tomcat-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Tomcat native 1.1.33 release
Date Mon, 16 Mar 2015 20:17:16 GMT
On 13.03.2015 at 12:17, Mark Thomas wrote:
> On 12/03/2015 19:09, Christopher Schultz wrote:
>> Konstantin,
>>
>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <rainer.jung@kippdata.de>:
>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>
>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>> dependency in the Windows binaries.
>>>>>
>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>> or stick with 1.0.1. Thoughts?
>>>>
>>>>
>>>> A related question: when moving forward it would be easier if we could
>>>> require 0.9.8 as the minimum supported version so we could try to
>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>>> able to build tcnative themselves should be in a position to use a still
>>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>>> version).
>>>>
>>>
>>>
>>> Note that their January security announcement [1] mentions that
>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>
>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>
>>> [quote]
>>> As per our previous announcements and our Release Strategy
>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>>> releases will be provided after that date. Users of these releases are advised
>>> to upgrade.
>>> [/quote]
>>
>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>> both go EOL, we can bump-up the required version in tcnative to 1.0.1
>> (at least).
>>
>>> 1.0.2 would be better if it provides some additional ciphers, for
>>> better security options. I agree that we would better wait a bit for
>>> 1.0.2a, b, or c.
>>
>> We should definitely /support/ 1.0.2 (which I believe we do), but
>> OpenSSL is the kind of library that we probably want to let others beta
>> test first :)
>
> So...
>
> Stick with building with 1.0.1 for now.
> No takers for doing the release - I'll start this today.

Just for information: the OpenSSL project has published an announcement 
this evening:

========================== 8>< ====================

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

========================== 8>< ====================

So that means 1.0.1l will be outdated in 4 days. We don't know yet 
whether the security issues apply to tcnative, so I don't have a strong 
suggestion whether to better proceed and get this tcnative release done 
or wait another 3 days for 1.0.1m. But I wanted to let you know that a 
new OpenSSL release is expected.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

