On 17/02/17 17:35, Emmanuel Deloget wrote:
> Now, I have a question which is related to this. The way I'm doing
> things, I will make sure that the new code is compatible with both
> OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
> compatible with version 0.9.8 as well, yet I can't stop wondering if
> this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 month ago and I
> believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
> library -- unless it wants to make sure that future vulnerabilities in
> this old, deprecated version will affect it (and I'm not sure it's a
> good thing). Same goes for OpenSSL 1.0.1 which has been declared out
> of support in January 2017.

TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
support v1.0.1e until at least June 30, 2024.

And now to why ....

One thing is what the upstream OpenSSL supports or not.  But there are
commercial Linux vendors which maintains versions after upstream drops
the support.  The most obvious Linux vendor here is Red Hat.

We have had a policy that the oldest Linux distribution we support is
what Red Hat officially supports [1].  We do not consider the "extended
support" scenarios, as that is services customers needs to pay extra for
(and is quite costly, AFAIR).  Currently, RHEL 5 (Red Hat Enterprise
Linux 5) is the oldest supported distribution, so that is what we
support.  But that support expires March 31, 2017.  So as of April 1st,
2017 RHEL 6 is the oldest distribution we support.

With that said.  Since we released OpenVPN v2.4 fairly recently (late
December), we have not considered or planned for a long-term RHEL 5
support for that distribution, as that is going EOL very soon.


> I understand that I'm the new guy in town, but can you allow me to
> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> require at least version 1.0.2?

So to the RHEL releases and the OpenSSL versions.  RHEL 5 ships with
openssl-0.9.8e.  Both RHEL 6 and RHEL 7 ships with openssl-1.0.1e.

The way Red Hat releases works is that versions are close to never
rebased, at least not core libraries such as OpenSSL.  But Red Hat
employs a lot of users to ensure all packages they distribute is secure
and maintained.  That means that security and important bug fixes will
be backported from newer OpenSSL releases to the openssl-1.0.1e
baseline.  And this happens for the whole life cycle of each major release.

Sometimes even features are backported as well.  But I have gotten
fairly clear signals that TLSv1.3 from openssl-1.1 will not be
backported, as the code has changed too much since the 1.0.1 baseline.
But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x

kind regards,

David Sommerseth
OpenVPN Technologies, Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Openvpn-devel mailing list

Reply via email to