[matt@openssl.org: Re: [openssl-users] openssl 1.0.2 and TLS 1.3]

[matt@openssl.org: Re: [openssl-users] openssl 1.0.2 and TLS 1.3]

The Doctor
----- Forwarded message from Matt Caswell <[hidden email]> -----

Date: Tue, 11 Sep 2018 15:01:38 +0100
From: Matt Caswell <[hidden email]>
To: [hidden email]
Subject: Re: [openssl-users] openssl 1.0.2 and TLS 1.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
        Thunderbird/52.9.1



On 11/09/18 14:58, The Doctor wrote:

> On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
>>
>>
>> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
>>>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
>>>> Sent: Tuesday, 11 September 2018 08:49
>>>> To: [hidden email]; [hidden email]
>>>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>>>
>>>> Will that combination occur?
>>>
>>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
>>> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
>>> features.
>>
>> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
>> the end of this year. From the end of this year until the end of 2019 it
>> will receive security fixes only. In any case it will receive no new
>> features (including TLSv1.3).
>>
>> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
>> only for one year.
>>
>> Matt
>>
>>
>
> Got you.
>
> So OpenSSH, NTPd, mod_pagespeed have to adopt OpenSSL 1.1X API
> in order to use TLS 1.3.

Yes. I would encourage *all* applications still on the 1.0.x API to move
to 1.1.1 asap. By the end of next year there will be no supported
OpenSSL version that has the old API.


Matt

>
>>
>>>
>>> HTH,
>>> Matthias
>>>
>>> See also
>>> https://wiki.openssl.org/index.php/TLS1.3
>>> https://www.openssl.org/policies/releasestrat.html
>>>
>>>
>>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

----- End forwarded message -----

Heads up!!

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal!  Quebec votez contre le PQ et le QS des 1 October 2018!

Re: [matt@openssl.org: Re: [openssl-users] openssl 1.0.2 and TLS 1.3]

Viktor Dukhovni


> On Sep 11, 2018, at 10:17 AM, The Doctor <[hidden email]> wrote:
>
> Yes. I would encourage *all* applications still on the 1.0.x API to move
> to 1.1.1 asap. By the end of next year there will be no supported
> OpenSSL version that has the old API.

All supported Postfix releases (3.0, 3.1, 3.2, 3.3 and the 3.4 snapshots)
work with OpenSSL 1.1.x at their most recent patch levels.  This was done
some time back.

Some new features in OpenSSL 1.1.1 could use new controls on the
Postfix side (though this is not essential), I'll try to get those
added this year.

--
        Viktor.


Re: [matt@openssl.org: Re: [openssl-users] openssl 1.0.2 and TLS 1.3]

Viktor Dukhovni


> On Sep 11, 2018, at 11:20 AM, Viktor Dukhovni <[hidden email]> wrote:
>
> All supported Postfix releases (3.0, 3.1, 3.2, 3.3 and the 3.4 snapshots)
> work with OpenSSL 1.1.x at their most recent patch levels.  This was done
> some time back.

Small correction, not all the "bitrot" patches for 3.0 got merged, so
Postfix support for OpenSSL >= 1.1.x starts with Postfix 3.1.

--
        Viktor.