Fri, 17 Feb 2017 at 22:21, David Sommerseth <open...@sf.lists.topphemmelig.net>:
> On 17/02/17 17:35, Emmanuel Deloget wrote:
> >
> > Now, I have a question which is related to this. The way I'm doing
> > things, I will make sure that the new code is compatible with both
> > OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
> > compatible with version 0.9.8 as well, yet I can't stop wondering if
> > this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 month ago and I
> > believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
> > library -- unless it wants to make sure that future vulnerabilities in
> > this old, deprecated version will affect it (and I'm not sure it's a
> > good thing). Same goes for OpenSSL 1.0.1 which has been declared out
> > of support in January 2017.
>
> TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
> support v1.0.1e until at least June 30, 2024.
I added openssl-1.0.1e to the test matrix (do not pay attention to the commit
title, it happened accidentally from an iPad), so ...
https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
>
>
> And now to why ....
>
> One thing is what the upstream OpenSSL supports or not. But there are
> commercial Linux vendors which maintain versions after upstream drops
> the support. The most obvious Linux vendor here is Red Hat.
>
> We have had a policy that the oldest Linux distribution we support is
> what Red Hat officially supports [1]. We do not consider the "extended
> support" scenarios, as those are services customers need to pay extra for
> (and are quite costly, AFAIR). Currently, RHEL 5 (Red Hat Enterprise
> Linux 5) is the oldest supported distribution, so that is what we
> support. But that support expires March 31, 2017. So as of April 1st,
> 2017, RHEL 6 is the oldest distribution we support.
>
> With that said, since we released OpenVPN v2.4 fairly recently (late
> December), we have not considered or planned for long-term RHEL 5
> support for that distribution, as it is going EOL very soon.
>
> [1] <https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates>
>
>
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
>
> So to the RHEL releases and the OpenSSL versions. RHEL 5 ships with
> openssl-0.9.8e. Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
>
> The way Red Hat releases work is that versions are close to never
> rebased, at least not core libraries such as OpenSSL. But Red Hat
> employs a lot of people to ensure all packages they distribute are secure
> and maintained. That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline. And this happens for the whole life cycle of each major release.
>
> Sometimes even features are backported as well. But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with
> openssl-1.1.x.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
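The floor agreed in the thread (openssl-1.0.1e, the RHEL 6/7 baseline) is usually enforced in C code through `OPENSSL_VERSION_NUMBER`. The following is an added example, not code from OpenVPN or from anyone in this thread: it decodes that pre-3.0 hex encoding (major, minor, fix, patch letter, status nibble) and applies the stated floor, so that 1.0.1d and older are rejected while 1.0.1e and newer pass. It deliberately does not include the OpenSSL headers, so it compiles stand-alone; `MIN_OPENSSL_VERSION`, `ossl_decode`, `ossl_format` and `ossl_supported` are names chosen here, not OpenSSL or OpenVPN API.

```c
/* Added example (not OpenVPN or OpenSSL code): decode the pre-3.0
 * OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS and check it against the
 * thread's floor, openssl-1.0.1e. No OpenSSL headers are needed. */
#include <stdio.h>
#include <string.h>

/* 1.0.1e release: major 1, minor 00, fix 01, patch 05 ('e'), status f. */
#define MIN_OPENSSL_VERSION 0x1000105fL

struct ossl_version { int major, minor, fix, patch, status; };

/* Split the packed number into its fields. */
struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version out;
    out.major  = (int)((v >> 28) & 0xf);
    out.minor  = (int)((v >> 20) & 0xff);
    out.fix    = (int)((v >> 12) & 0xff);
    out.patch  = (int)((v >> 4)  & 0xff);
    out.status = (int)(v & 0xf);       /* 0 = dev, 1..14 = beta, 15 = release */
    return out;
}

/* Render in OpenSSL's own style (1.0.1e, 1.1.0, 1.1.0-dev). Returns buf. */
char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version d = ossl_decode(v);
    char patch[2] = { 0, 0 };
    if (d.patch > 0 && d.patch <= 26)
        patch[0] = (char)('a' + d.patch - 1);
    snprintf(buf, len, "%d.%d.%d%s%s", d.major, d.minor, d.fix, patch,
             d.status == 0 ? "-dev" : (d.status < 0xf ? "-beta" : ""));
    return buf;
}

/* 1 if the library is at or above the supported floor, else 0.
 * In real code the same check is a compile-time guard:
 *   #include <openssl/opensslv.h>
 *   #if OPENSSL_VERSION_NUMBER < 0x1000105fL
 *   #error "OpenSSL 1.0.1e or newer is required"
 *   #endif
 */
int ossl_supported(unsigned long v)
{
    return v >= MIN_OPENSSL_VERSION;
}

int main(void)
{
    /* Constructed sample values matching the versions named in the thread. */
    unsigned long samples[] = { 0x0090805fL, 0x1000104fL, 0x1000105fL,
                                0x1000200fL, 0x1010006fL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", ossl_format(samples[i], buf, sizeof buf),
               ossl_supported(samples[i]) ? "supported" : "too old");
    return 0;
}
```

Because the comparison is done on the packed number, it also orders patch letters correctly (1.0.1d < 1.0.1e) and treats a 1.0.1e-dev build as older than the 1.0.1e release, which is the behaviour you want from a configure-time check.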