From Fedora Project Wiki
 
(11 intermediate revisions by 6 users not shown)
Line 7: Line 7:
* Name: [[User:tmraz| Tomáš Mráz]]
* Name: [[User:tmraz| Tomáš Mráz]]
* Email: tmraz@redhat.com
* Email: tmraz@redhat.com
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> -->
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> [mailto:sclark@fedoraproject.org Simon Clark] ([[User:sclark|sclark]])
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 27: Line 27:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1381131 #1381131]


== Detailed Description ==
== Detailed Description ==
Line 41: Line 41:
    
    
== Scope ==
== Scope ==
* Proposal owners: Prepare and test rebased openssl package. Prepare and test compat openssl102 package. Help with patching and rebuilding dependent packages.
* Proposal owners: Prepare and test rebased openssl package. Prepare and test compat-openssl10 package. Help with patching and rebuilding dependent packages.


* Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help).
* Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help).
Line 51: Line 51:
* Policies and guidelines: N/A
* Policies and guidelines: N/A


* Trademark approval: N/A  
* Trademark approval: N/A


== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
Line 60: Line 60:


If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.
If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.
Fedora [[Packaging:SSLCertificateHandling|packaging guidelines]] state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.


== User Experience ==
== User Experience ==
Line 67: Line 69:
== Dependencies ==
== Dependencies ==


There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase.
There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase. However preliminary testing showed that thanks to the symbol versioning applications work even if both openssl-1.1.0 and openssl-1.0.2 is pulled into the same process. So it is not critically needed to rebuild everything at once if compat library compat-openssl10 package is provided.


== Contingency Plan ==
== Contingency Plan ==
Line 81: Line 83:
== Documentation ==
== Documentation ==


[https://www.openssl.org/news/cl110.txt|OpenSSL 1.1.0 branch ChangeLog]
[https://www.openssl.org/news/cl110.txt OpenSSL 1.1.0 branch ChangeLog]


[https://wiki.openssl.org/index.php/1.1_API_Changes|1.1 API changes documentation]
[https://wiki.openssl.org/index.php/1.1_API_Changes 1.1 API changes documentation]


== Release Notes ==
== Release Notes ==
Line 92: Line 94:
-->
-->


[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF26]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 06:53, 8 August 2017

OpenSSL 1.1.0

Summary

Rebase of OpenSSL package to 1.1.0 version

Owner

Current status

Detailed Description

Update the OpenSSL library to the 1.1.0 branch in Fedora to bring multiple big improvements, new cryptographic algorithms, and new API that allows for keeping ABI stability in future upgrades. We will also add compat openssl102 package so the applications and other dependencies which are not ported yet to the new API continue to work.

Benefit to Fedora

The main benefit is to be able to keep with any improvements the upstream development of OpenSSL brings. The old 1.0.2 branch will get only bug fixes and security fixes. To get any new features we need to rebase to the 1.1.0 branch which brings long awaited API/ABI cleanup.

Scope

  • Proposal owners: Prepare and test rebased openssl package. Prepare and test compat-openssl10 package. Help with patching and rebuilding dependent packages.
  • Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help).
  • Release engineering: N/A unless we decide that separate branch is needed. Mass rebuild will not help as the packages have to be patched for the API changes.
  • Policies and guidelines: N/A
  • Trademark approval: N/A

Upgrade/compatibility impact

There should be no impact except for continued removal/deprecation of old insecure algorithms and protocols which we performed already for multiple OpenSSL updates.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.

Fedora packaging guidelines state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.

User Experience

N/A

Dependencies

There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase. However preliminary testing showed that thanks to the symbol versioning applications work even if both openssl-1.1.0 and openssl-1.0.2 is pulled into the same process. So it is not critically needed to rebuild everything at once if compat library compat-openssl10 package is provided.

Contingency Plan

  • Contingency mechanism: Revert OpenSSL back to 1.0.2 branch, rebuild the packages that were previously rebuilt with 1.1.0 package.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

OpenSSL 1.1.0 branch ChangeLog

1.1 API changes documentation

Release Notes