TLS 1.3 and the release

OpenSSL - User mailing list

You probably know by now that TLS 1.3 was just released as RFC 8446; https://www.rfc-editor.org/info/rfc8446 This note is just trying to forestall a number of question threads.

Our release plan called for one final beta (there were various draft-interop things to take out and some other little nits) and then the official release. We have had no discussion of changing that plan.

Matt has already prepared a PR (the number escapes me), and there are a couple of open issues we still have to resolve. If all goes well, however, the final beta should begin very soon.

Thanks to everyone in the OpenSSL community for your help and support!

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-project] TLS 1.3 and the release

Richard Levitte - VMS Whacker-2
In message <[hidden email]> on Sat, 11 Aug 2018 13:37:07 +0000, "Salz, Rich" <[hidden email]> said:

rsalz> Matt has already prepared a PR (the number escapes me)

https://github.com/openssl/openssl/pull/6741

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: TLS 1.3 and the release

Michael Richardson
In reply to this post by OpenSSL - User mailing list

Salz, Rich via openssl-users <[hidden email]> wrote:
    > You probably know by now that TLS 1.3 was just released as RFC 8446;
    > https://www.rfc-editor.org/info/rfc8446 This note is just trying to
    > forestall a number of question threads.

    > Our release plan called for one final beta (there were various
    > draft-interop things to take out and some other little nits) and then
    > the official release. We have had no discussion of changing that plan.

SUPER DUPER !!!!

There are a bunch of non-openssl-project issues that are gonna need some
coordination if we are gonna get TLS 1.3 out there better.

I'm just dealing with trying to get openssl 1.1.0 to get installed on Ubuntu
bionic.  Yes, there is a package, but all the other packages depend upon
1.0.x.... and many things are linking against 1.0.x rather than 1.1, when
both are installed...  I don't know why they build stuff against 1.0.x
rather than 1.1.0: I think it's a packaging oops.

The story is worse for Xenial, on which many containers are presently based.
Debian jessie/stretch and Devuan jessie/ascii might be in better situation,
or maybe my observations of them are tainted by having installed from source.

I realize that this is "not your problem", but I want to suggest that we open
an Issue now in order to attract google hits so that it can be coordinated.
In particular there are dozens of ubuntu PPAs that have rebuilds of openssl +
XYZ, but 3/4 of them are stale... it would be nice to nominate a non-lame "winner".
I can open such an Issue if you like.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [



Re: TLS 1.3 and the release

PGNet Dev-6
> I'm just dealing with trying to get openssl 1.1.0 to get installed on Ubuntu
> bionic.  Yes, there is a package, but all the other packages depend upon
> 1.0.x.... and many things are linking against 1.0.x rather than 1.1, when
> both are installed...  I don't know why they build stuff against 1.0.x
> rather than 1.1.0: I think it's a packaging oops.

In the "I'm guessing this is NOT news to anyone HERE" category ....

Even the packages that DO 'build against' 1.1.0 frequently do so by
banking on deprecated symbols made possible by lazy (imo) api-compat usage.

Packagers are frequently NOT cleaning up their openssl version-check
logic, and cleaning out old-/deprecated- symbols.  In my experience,
most seem not to be interested, either; instead, the response mantra to
entreaties about clean/modern "--api=1.1.0" compatibility is "that's not
what the distros provide; just use that".


Re: TLS 1.3 and the release

Michael Richardson

PGNet Dev <[hidden email]> wrote:
    >> I'm just dealing with trying to get openssl 1.1.0 to get installed on Ubuntu
    >> bionic.  Yes, there is a package, but all the other packages depend upon
    >> 1.0.x.... and many things are linking against 1.0.x rather than 1.1, when
    >> both are installed...  I don't know why they build stuff against 1.0.x
    >> rather than 1.1.0: I think it's a packaging oops.

    > In the "I'm guessing this is NOT news to anyone HERE" category ....

No kidding.
If we want to push making TLS 1.3 available, then we need to do some remedial
work where.

    > Even the packages that DO 'build against' 1.1.0 frequently do so by banking
    > on deprecated symbols made possible by lazy (imo) api-compat usage.

I found that libssl-dev was not upgraded from 1.0.0 version to 1.1.0 version
when I did the dist-upgrade.  Once I flushed that, I could then rebuild
things like ruby (and its openssl module) against 1.1.0 correctly, and
*THEN* re-install libssl1.0 to make openssh happy.

    > Packagers are frequently NOT cleaning up their openssl version-check logic,
    > and cleaning out old-/deprecated- symbols.  In my experience, most seem not
    > to be interested, either; instead, the response mantra to entreaties about
    > clean/modern "--api=1.1.0" compatibility is "that's not what the distros
    > provide; just use that".

+1.
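
Added example, not part of any message in this thread: one way to audit the linkage problem discussed above is to classify the libssl/libcrypto sonames that appear in `ldd` output. The function names and the sample `ldd` lines are constructed for illustration, and the script assumes the usual sonames `libssl.so.1.0.0` for the 1.0.x branch and `libssl.so.1.1` for the 1.1 branch.

```shell
#!/bin/sh
# Added example (not from the thread). Both functions read `ldd <binary>`
# output on stdin, so they can be tested offline on captured text.

# Print the distinct OpenSSL branches a binary resolves to, one per line.
openssl_branches() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if ($1 ~ /\.so\.1\.0\./)     b = "1.0.x"      # e.g. libssl.so.1.0.0
            else if ($1 ~ /\.so\.1\.1$/) b = "1.1.x"      # e.g. libssl.so.1.1
            else                         b = "other:" $1  # soname not assumed here
            seen[b] = 1
        }
        END { for (b in seen) print b }
    ' | sort
}

# Reduce the branch list to one verdict:
#   none    no OpenSSL linkage at all
#   ok      only the 1.1 soname is referenced
#   legacy  only 1.0.x is referenced; the package needs a rebuild
#   mixed   both branches end up in the same process image
#   unknown a soname this script does not classify
linkage_verdict() {
    branches=$(openssl_branches | tr '\n' ' ')
    case "$branches" in
        "")            echo none ;;
        "1.1.x ")      echo ok ;;
        *1.0.x*1.1.x*) echo mixed ;;
        *1.0.x*)       echo legacy ;;
        *)             echo unknown ;;
    esac
}

# Constructed sample: a binary built against 1.1 whose dependency still
# pulls in the 1.0.x libcrypto. Paths and addresses are made up.
sample_mixed() {
    printf '\tlinux-vdso.so.1 (0x00007ffc00000000)\n'
    printf '\tlibssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f0000200000)\n'
    printf '\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f0000400000)\n'
    printf '\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000800000)\n'
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000c00000)\n'
}

sample_mixed | linkage_verdict
```

On a live system the input is `ldd /path/to/binary | linkage_verdict`; a `legacy` or `mixed` result marks a binary that has to be rebuilt against the 1.1 headers before it can pick up a TLS 1.3 capable library.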

