Shall I expect SHA3 support in OpenSSL-1.0.2 series?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Shall I expect SHA3 support in OpenSSL-1.0.2 series?

sathish reddy s
Hi All,
I saw Sha3 support in OpenSSL-1.1.1 branch. Shall I expect sha3 support in OpenSSL-1.0.2 branch?

Regards,
Sathish.
Reply | Threaded
Open this post in threaded view
|

Re: Shall I expect SHA3 support in OpenSSL-1.0.2 series?

Matt Caswell-2


On 24/04/2019 12:48, sathish reddy s wrote:
> /Hi All,/
>
> /I saw Sha3 support in OpenSSL-1.1.1 branch. Shall I expect sha3 support in
> OpenSSL-1.0.2 branch?/

No. As a rule we don't add new features to stable branches.

Matt

Reply | Threaded
Open this post in threaded view
|

Re: Shall I expect SHA3 support in OpenSSL-1.0.2 series?

sathish reddy s
Hi,

I found the following line at https://www.openssl.org/source/
"Our previous LTS version (1.0.2 series) will continue to be supported until 31st December 2019 (security fixes only during the last year of support)".

Is there any chance to add SHA3 support in the upcoming releases?



On Wed, Apr 24, 2019 at 5:29 PM Matt Caswell <[hidden email]> wrote:


On 24/04/2019 12:48, sathish reddy s wrote:
> /Hi All,/
>
> /I saw Sha3 support in OpenSSL-1.1.1 branch. Shall I expect sha3 support in
> OpenSSL-1.0.2 branch?/

No. As a rule we don't add new features to stable branches.

Matt

Reply | Threaded
Open this post in threaded view
|

Re: Shall I expect SHA3 support in OpenSSL-1.0.2 series?

Matt Caswell-2


On 24/04/2019 13:08, sathish reddy s wrote:
> Hi,
>
> I found the following line at https://www.openssl.org/source/
> "Our previous LTS version (1.0.2 series) will continue to be supported until
> 31st December 2019 (security fixes only during the last year of support)".
>
> Is there any chance to add SHA3 support in the upcoming releases?

No. 1.0.2 is a stable branch. Any releases of stable branches are for bug and
security fixes. In the case of 1.0.2 it is in the last year of support so its
only getting security fixes. SHA3 is a feature and does not qualify.

Matt

>
>
>
> On Wed, Apr 24, 2019 at 5:29 PM Matt Caswell <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>
>
>     On 24/04/2019 12:48, sathish reddy s wrote:
>     > /Hi All,/
>     >
>     > /I saw Sha3 support in OpenSSL-1.1.1 branch. Shall I expect sha3 support in
>     > OpenSSL-1.0.2 branch?/
>
>     No. As a rule we don't add new features to stable branches.
>
>     Matt
>
Reply | Threaded
Open this post in threaded view
|

RE: Shall I expect SHA3 support in OpenSSL-1.0.2 series?

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of
> Matt Caswell
> Sent: Wednesday, April 24, 2019 08:33
>
>
> On 24/04/2019 13:08, sathish reddy s wrote:
> >
> > I found the following line at https://www.openssl.org/source/
> > "Our previous LTS version (1.0.2 series) will continue to be supported until
> > 31st December 2019 (security fixes only during the last year of support)".
> >
> > Is there any chance to add SHA3 support in the upcoming releases?
>
> No. 1.0.2 is a stable branch. Any releases of stable branches are for bug and
> security fixes. In the case of 1.0.2 it is in the last year of support so its
> only getting security fixes. SHA3 is a feature and does not qualify.

Note that, as Matt wrote, OpenSSL 1.0.2 is in its final year of support. Security issues will be fixed for the next eight months. That's it.

Everyone should be moving to 1.1 now, unless they need FIPS 140-2 validation. Frankly, even if you need FIPS, you should be working on a 1.1-based branch, in anticipation of moving to FIPS-validated OpenSSL 3 (or 4, if that numbering change is accepted) when it's available. The alternative is to support 1.0.2 yourself, and I'd estimate that 99% of OpenSSL users aren't qualified to do that.

--
Michael Wojcik
Distinguished Engineer, Micro Focus