Rainer,

On 3/19/15 10:16 AM, Rainer Jung wrote:
> On 16.03.2015 at 21:26, Mark Thomas wrote:
>> On 16/03/2015 20:17, Rainer Jung wrote:
>>> On 13.03.2015 at 12:17, Mark Thomas wrote:
>>>> On 12/03/2015 19:09, Christopher Schultz wrote:
>>>>> Konstantin,
>>>>>
>>>>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>>>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.j...@kippdata.de>:
>>>>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>>>>
>>>>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>>>>> dependency in the Windows binaries.
>>>>>>>>
>>>>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>>>>> or stick with 1.0.1. Thoughts?
>>>>>>>
>>>>>>>
>>>>>>> A related question: when moving forward it would be easier if we could
>>>>>>> require 0.9.8 as the minimum supported version so we could try to
>>>>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine,
>>>>>>> people able to build tcnative themselves should be in a position to use
>>>>>>> a still maintained version of OpenSSL and not rely on 0.9.7 (our current
>>>>>>> minimum version).
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Note that their January security announcement [1] mentions that
>>>>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>>>>
>>>>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>>>>
>>>>>> [quote]
>>>>>> As per our previous announcements and our Release Strategy
>>>>>> (https://www.openssl.org/about/releasestrat.html), support for
>>>>>> OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No
>>>>>> security updates for these releases will be provided after that date.
>>>>>> Users of these releases are advised to upgrade.
>>>>>> [/quote]
>>>>>
>>>>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>>>>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>>>>> both go EOL, we can bump-up the required version in tcnative to 1.0.1
>>>>> (at least).
>>>>>
>>>>>> 1.0.2 would be better if it provides some additional ciphers, for
>>>>>> better security options. I agree that we would better wait a bit for
>>>>>> 1.0.2a, b, or c.
>>>>>
>>>>> We should definitely /support/ 1.0.2 (which I believe we do), but
>>>>> OpenSSL is the kind of library that we probably want to let others beta
>>>>> test first :)
>>>>
>>>> So...
>>>>
>>>> Stick with building with 1.0.1 for now.
>>>> No takers for doing the release - I'll start this today.
>>>
>>> Just for information: the OpenSSL project has published an announcement
>>> this evening:
>>>
>>> ========================== 8>< ====================
>>>
>>> Forthcoming OpenSSL releases
>>> ============================
>>>
>>> The OpenSSL project team would like to announce the forthcoming release
>>> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>>>
>>> These releases will be made available on 19th March. They will fix a
>>> number of security defects. The highest severity defect fixed by these
>>> releases is classified as "high" severity.
>>>
>>> ========================== 8>< ====================
>>>
>>> So that means 1.0.1l will be outdated in 4 days. We don't know yet
>>> whether the security issues apply to tcnative, so I don't have a strong
>>> suggestion whether to better proceed and get this tcnative release done
>>> or wait another 3 days for 1.0.1m. But I wanted to let you know that a
>>> new OpenSSL release is expected.
>>
>> I think we have to wait.
>>
>> I'll finish my various local checks but not go as far as uploading the
>> RC for voting.
>>
>> I'll drop the 1.1.33 tag at some point as well.
>
> The OpenSSL release is public now - though their web server is very busy
> right now.
>
> Most of the security issues (but not all) are in 1.0.2. So I think it is
> fine we stay on 1.0.1 a little while.
While I agree that most of the 12 issues fixed in this announcement of the releases for, well, all branches of OpenSSL are not an issue, assuming a sane server setup, some people prefer not to have sane setups ;) Nobody should be using EXPORT ciphers, but evidently, *many* people still are. Though use of client certificates is relatively limited, /those/ are the folks who are a) doing security correctly and b) vulnerable to CVE-2015-0286.

So I stick with my +1 to stay with 1.0.1 for the time being, and I'm +1 to linking to 1.0.1m as I can see Mark is already doing.

-chris
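The startup warning Chris proposes in the thread (log something when tcnative detects an OpenSSL older than 1.0.1), as an added example that is not tcnative's or OpenSSL's code: it decodes the 0xMNNFFPPS layout of OpenSSL's OPENSSL_VERSION_NUMBER so a runtime library can be compared against a minimum release, and adds a small token scan for an explicit "!EXPORT" in a cipher string, since the message also notes that EXPORT ciphers are still in use. The VER_* constants are my assumed encodings for the releases named in the announcement (confirm against the opensslv.h of the library you link); the cipher-string check is a plain token comparison, not OpenSSL's cipher-list parser, so a list that merely omits EXPORT without excluding it is reported as not excluded.

```c
/* Added example (not tcnative or OpenSSL code): startup check for an OpenSSL
 * runtime older than a chosen minimum, plus a simple cipher-string check for
 * an explicit "!EXPORT". Compiles without OpenSSL headers; in a real build the
 * runtime value would come from SSLeay() and the compile-time value from
 * OPENSSL_VERSION_NUMBER in <openssl/opensslv.h>. */
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS = major, minor, fix, patch letter
 * (01 = a ... 1a = z, 1b = za ...), status (0 dev, 1-e beta, f release).
 * Values below are assumed for the releases named in the thread; confirm
 * against the opensslv.h of the library you actually link. */
#define VER_0_9_8ZF 0x0090820fUL
#define VER_1_0_0R  0x1000012fUL
#define VER_1_0_1L  0x100010cfUL
#define VER_1_0_1M  0x100010dfUL
#define VER_1_0_2A  0x1000201fUL

/* Minimum proposed in the thread: 1.0.1, any patch letter */
#define MIN_VERSION 0x10001000UL

/* Mask off patch letter and status so only major.minor.fix is compared */
static unsigned long base_version(unsigned long v) {
    return v & 0xfffff000UL;
}

/* 1 if the runtime library is at least the minimum, else 0 */
int openssl_version_ok(unsigned long runtime, unsigned long minimum) {
    return base_version(runtime) >= base_version(minimum);
}

/* Render 0xMNNFFPPS as e.g. "1.0.1m" or "0.9.8zf" for a log message */
void openssl_version_string(unsigned long v, char *out, size_t outlen) {
    unsigned major  = (v >> 28) & 0xf;
    unsigned minor  = (v >> 20) & 0xff;
    unsigned fix    = (v >> 12) & 0xff;
    unsigned patch  = (v >> 4) & 0xff;
    unsigned status = v & 0xf;
    char letters[3] = {0, 0, 0};
    if (patch > 26) {              /* za, zb, ... after z */
        letters[0] = 'z';
        letters[1] = (char)('a' + (patch - 27));
    } else if (patch > 0) {
        letters[0] = (char)('a' + (patch - 1));
    }
    snprintf(out, outlen, "%u.%u.%u%s%s", major, minor, fix, letters,
             status == 0xf ? "" : "-pre");
}

/* 1 if a colon-separated OpenSSL cipher string contains an explicit exclusion
 * of the export cipher classes (!EXPORT, !EXP, !EXPORT40, !EXPORT56).
 * Token scan only; it does not evaluate what the other keywords select. */
int cipher_list_excludes_export(const char *list) {
    static const char *const excl[] = {"!EXPORT", "!EXP", "!EXPORT40", "!EXPORT56"};
    char copy[512];
    char *tok;
    size_t i;
    if (strlen(list) >= sizeof copy) return 0;
    strcpy(copy, list);
    for (tok = strtok(copy, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        for (i = 0; i < sizeof excl / sizeof excl[0]; i++)
            if (strcmp(tok, excl[i]) == 0) return 1;
    }
    return 0;
}

/* Demonstration: emit the proposed warning for each release in the thread */
int main(void) {
    const unsigned long releases[] = {VER_0_9_8ZF, VER_1_0_0R, VER_1_0_1L,
                                      VER_1_0_1M, VER_1_0_2A};
    size_t i;
    for (i = 0; i < sizeof releases / sizeof releases[0]; i++) {
        char name[32];
        openssl_version_string(releases[i], name, sizeof name);
        if (openssl_version_ok(releases[i], MIN_VERSION))
            printf("OpenSSL %s: ok\n", name);
        else
            printf("WARNING: OpenSSL %s is older than 1.0.1; this branch loses "
                   "security updates after 31 December 2015\n", name);
    }
    printf("\"HIGH:!aNULL:!EXPORT\" excludes export ciphers: %d\n",
           cipher_list_excludes_export("HIGH:!aNULL:!EXPORT"));
    printf("\"ALL:!aNULL\" excludes export ciphers: %d\n",
           cipher_list_excludes_export("ALL:!aNULL"));
    return 0;
}
```

Comparing only the masked major.minor.fix is deliberate: a warning keyed to the full value would fire on every patch letter below the one tcnative was built against, which is not what the thread asks for; the patch letter is still decoded so the log line names the exact release.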