On 13.03.2015 at 12:17, Mark Thomas wrote:
On 12/03/2015 19:09, Christopher Schultz wrote:
Konstantin,

On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
On 12.03.2015 at 14:04, Mark Thomas wrote:

Given bug 57653 [1], the next 8.0.x release (which is already overdue
from when I wanted to get it out) is going to need a new Tomcat native
release. This would also be an opportunity to update the OpenSSL
dependency in the Windows binaries.

One question is whether Tomcat native should switch to the 1.0.2 branch
or stick with 1.0.1. Thoughts?


A related question: when moving forward it would be easier if we could
require 0.9.8 as the minimum supported version so we could try to
(partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
able to build tcnative themselves should be in a position to use a still
maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
version).



Note that their January security announcement [1] mentions that
OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:

[1] https://www.openssl.org/news/secadv_20150108.txt

[quote]
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
[/quote]

Perhaps we should add a warning to tcnative if it detects an OpenSSL
less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
both go EOL, we can bump-up the required version in tcnative to 1.0.1
(at least).

1.0.2 would be better if it provides some additional ciphers, for
better security options. I agree that we had better wait a bit for
1.0.2a, b, or c.

We should definitely /support/ 1.0.2 (which I believe we do), but
OpenSSL is the kind of library that we probably want to let others beta
test first :)

So...

Stick with building with 1.0.1 for now.
No takers for doing the release - I'll start this today.

Just for information: the OpenSSL project has published an announcement this evening:

========================== 8>< ====================

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

========================== 8>< ====================

So that means 1.0.1l will be outdated in 4 days. We don't know yet whether the security issues apply to tcnative, so I don't have a strong suggestion whether to better proceed and get this tcnative release done or wait another 3 days for 1.0.1m. But I wanted to let you know that a new OpenSSL release is expected.

Regards,

Rainer
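The thread floats the idea of having tcnative log a warning when it finds an OpenSSL older than 1.0.1. Below is an added, constructed illustration of such a startup check; it is not tcnative's code and none of the function names are from the project. It relies on the documented OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS: major, minor, fix, patch letter, status nibble). To compile without OpenSSL headers the version numbers are passed in as arguments; in a real build the run-time value would come from SSLeay() on 1.0.x and the compile-time value from OPENSSL_VERSION_NUMBER in <openssl/crypto.h>. It also flags the case the thread touches on implicitly: the library loaded at run time being from a different release branch than the one tcnative was compiled against.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not tcnative source. OPENSSL_VERSION_NUMBER layout:
 *   0xMNNFFPPS  M = major (4 bits), NN = minor, FF = fix,
 *               PP = patch letter (a=1 .. z=26, za=27 ...), S = status
 *               (0x0 dev, 0x1-0xe beta, 0xf release).
 * 0x1000100f is the 1.0.1 base release; any 1.0.1x patch level is >= it.
 */
#define MIN_SUPPORTED_OPENSSL 0x1000100fUL   /* 1.0.1 release, any patch letter */

typedef struct {
    unsigned major, minor, fix, patch, status;
} openssl_ver;

/* Split a packed version number into its fields. */
openssl_ver decode_openssl_version(unsigned long v)
{
    openssl_ver r;
    r.major  = (unsigned)((v >> 28) & 0x0f);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)( v        & 0x0f);
    return r;
}

/* Render a number the way OpenSSL prints it, e.g. 0x100010cf -> "1.0.1l".
 * Uses a static buffer (not reentrant); adequate for one startup log line. */
const char *openssl_version_string(unsigned long v)
{
    static char buf[40];
    char letter[3] = "";
    openssl_ver r = decode_openssl_version(v);

    if (r.patch >= 1 && r.patch <= 26) {
        letter[0] = (char)('a' + r.patch - 1);
    } else if (r.patch > 26 && r.patch <= 52) {
        letter[0] = 'z';                            /* za .. zz */
        letter[1] = (char)('a' + (r.patch - 27));
    }
    snprintf(buf, sizeof buf, "%u.%u.%u%s%s", r.major, r.minor, r.fix, letter,
             r.status == 0xf ? "" : "-pre");
    return buf;
}

/* 1 when the run-time library is older than the minimum; a plain numeric
 * compare is correct because fields are laid out most-significant first. */
int openssl_version_below_minimum(unsigned long runtime_version)
{
    return runtime_version < MIN_SUPPORTED_OPENSSL;
}

/* 1 when run-time and compile-time versions are from different branches
 * (major.minor.fix); OpenSSL only promises binary compatibility within one. */
int openssl_branch_mismatch(unsigned long runtime_version, unsigned long compiled_version)
{
    return (runtime_version & 0xfffff000UL) != (compiled_version & 0xfffff000UL);
}

/* Build the startup log line into out; returns 1 if it is a warning. */
int openssl_startup_check(unsigned long runtime_version, unsigned long compiled_version,
                          char *out, size_t outlen)
{
    char run[40], comp[40];
    snprintf(run, sizeof run, "%s", openssl_version_string(runtime_version));
    snprintf(comp, sizeof comp, "%s", openssl_version_string(compiled_version));

    if (openssl_version_below_minimum(runtime_version)) {
        snprintf(out, outlen, "WARNING: OpenSSL %s is older than the minimum supported %s",
                 run, openssl_version_string(MIN_SUPPORTED_OPENSSL));
        return 1;
    }
    if (openssl_branch_mismatch(runtime_version, compiled_version)) {
        snprintf(out, outlen, "WARNING: running OpenSSL %s but compiled against %s", run, comp);
        return 1;
    }
    snprintf(out, outlen, "OpenSSL %s OK (compiled against %s)", run, comp);
    return 0;
}

int main(void)
{
    /* Constructed sample run-time values: 1.0.1l, 1.0.0r, 1.0.2a; compiled against 1.0.1l. */
    unsigned long samples[] = { 0x100010cfUL, 0x1000012fUL, 0x1000201fUL };
    char line[160];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        openssl_startup_check(samples[i], 0x100010cfUL, line, sizeof line);
        puts(line);
    }
    return 0;
}
```

The two checks are deliberately separate: the minimum-version test is the policy the thread proposes, while the branch-mismatch test catches a deployment that silently loads a different OpenSSL than the one tcnative was built and tested with.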
