OpenSSL end of life
Charles Swiger
cswiger at mac.com
Wed Jun 11 18:11:10 UTC 2014
Hi, Ben--
Thanks for soliciting feedback.
On Jun 11, 2014, at 2:32 AM, Ben Laurie <ben at links.org> wrote:
> We (the OpenSSL team) are considering a more aggressive EOL strategy.
>
> In particular, we may EOL 0.9.8 right now, and 1.0.0 when 1.0.2 comes
> out (currently in beta).
>
> Going forward we would only maintain two versions, so when 1.0.3 comes
> out, 1.0.1 would be EOL.
>
> What do people think about this?
Most folks use the OpenSSL version provided by their OS vendor.
OS vendors want to provide long-term support for at least some releases,
because many users don't want to chase major version bumps too frequently.
(This has strong implications for ABI stability: even if you EOL 0.9.8
today, vendors will still need to support it for years down the road.)
Some advanced users will be more willing to build, deploy, and validate
"bleeding edge" versions. Other advanced users are using an OpenSSL
version which is baked into the firmware of hardware load-balancers like
F5's BIG-IP, Citrix Netscalers, Brocade's ADX, etc.
The other group that comes to mind is software developers writing against OpenSSL.
I don't want to generalize too far, but even fairly well-known projects like ClamAV,
which actively use SSL and check cert signing for their virus DB updates, are just now
starting to implement OpenSSL-0.9.8 functionality like CRL checks _after_ Heartbleed.
Regards,
--
-Chuck
More information about the freebsd-security mailing list