2017-02-17 23:17 GMT+05:00 Илья Шипицин <chipits...@gmail.com>:
>
> Fri, 17 Feb 2017 at 22:21, David Sommerseth <openvpn@sf.lists.topphemmelig.net>:
>
>> On 17/02/17 17:35, Emmanuel Deloget wrote:
>> >
>> > Now, I have a question which is related to this. The way I'm doing
>> > things, I will make sure that the new code is compatible with both
>> > OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
>> > compatible with version 0.9.8 as well, yet I can't stop wondering if
>> > this is a good thing. OpenSSL 0.9.8 was EoL'ed 12 months ago and I
>> > believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
>> > library -- unless it wants to make sure that future vulnerabilities in
>> > this old, deprecated version will affect it (and I'm not sure it's a
>> > good thing). Same goes for OpenSSL 1.0.1 which has been declared out
>> > of support in January 2017.
>>
>> TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
>> support v1.0.1e until at least June 30, 2024.
>
> I added openssl-1.0.1e to the test matrix (do not pay attention to the commit
> title, it happened accidentally from an iPad), so ...
>
> https://travis-ci.org/OpenVPN/openvpn/jobs/202709493
>
t_cltsrv.sh + openssl-1.0.1f = OK
t_cltsrv.sh + openssl-1.0.1e = FAIL
>
>>
>> And now to why ....
>>
>> One thing is what the upstream OpenSSL supports or not. But there are
>> commercial Linux vendors which maintain versions after upstream drops
>> the support. The most obvious Linux vendor here is Red Hat.
>>
>> We have had a policy that the oldest Linux distribution we support is
>> what Red Hat officially supports [1]. We do not consider the "extended
>> support" scenarios, as those are services customers need to pay extra for
>> (and is quite costly, AFAIR). Currently, RHEL 5 (Red Hat Enterprise
>> Linux 5) is the oldest supported distribution, so that is what we
>> support. But that support expires March 31, 2017. So as of April 1st,
>> 2017 RHEL 6 is the oldest distribution we support.
>>
>> With that said, since we released OpenVPN v2.4 fairly recently (late
>> December), we have not considered or planned for a long-term RHEL 5
>> support for that distribution, as that is going EOL very soon.
>>
>> [1] <https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates>
>>
>>
>> > I understand that I'm the new guy in town, but can you allow me to
>> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
>> > require at least version 1.0.2?
>>
>> So to the RHEL releases and the OpenSSL versions. RHEL 5 ships with
>> openssl-0.9.8e. Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
>>
>> The way Red Hat releases work is that versions are close to never
>> rebased, at least not core libraries such as OpenSSL. But Red Hat
>> employs a lot of users to ensure all packages they distribute are secure
>> and maintained. That means that security and important bug fixes will
>> be backported from newer OpenSSL releases to the openssl-1.0.1e
>> baseline. And this happens for the whole life cycle of each major
>> release.
>>
>> Sometimes even features are backported as well. But I have gotten
>> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
>> backported, as the code has changed too much since the 1.0.1 baseline.
>> But I would be surprised if a future RHEL 8 does not ship with
>> openssl-1.1.x
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>> OpenVPN Technologies, Inc
>>
>>
>
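The version floor discussed in the thread (1.0.1e and newer kept, 1.0.1d and older dropped), as an added example that is not code from this thread or from OpenVPN: a C helper that decodes OpenSSL's OPENSSL_VERSION_NUMBER encoding, orders releases with a plain integer comparison, parses a "1.0.1e"-style string back into that form, and shows the preprocessor guard a build could use to refuse older libraries. The macro OSSL_MIN_SUPPORTED, the struct and the ossl_* functions are this example's own names; the field layout is the one OpenSSL 1.x uses (3.x lays the fields out differently).

```c
/* Added example (not OpenVPN code): decoding and comparing OpenSSL 1.x
 * OPENSSL_VERSION_NUMBER values, and enforcing a minimum supported version. */
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.x encodes its version as 0xMNNFFPPS:
 *   M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'),
 *   S = status (0 = dev, 1..e = beta, f = release).
 * 1.0.1e is therefore 0x1000105fL.  The floor below is the RHEL 6/7 baseline
 * named in the thread; the macro name is this example's own. */
#define OSSL_MIN_SUPPORTED 0x1000105fUL

/* The build-time form of the same policy: with <openssl/opensslv.h> included
 * this refuses to compile against anything older than the floor.  No OpenSSL
 * header is included here, so the guard is inert in this file. */
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < OSSL_MIN_SUPPORTED
#error "OpenSSL 1.0.1e or newer is required"
#endif

struct ossl_ver { unsigned major, minor, fix, patch, status; };

/* Split the packed number into its fields. */
struct ossl_ver ossl_decode(unsigned long v) {
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Render as "1.0.1e"; a patch field of 0 means no letter.  Returns buf. */
char *ossl_format(unsigned long v, char *buf, size_t len) {
    struct ossl_ver r = ossl_decode(v);
    if (r.patch)
        snprintf(buf, len, "%u.%u.%u%c", r.major, r.minor, r.fix,
                 (int)('a' + r.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
    return buf;
}

/* The encoding is monotonic, so one integer comparison orders releases.
 * Note that this says nothing about backported fixes: a vendor-patched
 * 1.0.1e still reports 0x1000105f. */
int ossl_supported(unsigned long v) {
    return v >= OSSL_MIN_SUPPORTED;
}

/* Parse "1.0.1e", "1.0.2" or "1.0.1e-fips" into the packed form, assuming
 * release status.  Only a single patch letter is handled.  Returns 0 on
 * malformed input. */
unsigned long ossl_parse(const char *s) {
    unsigned major, minor, fix;
    char letter = 0;
    if (sscanf(s, "%u.%u.%u%c", &major, &minor, &fix, &letter) < 3)
        return 0;
    unsigned patch = (letter >= 'a' && letter <= 'z')
                     ? (unsigned)(letter - 'a' + 1) : 0;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | ((unsigned long)patch << 4) | 0xf;
}

int main(void) {
    /* Constructed probes: RHEL 5's 0.9.8e, 1.0.1d, 1.0.1e, 1.1.0f. */
    unsigned long probes[] = { 0x0090805fUL, 0x1000104fUL, 0x1000105fUL, 0x1010006fUL };
    char buf[16];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-8s %s\n", ossl_format(probes[i], buf, sizeof buf),
               ossl_supported(probes[i]) ? "supported" : "dropped");
    return 0;
}
```

The integer comparison is exactly what a `#if OPENSSL_VERSION_NUMBER < ...` guard does at compile time, which is why it is the usual way to select between the 1.0.x and 1.1 APIs in one source tree. The caveat matches David's point about Red Hat: the number identifies the API baseline the distribution froze on, not which security fixes have been backported into it, so it cannot be used to judge whether a given RHEL build is patched.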
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel