As with Solaris 11.2, Solaris 11.3 delivers two versions of OpenSSL: the
non-FIPS 140 version (default) and the FIPS 140 version. They are both
based on OpenSSL 1.0.1o (as of July 7th, 2015).
There are no major features added to Solaris 11.3 OpenSSL; however,
there are a couple of things that I would like to note.
EOL SSLv2 Support
The SSLv2 protocol has been known to have issues for a while. Therefore, we
have decided it's about time to remove SSLv2 support from Solaris
OpenSSL. This should not be an issue for most applications out there, as
nobody should be using the SSLv2 protocol these days. If your application
still does, please consider moving on to the more secure TLS protocols.
With Solaris 11.3, SSLv2 entry points are replaced with stub functions,
and they are declared 'deprecated'. Thus, if you are building an
application which has references to the SSLv2 entry points, be prepared
to see some compiler warnings like:
warning: "SSLv2_client_method" is deprecated, declared in : "/usr/include/openssl/ssl.h", line 2035
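To find such references before the compiler does, a source tree can be scanned for the SSLv2 entry points. This is an added example, not code from the original post or from Solaris: the function name find_sslv2_refs is hypothetical, and SSLv2_method and SSLv2_server_method are the standard OpenSSL 1.0.x names of the other two SSLv2 entry points, which the post does not list.

```shell
#!/bin/sh
# Added example: list references to SSLv2 entry points in a C/C++ tree.
# Only SSLv2_client_method is named in the post; SSLv2_method and
# SSLv2_server_method are the other OpenSSL 1.0.x SSLv2 constructors.

# find_sslv2_refs DIR
#   Prints one "file:line:symbol" record per reference found.
#   References inside comments are reported too, so review each hit.
find_sslv2_refs() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' \
        -o -name '*.cpp' \) -exec awk '
        {
            # Pad the line so a symbol at either end still has a
            # neighbouring character to test against.
            rest = " " $0 " "
            # Require a non-identifier character on both sides, so that
            # SSLv23_client_method or my_SSLv2_method_x do not match.
            while (match(rest, /[^A-Za-z0-9_]SSLv2_(client_|server_)?method[^A-Za-z0-9_]/)) {
                print FILENAME ":" FNR ":" substr(rest, RSTART + 1, RLENGTH - 2)
                # Keep the trailing delimiter: it may be the leading
                # delimiter of the next reference on the same line.
                rest = substr(rest, RSTART + RLENGTH - 1)
            }
        }' {} +
}

# Stand-alone use: sh script.sh /path/to/source
if [ "$#" -gt 0 ]; then
    find_sslv2_refs "$1"
fi
```

Each reported call site is a place to switch to a TLS method before building against Solaris 11.3 OpenSSL.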
Now, some of you may wonder: why are we not removing SSLv3 from Solaris
OpenSSL as well?
Unfortunately, there are some third-party applications which still only
support the SSLv3 protocol; thus, we feel that it's not time to remove
SSLv3 support from the OpenSSL library just yet. That's not to say the
SSLv3 protocol is an acceptable protocol. RFC 7568, "Deprecating Secure
Sockets Layer Version 3.0", was just published, stating that "SSLv3 MUST
NOT be used. Negotiation of SSLv3 from any version of TLS MUST NOT be
permitted." Fortunately, Oracle has already been implementing compliance
with this RFC for a while now, and most applications supported by Oracle
Solaris 11.3 disable SSLv2 and SSLv3 by default. If you own an application
which only supports SSLv3, it is time to move on to the newer and more
secure protocols such as TLS 1.2. We won't be supporting the SSLv3
protocol for too much longer.
OpenSSL Thread and Fork Safety (Part 2)
With S11.2, we attempted to make OpenSSL thread and fork safe by
default. (See "OpenSSL Thread and Fork Safety" under "OpenSSL on
However, the fix apparently wasn't complete, and we needed to extend the
With Solaris 11.3 OpenSSL, the following functions are now replaced with
stub functions. Instead of allowing other applications/libraries to
specify their own locking and thread identification callback functions,
Solaris now has an internal implementation of locking and thread
identification within Solaris OpenSSL that's not visible to the API
caller. Applications may still call those functions, but the supplied
callback functions will not be used by Solaris OpenSSL.
What does that mean for you?
OpenSSL is now thread and fork safe by default, finally. You don't need
to make any modification to your application nor to your library. You can
relax and have a beer or two.
That's all I have for now.