Konstantin,

On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
> 2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>
>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>> from when I wanted to get it out) is going to need a new Tomcat native
>>> release. This would also be an opportunity to update the OpenSSL
>>> dependency in the Windows binaries.
>>>
>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>> or stick with 1.0.1. Thoughts?
>>
>> A related question: when moving forward it would be easier if we could
>> require 0.9.8 as the minimum supported version so we could try to
>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>> able to build tcnative themselves should be in a position to use a still
>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>> version).
>
> Note that their January security announcement [1] mentions that
> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>
> [1] https://www.openssl.org/news/secadv_20150108.txt
>
> [quote]
> As per our previous announcements and our Release Strategy
> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL
> versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security
> updates for these releases will be provided after that date. Users of
> these releases are advised to upgrade.
> [/quote]
Perhaps we should add a warning to tcnative if it detects an OpenSSL less
than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0 both go
EOL, we can bump up the required version in tcnative to 1.0.1 (at least).

> 1.0.2 would be better if it provides some additional ciphers, for
> better security options. I agree that we would better wait a bit for
> 1.0.2a, b, or c.

We should definitely /support/ 1.0.2 (which I believe we do), but OpenSSL
is the kind of library that we probably want to let others beta test
first :)

-chris
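The version gate discussed in this thread (reject below a 0.9.8 build minimum, warn below 1.0.1 until the EOL date), as an added example that is not tcnative's own code: it assumes OpenSSL's packed 0xMNNFFPPS version-number layout, and the tcn_* names and the sample version values are constructed for illustration.

```c
/* Added illustration, not tcnative code. Version values follow OpenSSL's
 * 0xMNNFFPPS layout (major, minor, fix, patch letter, status nibble), which
 * is what OPENSSL_VERSION_NUMBER in <openssl/opensslv.h> and the runtime
 * SSLeay() call return on the 0.9.x/1.0.x branches. */
#include <stdio.h>
#include <string.h>
/* Thresholds proposed in the thread; the tcn_* names are hypothetical. */
#define TCN_MIN_OPENSSL  0x0090800fUL   /* 0.9.8: build-time minimum */
#define TCN_WARN_OPENSSL 0x1000100fUL   /* 1.0.1: warn when older */
/* Compile-time variant: only fires where opensslv.h has been included. */
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x1000100fUL
#warning "OpenSSL older than 1.0.1; 0.9.8 and 1.0.0 are EOL after 2015-12-31"
#endif

enum tcn_ssl_verdict { TCN_SSL_OK = 0, TCN_SSL_WARN = 1, TCN_SSL_REJECT = 2 };

/* Render a packed version as "M.N.F" plus the patch letter, if any. */
void tcn_ssl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix   = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch >= 1 && patch <= 26)
        snprintf(buf, len, "%u.%u.%u%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(buf, len, "%u.%u.%u", major, minor, fix);
}

/* Runtime gate: reject below the build minimum, warn below the EOL line,
 * accept otherwise. The status nibble is masked so pre-releases of 1.0.1
 * compare as 1.0.1 rather than as "older than 1.0.1". */
enum tcn_ssl_verdict tcn_ssl_check(unsigned long v)
{
    unsigned long base = v & ~0xfUL;
    if (base < (TCN_MIN_OPENSSL & ~0xfUL))  return TCN_SSL_REJECT;
    if (base < (TCN_WARN_OPENSSL & ~0xfUL)) return TCN_SSL_WARN;
    return TCN_SSL_OK;
}

int main(void)
{
    /* Constructed sample values: 0.9.7, 1.0.0e, 1.0.1, 1.0.2a. */
    unsigned long samples[] = { 0x0090700fUL, 0x1000005fUL, 0x1000100fUL, 0x1000201fUL };
    const char *label[] = { "ok", "warn: OpenSSL < 1.0.1, upgrade before EOL", "reject: below 0.9.8" };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        tcn_ssl_version_str(samples[i], buf, sizeof buf);
        printf("%-8s %s\n", buf, label[tcn_ssl_check(samples[i])]);
    }
    return 0;
}
```

In tcnative itself the runtime value would come from SSLeay() (the 0.9.x/1.0.x API) rather than from a constructed array.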