Randall
2021-05-06 20:46:53 UTC
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with few or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on the build. So what we're looking at is:
For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are currently available - FLOSS only comes in 32-bit.
Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that we do not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.
Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by the NonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee