On 12/03/2015 19:09, Christopher Schultz wrote:
> Konstantin,
> 
> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
>>> Am 12.03.2015 um 14:04 schrieb Mark Thomas:
>>>>
>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>> release. This would also be an opportunity to update the OpenSSL
>>>> dependency in the Windows binaries.
>>>>
>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>> or stick with 1.0.1. Thoughts?
>>>
>>>
>>> A related question: when moving forward it would be easier if we could
>>> require 0.9.8 as the minimum supported version so we could try to
>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine; people
>>> able to build tcnative themselves should be in a position to use a still
>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>> version).
>>>
>>
>>
>> Note that their January security announcement [1] mentions that
>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>
>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>
>> [quote]
>> As per our previous announcements and our Release Strategy
>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL
>> versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security
>> updates for these releases will be provided after that date. Users of
>> these releases are advised to upgrade.
>> [/quote]
> 
> Perhaps we should add a warning to tcnative if it detects an OpenSSL
> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
> both go EOL, we can bump-up the required version in tcnative to 1.0.1
> (at least).
> 
>> 1.0.2 would be better if it provides some additional ciphers, for
>> better security options. I agree that we would better wait a bit for
>> 1.0.2a, b, or c.
> 
> We should definitely /support/ 1.0.2 (which I believe we do), but
> OpenSSL is the kind of library that we probably want to let others beta
> test first :)

So...

Stick with building with 1.0.1 for now.
No takers for doing the release - I'll start this today.

Mark
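The version warning Christopher suggests above (warn when tcnative finds an OpenSSL older than 1.0.1, while still refusing anything below the supported minimum) comes down to decoding OpenSSL's packed version number, which is 0xMNNFFPPS: major nibble, minor byte, fix byte, patch-letter byte and a status nibble (0xf = release). The example below is added here for illustration and is not tcnative's or OpenSSL's code; the TCN_* names, the thresholds and the sample version numbers are the example's own assumptions. In real tcnative the compile-time value would be the OPENSSL_VERSION_NUMBER macro and the runtime value SSLeay() (renamed OpenSSL_version_num() in 1.1.0); the example avoids including OpenSSL headers so it runs stand-alone.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not tcnative or OpenSSL code. OpenSSL's version number is
 * 0xMNNFFPPS: M = major (4 bits), NN = minor, FF = fix, PP = patch letter
 * (0 = none, 1 = 'a', 2 = 'b', ...), S = status (0 = dev, 1..0xe = beta/rc,
 * 0xf = release). Hence 0.9.7 = 0x0090700f, 0.9.8 = 0x0090800f,
 * 1.0.1 = 0x1000100f and 1.0.2 = 0x1000200f. Macro names are assumed. */
#define TCN_VER_0_9_8   0x0090800fUL   /* hypothetical hard minimum        */
#define TCN_VER_1_0_1   0x1000100fUL   /* hypothetical "warn below" level  */

/* Keep major/minor/fix, drop the patch letter and status nibble, so that
 * 1.0.1e and 1.0.1 compare equal. */
#define TCN_BASE_MASK   0xfffff000UL

enum tcn_ssl_check { TCN_SSL_OK, TCN_SSL_WARN, TCN_SSL_TOO_OLD };

/* Classify a runtime OpenSSL version against a hard minimum and a
 * "warn below" threshold. Patch letters are deliberately ignored. */
enum tcn_ssl_check tcn_check_openssl(unsigned long runtime,
                                     unsigned long minimum,
                                     unsigned long warn_below)
{
    unsigned long base = runtime & TCN_BASE_MASK;
    if (base < (minimum & TCN_BASE_MASK))
        return TCN_SSL_TOO_OLD;
    if (base < (warn_below & TCN_BASE_MASK))
        return TCN_SSL_WARN;
    return TCN_SSL_OK;
}

/* Render 0xMNNFFPPS as "1.0.1e"; pre-release status is shown as "-pre". */
int tcn_format_openssl_version(unsigned long v, char *buf, size_t n)
{
    unsigned major  = (unsigned)((v >> 28) & 0xf);
    unsigned minor  = (unsigned)((v >> 20) & 0xff);
    unsigned fix    = (unsigned)((v >> 12) & 0xff);
    unsigned patch  = (unsigned)((v >> 4)  & 0xff);
    unsigned status = (unsigned)(v & 0xf);
    char letter[2] = { 0, 0 };

    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);
    return snprintf(buf, n, "%u.%u.%u%s%s", major, minor, fix, letter,
                    status == 0xf ? "" : "-pre");
}

/* The case a runtime check exists for: headers newer than the library the
 * loader actually resolved (e.g. built against 1.0.1, loaded with 0.9.8). */
int tcn_headers_newer_than_library(unsigned long compiled, unsigned long runtime)
{
    return (compiled & TCN_BASE_MASK) > (runtime & TCN_BASE_MASK);
}

int main(void)
{
    /* Constructed sample values: pretend we were built against 1.0.1 headers
     * and the loaded library reports 0.9.8y (0x19 = 25 = 'y'). */
    unsigned long compiled = 0x1000100fUL;
    unsigned long runtime  = 0x0090819fUL;
    char have[32], want[32];

    tcn_format_openssl_version(runtime, have, sizeof have);
    tcn_format_openssl_version(compiled, want, sizeof want);

    switch (tcn_check_openssl(runtime, TCN_VER_0_9_8, TCN_VER_1_0_1)) {
    case TCN_SSL_TOO_OLD:
        printf("ERROR: OpenSSL %s is below the supported minimum\n", have);
        return 1;
    case TCN_SSL_WARN:
        printf("WARNING: OpenSSL %s is end-of-life; upgrade to 1.0.1 or later\n", have);
        break;
    case TCN_SSL_OK:
        printf("OpenSSL %s OK\n", have);
        break;
    }
    if (tcn_headers_newer_than_library(compiled, runtime))
        printf("WARNING: compiled against OpenSSL %s but running with %s\n", want, have);
    return 0;
}
```

The base-version mask is the design point worth keeping: a warning keyed on the full number would fire on every patch-letter release, while the threshold discussed in the thread is about which release branch (0.9.8, 1.0.0, 1.0.1) is still maintained. The compile-time versus runtime comparison matters for exactly the Windows binaries case mentioned above, where the OpenSSL DLL shipped next to tcnative can be swapped independently of the headers it was built against.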


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org