On 16/03/2015 20:17, Rainer Jung wrote:
> Am 13.03.2015 um 12:17 schrieb Mark Thomas:
>> On 12/03/2015 19:09, Christopher Schultz wrote:
>>> Konstantin,
>>>
>>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
>>>>> Am 12.03.2015 um 14:04 schrieb Mark Thomas:
>>>>>>
>>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>>> dependency in the Windows binaries.
>>>>>>
>>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>>> or stick with 1.0.1. Thoughts?
>>>>>
>>>>>
>>>>> A related question: when moving forward it would be easier if we could
>>>>> require 0.9.8 as the minimum supported version so we could try to
>>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine;
>>>>> people able to build tcnative themselves should be in a position to use
>>>>> a still maintained version of OpenSSL and not rely on 0.9.7 (our current
>>>>> minimum version).
>>>>>
>>>>
>>>>
>>>> Note that their January security announcement [1] mentions that
>>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>>
>>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>>
>>>> [quote]
>>>> As per our previous announcements and our Release Strategy
>>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL
>>>> versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security
>>>> updates for these releases will be provided after that date. Users of
>>>> these releases are advised to upgrade.
>>>> [/quote]
>>>
>>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>>> both go EOL, we can bump-up the required version in tcnative to 1.0.1
>>> (at least).
>>>
>>>> 1.0.2 would be better if it provides some additional ciphers, for
>>>> better security options. I agree that we would better wait a bit for
>>>> 1.0.2a, b, or c.
>>>
>>> We should definitely /support/ 1.0.2 (which I believe we do), but
>>> OpenSSL is the kind of library that we probably want to let others beta
>>> test first :)
>>
>> So...
>>
>> Stick with building with 1.0.1 for now.
>> No takers for doing the release - I'll start this today.
> 
> Just for information: the OpenSSL project has published an announcement
> this evening:
> 
> ========================== 8>< ====================
> 
> Forthcoming OpenSSL releases
> ============================
> 
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> 
> These releases will be made available on 19th March. They will fix a
> number of security defects. The highest severity defect fixed by these
> releases is classified as "high" severity.
> 
> ========================== 8>< ====================
> 
> So that means 1.0.1l will be outdated in 4 days. We don't know yet
> whether the security issues apply to tcnative, so I don't have a strong
> suggestion whether to better proceed and get this tcnative release done
> or wait another 3 days for 1.0.1m. But I wanted to let you know that a
> new OpenSSL release is expected.

I think we have to wait.

I'll finish my various local checks but not go as far as uploading the
RC for voting.

I'll drop the 1.1.33 tag at some point as well.

Mark

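Christopher's suggestion above (warn when tcnative detects an OpenSSL older than 1.0.1) is the kind of check that has to be made at runtime, not compile time: tcnative is a native library that can be built against one OpenSSL and loaded alongside another, and the Windows binaries discussed in this thread bundle a specific OpenSSL build. The following is an added example written for this page, not tcnative or Tomcat code. It decodes OpenSSL's 0xMNNFFPPS version-number encoding (the scheme used by OPENSSL_VERSION_NUMBER at compile time and SSLeay() at runtime in the 1.0.x series) and flags both an EOL-bound runtime version and a build/runtime branch mismatch. The 1.0.1 threshold is taken from the thread; the sample version values and the fact that the "runtime" version is passed in as a parameter rather than read from SSLeay() are assumptions made so the code compiles and runs without OpenSSL headers.

```c
/* Added example, not tcnative code. OpenSSL 1.0.x encodes its version as
 * 0xMNNFFPPS: M = major (1 nibble), NN = minor, FF = fix, PP = patch letter
 * (01 = 'a'), S = status (f = release). E.g. 1.0.1l is 0x100010cfL.
 * In a real build, compiled_version would be OPENSSL_VERSION_NUMBER and
 * runtime_version would come from SSLeay(); here both are parameters
 * (assumption) so the logic can be exercised without OpenSSL installed. */
#include <stdio.h>
#include <string.h>

/* Threshold from the thread: warn on anything below 1.0.1 (patch/status masked). */
#define MIN_WARN_VERSION 0x10001000L
#define BRANCH_MASK      0xfffff000L   /* major.minor.fix, ignores patch letter and status */

struct ossl_version {
    unsigned major, minor, fix;
    char patch;        /* 'a'..'z', or 0 when there is no patch letter */
    unsigned status;   /* 0 = dev, 1..0xe = beta, 0xf = release */
};

static struct ossl_version decode_version(unsigned long v) {
    struct ossl_version r;
    unsigned p = (v >> 4) & 0xff;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = p ? (char)('a' + p - 1) : 0;
    r.status = v & 0xf;
    return r;
}

static void format_version(unsigned long v, char *buf, size_t len) {
    struct ossl_version d = decode_version(v);
    if (d.patch)
        snprintf(buf, len, "%u.%u.%u%c", d.major, d.minor, d.fix, d.patch);
    else
        snprintf(buf, len, "%u.%u.%u", d.major, d.minor, d.fix);
}

/* Convenience for checking format_version output without a caller-side buffer. */
static int version_string_is(unsigned long v, const char *expect) {
    char buf[32];
    format_version(v, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* 1 if the runtime OpenSSL is below the 1.0.1 threshold, else 0. */
static int openssl_too_old(unsigned long runtime_version) {
    return (runtime_version & BRANCH_MASK) < MIN_WARN_VERSION;
}

/* Returns a bitmask: bit 0 = runtime version too old, bit 1 = the library
 * loaded at runtime is from a different branch than the one compiled against. */
static int check_openssl_version(unsigned long compiled_version,
                                 unsigned long runtime_version) {
    char c[32], r[32];
    int warn = 0;
    format_version(compiled_version, c, sizeof c);
    format_version(runtime_version, r, sizeof r);
    if (openssl_too_old(runtime_version)) {
        fprintf(stderr, "WARNING: OpenSSL %s is below 1.0.1; the 0.9.8 and "
                        "1.0.0 branches lose security support on 31 Dec 2015\n", r);
        warn |= 1;
    }
    if ((compiled_version & BRANCH_MASK) != (runtime_version & BRANCH_MASK)) {
        fprintf(stderr, "WARNING: built against OpenSSL %s but running with %s\n", c, r);
        warn |= 2;
    }
    return warn;
}

int main(void) {
    /* Constructed sample: built against 1.0.1l, but 0.9.8y is loaded at runtime. */
    int w = check_openssl_version(0x100010cfL, 0x0090819fL);
    return w ? 1 : 0;
}
```

Masking off the patch letter and status nibble before comparing is what lets 1.0.1 itself (and every 1.0.1x) pass the threshold while 1.0.0r and 0.9.8zf, the other releases announced in the thread, still trigger the warning. The branch-mismatch check is the part a compile-time-only check cannot give you.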
