Date: Wed, 11 Jun 2014 15:29:32 +0200
From: Dan Lukes <dan@obluda.cz>
To: Ben Laurie <ben@links.org>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: OpenSSL end of life
Message-ID: <539859BC.2050303@obluda.cz>
In-Reply-To: <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com>
References: <CAG5KPzyYzcu0qF9m2Fjgh7tTC=RrSMpxzHiDX5zD8_U_aB8k2A@mail.gmail.com> <5398482C.7020406@obluda.cz> <CAG5KPzxQm1ayF=p5pAsttHvxoAOFvNTvxhe6AS-auX27mxdywg@mail.gmail.com>
On 06/11/14 15:00, Ben Laurie:
>> Some of them wish to declare the lifetime of a particular version at the time of
>> release. It will no longer be possible, as embedded OpenSSL may become
>> obsolete at any time.
>
> This is already true, because of bugs. And, in practice, no version of
> OpenSSL (or anything else, pretty much) has a lifetime such that you
> can safely make a non-upgradeable product from it.

Don't mix security patches and upgrades. With a security patch the ABI doesn't change. So I can just replace the compiled library with the newly patched one and restart the daemon (or system).

With a new version, the same approach is not possible. All applications need to be recompiled. And if the API has changed as well, then all applications need to be re-evaluated at the source level, and modified, if necessary, according to the API changes. We can't just blindly compile old sources against a new OpenSSL wishing for security, can we? Even if the source compiles against the new API, it doesn't mean it will work as expected, and that it's still secure.

> Alternatively, can 9.3 not upgrade to a newer OpenSSL?

Upgraded? Yes, but upgraded to another version than 9.3. 9.3 can be patched during its lifetime, but 9.3-pX and 9.3-pY need to be binary compatible. If it is not compatible, then it's not 9.3 anymore.

> One modification I'd be prepared to contemplate is that 1.0.1 (for
> example) is supported for some known period of time, even if it should
> be EOL according to the versioning scheme. The question is: how long?
> Sounds like you'd want 2 years.

Almost acceptable for me. I wish to preserve a 2-year lifetime period for FreeBSD. It takes some time before a release is prepared. The (possible) new version of OpenSSL needs to be imported, all code that uses it needs to be re-evaluated because of possible API changes, and the resulting system needs to be tested. It takes months. Check the release process of any FreeBSD ...

If you declare a 2-year minimal lifetime for OpenSSL, it will be hard to reach even a 1-year lifetime for FreeBSD ... So I'm wishing for something around 3 years from OpenSSL ...

Be sure I understand that any supported version requires resources. I'm not picking numbers randomly just because it's simple to write a number here ...

Dan
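The message above rests on the distinction between a drop-in security patch (same ABI, replace the library and restart the daemon) and a new version (applications must be rebuilt and re-reviewed). The following is an added example, not part of the thread or of OpenSSL or FreeBSD, of the kind of pre-flight check an operator can run before replacing a shared library underneath running daemons: it parses `nm -D --defined-only`-style dynamic symbol listings of the old and the candidate build and reports removed or re-versioned exported symbols. The symbol lines, the `OPENSSL_EXAMPLE_*` version tags and the `SSL_legacy_fn` name are constructed for illustration; the check is a necessary condition only, since struct layout changes are invisible at the symbol level.

```python
"""Compare exported symbol tables of two shared-library builds.

Added example (not from the original thread). Input is text in the
shape of `nm -D --defined-only libssl.so` output:
    <address> <type> <name>[@@<elf-version>]
All sample data below is constructed; it is not real libssl output.
"""
import re

# address, single-letter symbol type, name with optional ELF version suffix
NM_LINE = re.compile(r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<type>[A-Za-z])\s+(?P<name>\S+)$")


def parse_nm(text):
    """Return {symbol_name: elf_version} for global (upper-case type) symbols.

    Lower-case types are local symbols and are not part of the ABI, so they
    are skipped. Lines that do not match (undefined symbols, headers) are ignored.
    """
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = NM_LINE.match(line)
        if not match or match.group("type").islower():
            continue
        name, _, version = match.group("name").partition("@")
        symbols[name] = version.lstrip("@")  # '' when the symbol is unversioned
    return symbols


def abi_report(old_text, new_text):
    """Diff two symbol listings and say whether a drop-in replacement is plausible.

    drop_in_safe is True only when nothing the old build exported has been
    removed or bound to a different ELF version. It is a necessary condition:
    a build can keep every symbol name and still change struct layouts.
    """
    old, new = parse_nm(old_text), parse_nm(new_text)
    common = set(old) & set(new)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    reversioned = sorted(n for n in common if old[n] != new[n])
    return {
        "removed": removed,
        "added": added,
        "reversioned": reversioned,
        "drop_in_safe": not removed and not reversioned,
    }


# Constructed sample listings (the version tags and SSL_legacy_fn are made up).
OLD_BUILD = """\
0000000000045a10 T SSL_CTX_new@@OPENSSL_EXAMPLE_1
0000000000045b20 T SSL_new@@OPENSSL_EXAMPLE_1
0000000000046c30 T SSL_get_error@@OPENSSL_EXAMPLE_1
0000000000046d40 T SSL_legacy_fn@@OPENSSL_EXAMPLE_1
00000000000a0000 t ssl_local_helper
"""

# Security-patch build: same exports, only addresses and local symbols differ.
PATCHED_BUILD = """\
0000000000045a30 T SSL_CTX_new@@OPENSSL_EXAMPLE_1
0000000000045b40 T SSL_new@@OPENSSL_EXAMPLE_1
0000000000046c50 T SSL_get_error@@OPENSSL_EXAMPLE_1
0000000000046d60 T SSL_legacy_fn@@OPENSSL_EXAMPLE_1
00000000000a0100 t ssl_local_helper
00000000000a0200 t ssl_fixed_helper
"""

# New-version build: drops a symbol and re-versions another.
NEW_VERSION_BUILD = """\
0000000000050000 T SSL_CTX_new@@OPENSSL_EXAMPLE_1
0000000000050100 T SSL_new@@OPENSSL_EXAMPLE_2
0000000000050200 T SSL_get_error@@OPENSSL_EXAMPLE_1
0000000000050300 T SSL_new_api_fn@@OPENSSL_EXAMPLE_2
"""

if __name__ == "__main__":
    for label, candidate in (("patch", PATCHED_BUILD), ("new version", NEW_VERSION_BUILD)):
        print(label, abi_report(OLD_BUILD, candidate))
```

On a real system the two inputs would come from `nm -D --defined-only` run against the installed and the candidate library files; the report is a gate before swapping the file and restarting daemons, not a substitute for rebuilding and testing when the version (not just the patch level) changes.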