Date: Wed, 11 Jun 2014 11:11:09 -0700
From: Charles Swiger <cswiger@mac.com>
To: Ben Laurie <ben@links.org>
Cc: "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>
Subject: Re: OpenSSL end of life
Message-ID: <9EE1267B-E571-4B5A-B59B-F87062DCB53E@mac.com>
In-Reply-To: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>
References: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com>
Hi, Ben--

Thanks for soliciting feedback.

On Jun 11, 2014, at 2:32 AM, Ben Laurie <ben@links.org> wrote:
> We (the OpenSSL team) are considering a more aggressive EOL strategy.
>
> In particular, we may EOL 0.9.8 right now, and 1.0.0 when 1.0.2 comes
> out (currently in beta).
>
> Going forward we would only maintain two versions, so when 1.0.3 comes
> out, 1.0.1 would be EOL.
>
> What do people think about this?

Most folks use the OpenSSL version provided by their OS vendor. OS vendors want to provide long-term support for at least some releases, because many users don't want to chase major version bumps too frequently. (This has strong implications towards ABI stability: even if you EOL 0.9.8 today, vendors will still need to support that for years down the road.)

Some advanced users will be more willing to build, deploy, and validate "bleeding edge" versions. Other advanced users are using an OpenSSL version which is baked into the firmware of hardware load-balancers like F5's BIG-IP, Citrix Netscalers, Brocade's ADX, etc.

The other group that comes to mind is software developers writing against OpenSSL. I don't want to generalize too far, but even fairly well-known projects like ClamAV, who actively use SSL and check cert signing for their virus DB updates, are just now starting to implement OpenSSL-0.9.8 functionality like CRL checks _after_ Heartbleed.

Regards,
--
-Chuck