On Friday, 17 February 2017 18:18:27 CEST David Sommerseth wrote:
> On 17/02/17 17:35, Emmanuel Deloget wrote:
> > I understand that I'm the new guy in town, but can you allow me to
> > make the formal request to ditch OpenSSL 0.9.8, 1.0.0 and 1.0.1 and
> > require at least version 1.0.2?
>
> So to the RHEL releases and the OpenSSL versions. RHEL 5 ships with
> openssl-0.9.8e. Both RHEL 6 and RHEL 7 ship with openssl-1.0.1e.
>
> The way Red Hat releases work is that versions are close to never
> rebased, at least not core libraries such as OpenSSL.

Both core libraries and non-core libraries are rebased in RHEL. Case in point, RHEL 6 originally shipped with openssl-1.0.0[1]. But rebases to releases that are ABI incompatible happen only to packages that are explicitly excluded[2] from the ABI guarantee. OpenSSL is not one of such packages. For obvious reasons, I hope.

> But Red Hat
> employs a lot of users to ensure all packages they distribute are secure
> and maintained. That means that security and important bug fixes will
> be backported from newer OpenSSL releases to the openssl-1.0.1e
> baseline. And this happens for the whole life cycle of each major release.

Correct[3].

> Sometimes even features are backported as well.

Unfortunately, because RHEL-6 is currently in Production Phase 2, soon entering Phase 3, providing a new feature like openssl-1.0.2 would be an exception[4].

> But I have gotten
> fairly clear signals that TLSv1.3 from openssl-1.1 will not be
> backported, as the code has changed too much since the 1.0.1 baseline.
> But I would be surprised if a future RHEL 8 does not ship with openssl-1.1.x

Well, openssl-1.1.0 is already available for Fedora rawhide :)

(Hope I don't sound too much like a marketroid, but I appreciate the support for RHEL you provide so I wanted to let you know exactly where everything is, the least I can do)

1 - http://vault.centos.org/6.0/os/x86_64/Packages/openssl-1.0.0-4.el6.x86_64.rpm
2 - https://access.redhat.com/articles/rhel-abi-compatibility
3 - https://access.redhat.com/security/updates/backporting
4 - https://access.redhat.com/support/policy/updates/errata

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel