openssl 1.0.2 and TLS 1.3

openssl 1.0.2 and TLS 1.3

The Doctor
Will that combination occur?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal!  Quebec votez contre le PQ et le QS des 1 October 2018!
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: openssl 1.0.2 and TLS 1.3

Dr. Matthias St. Pierre
> From: openssl-users <[hidden email]> On Behalf Of The Doctor
> Sent: Tuesday, 11 September 2018 08:49
> To: [hidden email]; [hidden email]
> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>
> Will that combination occur?

Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
features.

HTH,
Matthias

See also
https://wiki.openssl.org/index.php/TLS1.3
https://www.openssl.org/policies/releasestrat.html




Re: openssl 1.0.2 and TLS 1.3

Matt Caswell-2


On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:

>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
>> Sent: Tuesday, 11 September 2018 08:49
>> To: [hidden email]; [hidden email]
>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>
>> Will that combination occur?
>
> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
> features.

Strictly speaking 1.0.2 will receive bug fixes and security fixes until
the end of this year. From the end of this year until the end of 2019 it
will receive security fixes only. In any case it will receive no new
features (including TLSv1.3).

From the release of 1.1.1 (today), 1.1.0 will receive security fixes
only for one year.

Matt



Re: openssl 1.0.2 and TLS 1.3

The Doctor
On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:

>
>
> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
> >> From: openssl-users <[hidden email]> On Behalf Of The Doctor
> >> Sent: Tuesday, 11 September 2018 08:49
> >> To: [hidden email]; [hidden email]
> >> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
> >>
> >> Will that combination occur?
> >
> > Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
> > OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
> > features.
>
> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
> the end of this year. From the end of this year until the end of 2019 it
> will receive security fixes only. In any case it will receive no new
> features (including TLSv1.3).
>
> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
> only for one year.
>
> Matt
>
>

Got you.

So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
in order to use TLS 1.3.

>
> >
> > HTH,
> > Matthias
> >
> > See also
> > https://wiki.openssl.org/index.php/TLS1.3
> > https://www.openssl.org/policies/releasestrat.html
> >
> >
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal!  Quebec votez contre le PQ et le QS des 1 October 2018!

Re: openssl 1.0.2 and TLS 1.3

Matt Caswell-2


On 11/09/18 14:58, The Doctor wrote:

> On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
>>
>>
>> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
>>>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
>>>> Sent: Tuesday, 11 September 2018 08:49
>>>> To: [hidden email]; [hidden email]
>>>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>>>
>>>> Will that combination occur?
>>>
>>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
>>> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
>>> features.
>>
>> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
>> the end of this year. From the end of this year until the end of 2019 it
>> will receive security fixes only. In any case it will receive no new
>> features (including TLSv1.3).
>>
>> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
>> only for one year.
>>
>> Matt
>>
>>
>
> Got you.
>
> So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> in order to use TLS 1.3.

Yes. I would encourage *all* applications still on the 1.0.x API to move
to 1.1.1 asap. By the end of next year there will be no supported
OpenSSL version that has the old API.


Matt

>
>>
>>>
>>> HTH,
>>> Matthias
>>>
>>> See also
>>> https://wiki.openssl.org/index.php/TLS1.3
>>> https://www.openssl.org/policies/releasestrat.html
>>>
>>>
>>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

Re: openssl 1.0.2 and TLS 1.3

OpenSSL - User mailing list
In reply to this post by The Doctor
> So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> in order to use TLS 1.3.
 
Yes.


Re: openssl 1.0.2 and TLS 1.3

The Doctor
In reply to this post by Matt Caswell-2
On Tue, Sep 11, 2018 at 03:01:38PM +0100, Matt Caswell wrote:

>
>
> On 11/09/18 14:58, The Doctor wrote:
> > On Tue, Sep 11, 2018 at 09:31:23AM +0100, Matt Caswell wrote:
> >>
> >>
> >> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
> >>>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
> >>>> Sent: Tuesday, 11 September 2018 08:49
> >>>> To: [hidden email]; [hidden email]
> >>>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
> >>>>
> >>>> Will that combination occur?
> >>>
> >>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
> >>> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
> >>> features.
> >>
> >> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
> >> the end of this year. From the end of this year until the end of 2019 it
> >> will receive security fixes only. In any case it will receive no new
> >> features (including TLSv1.3).
> >>
> >> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
> >> only for one year.
> >>
> >> Matt
> >>
> >>
> >
> > Got you.
> >
> > So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> > in order to use TLS 1.3.
>
> Yes. I would encourage *all* applications still on the 1.0.x API to move
> to 1.1.1 asap. By the end of next year there will be no supported
> OpenSSL version that has the old API.
>
>
> Matt
>
>


I will forward this to the many mailing lists I belong to.

>
> >>
> >>>
> >>> HTH,
> >>> Matthias
> >>>
> >>> See also
> >>> https://wiki.openssl.org/index.php/TLS1.3
> >>> https://www.openssl.org/policies/releasestrat.html
> >>>
> >>>
> >>>
> >> --
> >> openssl-users mailing list
> >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
NB 24 Sept vote Liberal!  Quebec votez contre le PQ et le QS des 1 October 2018!

Re: openssl 1.0.2 and TLS 1.3

gperrow
In reply to this post by Matt Caswell-2
AFAIK 1.1.1 does not support the FIPS module, which means that those of us who require FIPS must stay on 1.0.2. Any ETA on when FIPS support might be added?

Graeme

-----Original Message-----
From: openssl-users <[hidden email]> On Behalf Of Matt Caswell
Sent: September 11, 2018 4:31 AM
To: [hidden email]
Subject: Re: [openssl-users] openssl 1.0.2 and TLS 1.3



On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:

>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
>> Sent: Tuesday, 11 September 2018 08:49
>> To: [hidden email]; [hidden email]
>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>
>> Will that combination occur?
>
> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
> features.

Strictly speaking 1.0.2 will receive bug fixes and security fixes until
the end of this year. From the end of this year until the end of 2019 it
will receive security fixes only. In any case it will receive no new
features (including TLSv1.3).

From the release of 1.1.1 (today), 1.1.0 will receive security fixes
only for one year.

Matt



Re: openssl 1.0.2 and TLS 1.3

Matt Caswell-2


On 11/09/18 15:12, Perrow, Graeme wrote:
> AFAIK 1.1.1 does not support the FIPS module, which means that those of us who require FIPS must stay on 1.0.2. Any ETA on when FIPS support might be added?

TBD. Likely to be next year (before the EOL of 1.0.2) IMO. Our
development focus is now shifting from implementing TLSv1.3 to
implementing the new FIPS module.

Matt


>
> Graeme
>
> -----Original Message-----
> From: openssl-users <[hidden email]> On Behalf Of Matt Caswell
> Sent: September 11, 2018 4:31 AM
> To: [hidden email]
> Subject: Re: [openssl-users] openssl 1.0.2 and TLS 1.3
>
>
>
> On 11/09/18 09:05, Dr. Matthias St. Pierre wrote:
>>> From: openssl-users <[hidden email]> On Behalf Of The Doctor
>>> Sent: Tuesday, 11 September 2018 08:49
>>> To: [hidden email]; [hidden email]
>>> Subject: [openssl-users] openssl 1.0.2 and TLS 1.3
>>>
>>> Will that combination occur?
>>
>> Support for TLS 1.3 is a new feature in OpenSSL 1.1.1 which will be released today.
>> OpenSSL 1.0.2 is an LTS release which will only receive security updates and no new
>> features.
>
> Strictly speaking 1.0.2 will receive bug fixes and security fixes until
> the end of this year. From the end of this year until the end of 2019 it
> will receive security fixes only. In any case it will receive no new
> features (including TLSv1.3).
>
> From the release of 1.1.1 (today), 1.1.0 will receive security fixes
> only for one year.
>
> Matt
>
>
>
>>
>> HTH,
>> Matthias
>>
>> See also
>> https://wiki.openssl.org/index.php/TLS1.3
>> https://www.openssl.org/policies/releasestrat.html
>>
>>
>>

Re: openssl 1.0.2 and TLS 1.3

Viktor Dukhovni
In reply to this post by The Doctor


> On Sep 11, 2018, at 9:58 AM, The Doctor <[hidden email]> wrote:
>
> So OpenSSH, NTPd, mod_pagespeed have to adopt the OpenSSL 1.1.x API
> in order to use TLS 1.3.

OpenSSH does not use TLS or libssl, so does not need that OpenSSL
1.1.x feature.  It could still benefit from libcrypto algorithm
improvements that result in more constant behaviour and/or other
improvements.  While OpenBSD may be slow to port to OpenSSL 1.1.x,
porting OpenSSH to 1.1.x is not difficult.  Christos Zoulas has
done that for NetBSD, the latest HPN patches port OpenSSH to
OpenSSL 1.1.0 [ I used the HPN patches for OpenSSH 7.7p1 as a
starting point, and have a clean build of OpenSSH 7.8p1 with
OpenSSL 1.1.x after some minor improvements. ]

--
        Viktor.
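
An added example, not part of any post in this thread: one way to check which side of the 1.0.x / 1.1.1 line a given OpenSSL build falls on, and to refuse anything below TLS 1.3 when the linked library offers it. It uses Python's standard `ssl` module; the function names and the `SAMPLES` values are this example's own (the sample numbers are constructed in the `OPENSSL_VERSION_NUMBER` layout).

```python
import ssl

# Constructed sample values in the OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS for 1.x).
SAMPLES = {"1.0.2": 0x1000200F, "1.1.0": 0x1010000F, "1.1.1": 0x1010100F}


def decode(num):
    """Return (major, minor, third component) from an OPENSSL_VERSION_NUMBER integer."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    # 3.x uses 0xMNN00PP0, so the third component is the patch byte there;
    # 1.x uses 0xMNNFFPPS, where it is the "fix" byte.
    third = (num >> 4) & 0xFF if major >= 3 else (num >> 12) & 0xFF
    return (major, minor, third)


def classify(num):
    """Map a version number to the API generation and TLS 1.3 availability."""
    ver = decode(num)
    return {
        "version": ".".join(str(part) for part in ver),
        # 1.0.x is the old API discussed in the thread; 1.1.0 and later share the new one.
        "api": "1.1.x+" if ver >= (1, 1, 0) else "1.0.x",
        # TLS 1.3 arrived in 1.1.1 and is not backported to 1.0.2 or 1.1.0.
        "tls13_possible": ver >= (1, 1, 1),
    }


def runtime_report():
    """Classify the library this interpreter is linked against."""
    info = classify(ssl.OPENSSL_VERSION_NUMBER)
    info["library"] = ssl.OPENSSL_VERSION
    # A build can still have TLS 1.3 compiled out, so report the real flag too.
    info["tls13_enabled"] = ssl.HAS_TLSv1_3
    return info


def tls13_only_context():
    """Client context that fails closed instead of negotiating TLS 1.2 or lower."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("linked TLS library has no TLS 1.3: " + ssl.OPENSSL_VERSION)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    for name, num in SAMPLES.items():
        print(name, classify(num))
    print(runtime_report())
```

`runtime_report()` is the part to run across a fleet: a host reporting `api: 1.0.x` cannot get TLS 1.3 from a library update within that branch.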
