Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2015/03/12 14:04:59 UTC

Tomcat native 1.1.33 release

Given bug 57653 [1], the next 8.0.x release (which is already overdue
from when I wanted to get it out) is going to need a new Tomcat native
release. This would also be an opportunity to update the OpenSSL
dependency in the Windows binaries.

One question is whether Tomcat native should switch to the 1.0.2 branch
or stick with 1.0.1. Thoughts?

Finally, while I could roll the release, does anyone want to pick this up?

Mark


[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57653

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Tomcat native 1.1.33 release

Posted by Rainer Jung <ra...@kippdata.de>.
On 12.03.2015 at 15:05, Christopher Schultz wrote:
> Mark,
>
> On 3/12/15 9:04 AM, Mark Thomas wrote:
>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>> from when I wanted to get it out) is going to need a new Tomcat native
>> release. This would also be an opportunity to update the OpenSSL
>> dependency in the Windows binaries.
>>
>> One question is whether Tomcat native should switch to the 1.0.2 branch
>> or stick with 1.0.1. Thoughts?
>
> +1 for sticking with 1.0.1.

+1 here also. But we should rethink once 1.0.2a is out.

Rainer



Re: Tomcat native 1.1.33 release

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 3/12/15 9:04 AM, Mark Thomas wrote:
> Given bug 57653 [1], the next 8.0.x release (which is already overdue
> from when I wanted to get it out) is going to need a new Tomcat native
> release. This would also be an opportunity to update the OpenSSL
> dependency in the Windows binaries.
> 
> One question is whether Tomcat native should switch to the 1.0.2 branch
> or stick with 1.0.1. Thoughts?

+1 for sticking with 1.0.1.

> Finally, while I could roll the release, does anyone want to pick this up?
> 
> Mark
> 
> 
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=57653


Re: Tomcat native 1.1.33 release

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Rainer,

On 3/19/15 10:16 AM, Rainer Jung wrote:
> On 16.03.2015 at 21:26, Mark Thomas wrote:
>> On 16/03/2015 20:17, Rainer Jung wrote:
>>> On 13.03.2015 at 12:17, Mark Thomas wrote:
>>>> On 12/03/2015 19:09, Christopher Schultz wrote:
>>>>> Konstantin,
>>>>>
>>>>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>>>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>>>>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>>>>
>>>>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>>>>> dependency in the Windows binaries.
>>>>>>>>
>>>>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>>>>> or stick with 1.0.1. Thoughts?
>>>>>>>
>>>>>>>
>>>>>>> A related question: when moving forward it would be easier if we could
>>>>>>> require 0.9.8 as the minimum supported version so we could try to
>>>>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>>>>>> able to build tcnative themselves should be in a position to use a still
>>>>>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>>>>>> version).
>>>>>>>
>>>>>>
>>>>>>
>>>>>> Note that their January security announcement [1] mentions that
>>>>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>>>>
>>>>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>>>>
>>>>>> [quote]
>>>>>> As per our previous announcements and our Release Strategy
>>>>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>>>>>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>>>>>> releases will be provided after that date. Users of these releases are advised
>>>>>> to upgrade.
>>>>>> [/quote]
>>>>>
>>>>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>>>>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>>>>> both go EOL, we can bump up the required version in tcnative to 1.0.1
>>>>> (at least).
>>>>>
>>>>>> 1.0.2 would be better if it provides some additional ciphers, for
>>>>>> better security options. I agree that we would better wait a bit for
>>>>>> 1.0.2a, b, or c.
>>>>>
>>>>> We should definitely /support/ 1.0.2 (which I believe we do), but
>>>>> OpenSSL is the kind of library that we probably want to let others beta
>>>>> test first :)
>>>>
>>>> So...
>>>>
>>>> Stick with building with 1.0.1 for now.
>>>> No takers for doing the release - I'll start this today.
>>>
>>> Just for information: the OpenSSL project has published an announcement
>>> this evening:
>>>
>>> ========================== 8>< ====================
>>>
>>> Forthcoming OpenSSL releases
>>> ============================
>>>
>>> The OpenSSL project team would like to announce the forthcoming release
>>> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>>>
>>> These releases will be made available on 19th March. They will fix a
>>> number of security defects. The highest severity defect fixed by these
>>> releases is classified as "high" severity.
>>>
>>> ========================== 8>< ====================
>>>
>>> So that means 1.0.1l will be outdated in 4 days. We don't know yet
>>> whether the security issues apply to tcnative, so I don't have a strong
>>> suggestion whether to better proceed and get this tcnative release done
>>> or wait another 3 days for 1.0.1m. But I wanted to let you know that a
>>> new OpenSSL release is expected.
>>
>> I think we have to wait.
>>
>> I'll finish my various local checks but not go as far as uploading the
>> RC for voting.
>>
>> I'll drop the 1.1.33 tag at some point as well.
> 
> The OpenSSL release is public now - though their web server is very busy
> right now.
> 
> Most of the security issues (but not all) are in 1.0.2. So I think it is
> fine we stay on 1.0.1 a little while.

While I agree that most of the 12 issues fixed in this announcement of
the releases for, well, all branches of OpenSSL are not an issue,
assuming a sane server setup, some people prefer not to have sane setups ;)

Nobody should be using EXPORT ciphers, but evidently, *many* people
still are.

Though use of client certificates is relatively limited, /those/ are the
folks who are a) doing security correctly and b) vulnerable to
CVE-2015-0286.

So I stick with my +1 to stay with 1.0.1 for the time being, and I'm +1
to linking to 1.0.1m as I can see Mark is already doing.

-chris


Re: Tomcat native 1.1.33 release

Posted by Rainer Jung <ra...@kippdata.de>.
On 16.03.2015 at 21:26, Mark Thomas wrote:
> On 16/03/2015 20:17, Rainer Jung wrote:
>> On 13.03.2015 at 12:17, Mark Thomas wrote:
>>> On 12/03/2015 19:09, Christopher Schultz wrote:
>>>> Konstantin,
>>>>
>>>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>>>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>>>
>>>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>>>> dependency in the Windows binaries.
>>>>>>>
>>>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>>>> or stick with 1.0.1. Thoughts?
>>>>>>
>>>>>>
>>>>>> A related question: when moving forward it would be easier if we could
>>>>>> require 0.9.8 as the minimum supported version so we could try to
>>>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>>>>> able to build tcnative themselves should be in a position to use a still
>>>>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>>>>> version).
>>>>>>
>>>>>
>>>>>
>>>>> Note that their January security announcement [1] mentions that
>>>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>>>
>>>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>>>
>>>>> [quote]
>>>>> As per our previous announcements and our Release Strategy
>>>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>>>>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>>>>> releases will be provided after that date. Users of these releases are advised
>>>>> to upgrade.
>>>>> [/quote]
>>>>
>>>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>>>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>>>> both go EOL, we can bump up the required version in tcnative to 1.0.1
>>>> (at least).
>>>>
>>>>> 1.0.2 would be better if it provides some additional ciphers, for
>>>>> better security options. I agree that we would better wait a bit for
>>>>> 1.0.2a, b, or c.
>>>>
>>>> We should definitely /support/ 1.0.2 (which I believe we do), but
>>>> OpenSSL is the kind of library that we probably want to let others beta
>>>> test first :)
>>>
>>> So...
>>>
>>> Stick with building with 1.0.1 for now.
>>> No takers for doing the release - I'll start this today.
>>
>> Just for information: the OpenSSL project has published an announcement
>> this evening:
>>
>> ========================== 8>< ====================
>>
>> Forthcoming OpenSSL releases
>> ============================
>>
>> The OpenSSL project team would like to announce the forthcoming release
>> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
>>
>> These releases will be made available on 19th March. They will fix a
>> number of security defects. The highest severity defect fixed by these
>> releases is classified as "high" severity.
>>
>> ========================== 8>< ====================
>>
>> So that means 1.0.1l will be outdated in 4 days. We don't know yet
>> whether the security issues apply to tcnative, so I don't have a strong
>> suggestion whether to better proceed and get this tcnative release done
>> or wait another 3 days for 1.0.1m. But I wanted to let you know that a
>> new OpenSSL release is expected.
>
> I think we have to wait.
>
> I'll finish my various local checks but not go as far as uploading the
> RC for voting.
>
> I'll drop the 1.1.33 tag at some point as well.

The OpenSSL release is public now - though their web server is very busy 
right now.

Most of the security issues (but not all) are in 1.0.2. So I think it is 
fine we stay on 1.0.1 a little while.

Regards,

Rainer



Re: Tomcat native 1.1.33 release

Posted by Mark Thomas <ma...@apache.org>.
On 16/03/2015 20:17, Rainer Jung wrote:
> On 13.03.2015 at 12:17, Mark Thomas wrote:
>> On 12/03/2015 19:09, Christopher Schultz wrote:
>>> Konstantin,
>>>
>>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>>
>>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>>> dependency in the Windows binaries.
>>>>>>
>>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>>> or stick with 1.0.1. Thoughts?
>>>>>
>>>>>
>>>>> A related question: when moving forward it would be easier if we could
>>>>> require 0.9.8 as the minimum supported version so we could try to
>>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>>>> able to build tcnative themselves should be in a position to use a still
>>>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>>>> version).
>>>>>
>>>>
>>>>
>>>> Note that their January security announcement [1] mentions that
>>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>>
>>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>>
>>>> [quote]
>>>> As per our previous announcements and our Release Strategy
>>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>>>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>>>> releases will be provided after that date. Users of these releases are advised
>>>> to upgrade.
>>>> [/quote]
>>>
>>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>>> both go EOL, we can bump up the required version in tcnative to 1.0.1
>>> (at least).
>>>
>>>> 1.0.2 would be better if it provides some additional ciphers, for
>>>> better security options. I agree that we would better wait a bit for
>>>> 1.0.2a, b, or c.
>>>
>>> We should definitely /support/ 1.0.2 (which I believe we do), but
>>> OpenSSL is the kind of library that we probably want to let others beta
>>> test first :)
>>
>> So...
>>
>> Stick with building with 1.0.1 for now.
>> No takers for doing the release - I'll start this today.
> 
> Just for information: the OpenSSL project has published an announcement
> this evening:
> 
> ========================== 8>< ====================
> 
> Forthcoming OpenSSL releases
> ============================
> 
> The OpenSSL project team would like to announce the forthcoming release
> of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
> 
> These releases will be made available on 19th March. They will fix a
> number of security defects. The highest severity defect fixed by these
> releases is classified as "high" severity.
> 
> ========================== 8>< ====================
> 
> So that means 1.0.1l will be outdated in 4 days. We don't know yet
> whether the security issues apply to tcnative, so I don't have a strong
> suggestion whether to better proceed and get this tcnative release done
> or wait another 3 days for 1.0.1m. But I wanted to let you know that a
> new OpenSSL release is expected.

I think we have to wait.

I'll finish my various local checks but not go as far as uploading the
RC for voting.

I'll drop the 1.1.33 tag at some point as well.

Mark




Re: Tomcat native 1.1.33 release

Posted by Rainer Jung <ra...@kippdata.de>.
On 13.03.2015 at 12:17, Mark Thomas wrote:
> On 12/03/2015 19:09, Christopher Schultz wrote:
>> Konstantin,
>>
>> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>>
>>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>>> release. This would also be an opportunity to update the OpenSSL
>>>>> dependency in the Windows binaries.
>>>>>
>>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>>> or stick with 1.0.1. Thoughts?
>>>>
>>>>
>>>> A related question: when moving forward it would be easier if we could
>>>> require 0.9.8 as the minimum supported version so we could try to
>>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>>> able to build tcnative themselves should be in a position to use a still
>>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>>> version).
>>>>
>>>
>>>
>>> Note that their January security announcement [1] mentions that
>>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>>
>>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>>
>>> [quote]
>>> As per our previous announcements and our Release Strategy
>>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>>> releases will be provided after that date. Users of these releases are advised
>>> to upgrade.
>>> [/quote]
>>
>> Perhaps we should add a warning to tcnative if it detects an OpenSSL
>> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
>> both go EOL, we can bump up the required version in tcnative to 1.0.1
>> (at least).
>>
>>> 1.0.2 would be better if it provides some additional ciphers, for
>>> better security options. I agree that we would better wait a bit for
>>> 1.0.2a, b, or c.
>>
>> We should definitely /support/ 1.0.2 (which I believe we do), but
>> OpenSSL is the kind of library that we probably want to let others beta
>> test first :)
>
> So...
>
> Stick with building with 1.0.1 for now.
> No takers for doing the release - I'll start this today.

Just for information: the OpenSSL project has published an announcement 
this evening:

========================== 8>< ====================

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.

These releases will be made available on 19th March. They will fix a
number of security defects. The highest severity defect fixed by these
releases is classified as "high" severity.

========================== 8>< ====================

So that means 1.0.1l will be outdated in 4 days. We don't know yet
whether the security issues apply to tcnative, so I don't have a strong
suggestion whether to better proceed and get this tcnative release done
or wait another 3 days for 1.0.1m. But I wanted to let you know that a
new OpenSSL release is expected.

Regards,

Rainer



Re: Tomcat native 1.1.33 release

Posted by Mark Thomas <ma...@apache.org>.
On 12/03/2015 19:09, Christopher Schultz wrote:
> Konstantin,
> 
> On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
>> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>>
>>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>>> from when I wanted to get it out) is going to need a new Tomcat native
>>>> release. This would also be an opportunity to update the OpenSSL
>>>> dependency in the Windows binaries.
>>>>
>>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>>> or stick with 1.0.1. Thoughts?
>>>
>>>
>>> A related question: when moving forward it would be easier if we could
>>> require 0.9.8 as the minimum supported version so we could try to
>>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>>> able to build tcnative themselves should be in a position to use a still
>>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>>> version).
>>>
>>
>>
>> Note that their January security announcement [1] mentions that
>> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
>>
>> [1] https://www.openssl.org/news/secadv_20150108.txt
>>
>> [quote]
>> As per our previous announcements and our Release Strategy
>> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
>> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
>> releases will be provided after that date. Users of these releases are advised
>> to upgrade.
>> [/quote]
> 
> Perhaps we should add a warning to tcnative if it detects an OpenSSL
> less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
> both go EOL, we can bump up the required version in tcnative to 1.0.1
> (at least).
> 
>> 1.0.2 would be better if it provides some additional ciphers, for
>> better security options. I agree that we would better wait a bit for
>> 1.0.2a, b, or c.
> 
> We should definitely /support/ 1.0.2 (which I believe we do), but
> OpenSSL is the kind of library that we probably want to let others beta
> test first :)

So...

Stick with building with 1.0.1 for now.
No takers for doing the release - I'll start this today.

Mark




Re: Tomcat native 1.1.33 release

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Konstantin,

On 3/12/15 2:22 PM, Konstantin Kolinko wrote:
> 2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>>
>>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>>> from when I wanted to get it out) is going to need a new Tomcat native
>>> release. This would also be an opportunity to update the OpenSSL
>>> dependency in the Windows binaries.
>>>
>>> One question is whether Tomcat native should switch to the 1.0.2 branch
>>> or stick with 1.0.1. Thoughts?
>>
>>
>> A related question: when moving forward it would be easier if we could
>> require 0.9.8 as the minimum supported version so we could try to
>> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
>> able to build tcnative themselves should be in a position to use a still
>> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
>> version).
>>
> 
> 
> Note that their January security announcement [1] mentions that
> OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:
> 
> [1] https://www.openssl.org/news/secadv_20150108.txt
> 
> [quote]
> As per our previous announcements and our Release Strategy
> (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
> 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
> releases will be provided after that date. Users of these releases are advised
> to upgrade.
> [/quote]

Perhaps we should add a warning to tcnative if it detects an OpenSSL
less than 1.0.1. Just a warning, at least for now. When 0.9.8 and 1.0.0
both go EOL, we can bump up the required version in tcnative to 1.0.1
(at least).

> 1.0.2 would be better if it provides some additional ciphers, for
> better security options. I agree that we would better wait a bit for
> 1.0.2a, b, or c.

We should definitely /support/ 1.0.2 (which I believe we do), but
OpenSSL is the kind of library that we probably want to let others beta
test first :)

-chris
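The load-time warning proposed above could be implemented along these lines; this is an added example, not tcnative's own code. It uses OpenSSL's documented OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS: major, minor, fix, patch letter, status) so the comparison matches what a real build would get from OPENSSL_VERSION_NUMBER at compile time and SSLeay() at run time on 1.0.x; the function names are hypothetical and the version strings are the ones named in this thread.

```c
/*
 * Added example, not tcnative code: warn when the linked OpenSSL is older
 * than 1.0.1. Versions are compared in OpenSSL's own OPENSSL_VERSION_NUMBER
 * encoding 0xMNNFFPPS. A real build would take the runtime value from
 * SSLeay() (OpenSSL 1.0.x) and the compile-time value from
 * OPENSSL_VERSION_NUMBER; here the value is parsed from a version string so
 * the example runs without OpenSSL headers. Function names are hypothetical.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1.0.1, release status nibble 0xf, no patch letter. */
#define TCN_MIN_OPENSSL_VERSION 0x1000100fUL

/* Convert a version string such as "1.0.1m" or "0.9.8zf" to the
 * OPENSSL_VERSION_NUMBER encoding. Returns 0 on malformed input. */
unsigned long openssl_version_number(const char *s)
{
    unsigned major, minor, fix;
    unsigned long patch = 0;
    int consumed = 0;

    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3)
        return 0;
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    s += consumed;
    if (*s != '\0') {
        /* Patch letters: a..y encode as 1..25, za..zz as 26..51. */
        if (s[0] == 'z' && islower((unsigned char)s[1])) {
            patch = 26UL + (unsigned long)(s[1] - 'a');
            s += 2;
        } else if (islower((unsigned char)s[0])) {
            patch = (unsigned long)(s[0] - 'a') + 1UL;
            s += 1;
        }
        if (*s != '\0')
            return 0;           /* trailing characters: reject */
    }
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
         | ((unsigned long)fix << 12) | (patch << 4) | 0xfUL;
}

/* Fill buf with a warning and return 1 if version is below 1.0.1;
 * otherwise leave buf empty and return 0. An unparseable version (0)
 * also triggers the warning, since an unknown library cannot be vouched for. */
int openssl_version_warning(unsigned long version, char *buf, size_t buflen)
{
    buf[0] = '\0';
    if (version >= TCN_MIN_OPENSSL_VERSION)
        return 0;
    snprintf(buf, buflen,
             "WARNING: OpenSSL 0x%08lx is older than 1.0.1; OpenSSL 0.9.8 and "
             "1.0.0 receive no security updates after 31 December 2015",
             version);
    return 1;
}

int main(void)
{
    /* Constructed sample input: the versions named in this thread. */
    const char *samples[] = { "0.9.8zf", "1.0.0r", "1.0.1l", "1.0.1m", "1.0.2a" };
    char buf[160];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = openssl_version_number(samples[i]);
        if (openssl_version_warning(v, buf, sizeof buf))
            printf("%-8s -> %s\n", samples[i], buf);
        else
            printf("%-8s -> 0x%08lx ok\n", samples[i], v);
    }
    return 0;
}
```

Run stand-alone, 0.9.8zf and 1.0.0r produce the warning while 1.0.1l, 1.0.1m and 1.0.2a pass.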


Re: Tomcat native 1.1.33 release

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-03-12 18:59 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
> On 12.03.2015 at 14:04, Mark Thomas wrote:
>>
>> Given bug 57653 [1], the next 8.0.x release (which is already overdue
>> from when I wanted to get it out) is going to need a new Tomcat native
>> release. This would also be an opportunity to update the OpenSSL
>> dependency in the Windows binaries.
>>
>> One question is whether Tomcat native should switch to the 1.0.2 branch
>> or stick with 1.0.1. Thoughts?
>
>
> A related question: when moving forward it would be easier if we could
> require 0.9.8 as the minimum supported version so we could try to
> (partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, people
> able to build tcnative themselves should be in a position to use a still
> maintained version of OpenSSL and not rely on 0.9.7 (our current minimum
> version).
>


Note that their January security announcement [1] mentions that
OpenSSL 0.9.8 and 1.0.0 are both approaching an EOL:

[1] https://www.openssl.org/news/secadv_20150108.txt

[quote]
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
[/quote]

1.0.2 would be better if it provides some additional ciphers, for
better security options. I agree that we would better wait a bit for
1.0.2a, b, or c.

Best regards,
Konstantin Kolinko



Re: Tomcat native 1.1.33 release

Posted by Rainer Jung <ra...@kippdata.de>.
On 12.03.2015 at 14:04, Mark Thomas wrote:
> Given bug 57653 [1], the next 8.0.x release (which is already overdue
> from when I wanted to get it out) is going to need a new Tomcat native
> release. This would also be an opportunity to update the OpenSSL
> dependency in the Windows binaries.
>
> One question is whether Tomcat native should switch to the 1.0.2 branch
> or stick with 1.0.1. Thoughts?

A related question: when moving forward it would be easier if we could 
require 0.9.8 as the minimum supported version so we could try to 
(partially) stay in sync with mod_ssl. I'd say 0.9.8 (min) is fine, 
people able to build tcnative themselves should be in a position to use 
a still maintained version of OpenSSL and not rely on 0.9.7 (our current 
minimum version).

Regards,

Rainer

