2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
> Am 12.03.2015 um 14:04 schrieb Mark Thomas:
>>
>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>> from when I wanted to get it out) is going to need a new Tomcat native
>> release. This would also be an opportunity to update the OpenSSL
>> dependency in the Windows binaries.
>>
>> One question is whether Tomcat native should switch to the 1.0.2 branch
>> or stick with 1.0.1. Thoughts?
>
>
> A related question: when moving forward it would be easier if we could
> require 0.9.8 as the minimum supported version so we could try to
> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
> able to build tcnative themselves should be in a position to use a still
> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
> version).
>


Note that their January security announcement [1] mentions that
OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:

[1] https://www.openssl.org/news/secadv_20150108.txt

[quote]
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
[/quote]

1.0.2 would be better if it provides some additional ciphers, for
better security options. I agree that we had better wait a bit for
1.0.2a, b, or c.

Best regards,
Konstantin Kolinko
