On 17/02/17 17:35, Emmanuel Deloget wrote:
>
> Now, I have a question which is related to this. The way I'm doing
> things, I will make sure that the new code is compatible with both
> OpenSSL 1.0.x and OpenSSL 1.1. There is a good chance that it will be
> compatible with version 0.9.8 as well, yet I can't stop wondering if
> this is a good thing. OpenSSL 0.9.8 has been EoL'ed 12 months ago and I
> believe it's OK to let it die. OpenVPN cannot rely on a dead SSL
> library -- unless it wants to make sure that future vulnerabilities in
> this old, deprecated version will affect it (and I'm not sure it's a
> good thing). Same goes for OpenSSL 1.0.1 which has been declared out
> of support in January 2017.

TL;DR: You can drop support for OpenSSL v1.0.1d and older, but we must
support v1.0.1e until at least June 30, 2024.

And now to why ....

One thing is what the upstream OpenSSL supports or not. But there are
commercial Linux vendors which maintain versions after upstream drops the
support. The most obvious Linux vendor here is Red Hat.

We have had a policy that the oldest Linux distribution we support is what
Red Hat officially supports [1]. We do not consider the "extended support"
scenarios, as those are services customers need to pay extra for (and are
quite costly, AFAIR).

Currently, RHEL 5 (Red Hat Enterprise Linux 5) is the oldest supported
distribution, so that is what we support. But that support expires
March 31, 2017. So as of April 1st, 2017, RHEL 6 is the oldest distribution
we support.

With that said. Since we released OpenVPN v2.4 fairly recently (late
December), we have not considered or planned for long-term RHEL 5 support
for that distribution, as that is going EOL very soon.

[1] <https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates>

> I understand that I'm the new guy in town, but can you allow me to
> make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> require at least version 1.0.2?

So to the RHEL releases and the OpenSSL versions. RHEL 5 ships with
openssl-0.9.8e. Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.

The way Red Hat releases work is that versions are close to never rebased,
at least not core libraries such as OpenSSL. But Red Hat employs a lot of
users to ensure all packages they distribute are secure and maintained.
That means that security and important bug fixes will be backported from
newer OpenSSL releases to the openssl-1.0.1e baseline. And this happens for
the whole life cycle of each major release. Sometimes even features are
backported as well.

But I have gotten fairly clear signals that TLSv1.3 from openssl-1.1 will
not be backported, as the code has changed too much since the 1.0.1
baseline. But I would be surprised if a future RHEL 8 does not ship with
openssl-1.1.x.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
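An added example (not OpenVPN's or OpenSSL's own code) of how the support floor stated in the TL;DR above, 1.0.1e but not 1.0.1d, can be expressed against the OPENSSL_VERSION_NUMBER encoding that OpenSSL 0.9.8 through 1.1.x use. The constant OSSL_MIN_SUPPORTED, the helper names and the sample version values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 0.9.8 through 1.1.x encode OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a', 5 = 'e'),
 * S = status (0xf = release). OpenSSL 3.0 changed this layout, so the
 * decoder applies only to the versions discussed in the thread. */
struct ossl_version { unsigned major, minor, fix, patch, status; };

static struct ossl_version ossl_decode(unsigned long v) {
    struct ossl_version r = { (v >> 28) & 0xf, (v >> 20) & 0xff,
                              (v >> 12) & 0xff, (v >> 4) & 0xff, v & 0xf };
    return r;
}

/* Render as "1.0.1e"; a version without a patch letter renders as "1.1.0". */
static void ossl_format(unsigned long v, char *buf, size_t len) {
    struct ossl_version r = ossl_decode(v);
    if (r.patch)
        snprintf(buf, len, "%u.%u.%u%c", r.major, r.minor, r.fix,
                 (char)('a' + r.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", r.major, r.minor, r.fix);
}

/* Support floor from the thread: openssl-1.0.1e, the RHEL 6/7 baseline
 * (constant name is an assumption). The encoding is monotonic across
 * 0.9.8 - 1.1.x, so an integer compare suffices. It says nothing about
 * backported fixes: a distro 1.0.1e can be fully patched yet still
 * report this number, so this is a support-policy check only. */
#define OSSL_MIN_SUPPORTED 0x1000105fL

static int ossl_meets_floor(unsigned long v) {
    return v >= OSSL_MIN_SUPPORTED;
}

int main(void) {
    /* Constructed sample values: 0.9.8e, 1.0.1d, 1.0.1e, 1.0.2k, 1.1.0 */
    const unsigned long samples[] = { 0x0090805fL, 0x1000104fL, 0x1000105fL,
                                      0x100020bfL, 0x1010000fL };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], buf, sizeof buf);
        printf("%-7s %s\n", buf, ossl_meets_floor(samples[i]) ? "supported" : "dropped");
    }
    return 0;
}
```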
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel