Discussion:
OpenSSL Support Notice
Randall
2023-02-19 23:37:57 UTC
Hi Everyone,

I want to remind people that the OpenSSL 1.1.1 version thread goes off support on Sept 11, 2023, which is 204 days from now - just over 6 months, meaning no security fixes will be available after that time. Currently, only security fixes are made available. After that, fixes will only be available via support contract (which I can facilitate, but it is not a trivial cost because of the OpenSSL extended support contract cost). ITUGLIB will stop building 1.1.1 releases when OpenSSL stops delivering fixes on (or around) that date. OpenSSL 1.0.2 is currently in this state.

Migration to OpenSSL 3.x as soon as you can is recommended. There are a few reasons:

1. Functional and security fix support is currently available.
2. Upgrading to 3.x generally only requires recompile for your application.
3. OpenSSL versions 3.x, 1.1.1, and 1.0.2 can generally communicate with each other, as long as common cyphers are available at both ends - which they generally are. You do have to be careful to ensure that your certificates are usable on all versions.
4. The 3.x thread is identical to the standard OpenSSL code base without change for NonStop. You can easily build OpenSSL yourself from git or with the standard OpenSSL tarballs. 1.1.1 requires that someone (usually me) apply patches manually to the ITUGLIB repository.
5. An added bonus for git users on L-series (as well as OpenSSL users), you do not need to run PRNDG, because the NonStop build supports the x86 hardware random number generator.

Regards,
Randall Becker
On Behalf of the ITUGLIB Technical Committee
Randall
2023-02-20 17:30:30 UTC
Edit: Should be PRNGD
Randall
2023-03-23 14:28:47 UTC
OpenSSL 3.1 is in the pipeline now. This release seems to be primarily a result of FIPS-140-3 standards instead of the FIPS-140-2 used in 3.0. A bit of a surprise is that OpenSSL 3.1 planned support (LTS) runs until March 2025 while 3.0 runs until September 2026. ITUGLIB will be building and deploying both. The OpenSSL 3.1 notice should come out in the next day or two.
Randall
2023-03-28 21:04:47 UTC
A good read on the 1.1.1 End of Life is available at https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/