1.0.2, is the problem of the currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued containing an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. Yes this exists at present! In some cases the OpenSSL 1.0.2 version will regard all the certificates issued by the Let’s Encrypt CA as having an expired trust chain and not just that single one, and it not known which system will error because it depends on the function that the individual piece of software or hardware equipment is carrying out. Which is why it's recomemded to update ASAP. There are currently workarounds with 1.0.2 for servers and client devices, but it's easier to get rid of the problem when their found with an update than deal with the complaints related to out badly of date versions even if their considered stable.

Hope that helped.

[mikeslr]

See my post here, viewtopic.php?f=4&t=4027.

A problem without a solution is just another environmental factor diminishing the joy of being alive.