From Fedora Project Wiki

< Changes

Revision as of 06:53, 8 August 2017 by Tmraz (talk | contribs) (Dependencies)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

OpenSSL 1.1.0

Summary

Rebase of OpenSSL package to 1.1.0 version

Owner

Current status

Detailed Description

Update the OpenSSL library to the 1.1.0 branch in Fedora to bring multiple big improvements, new cryptographic algorithms, and new API that allows for keeping ABI stability in future upgrades. We will also add compat openssl102 package so the applications and other dependencies which are not ported yet to the new API continue to work.

Benefit to Fedora

The main benefit is to be able to keep with any improvements the upstream development of OpenSSL brings. The old 1.0.2 branch will get only bug fixes and security fixes. To get any new features we need to rebase to the 1.1.0 branch which brings long awaited API/ABI cleanup.

Scope

  • Proposal owners: Prepare and test rebased openssl package. Prepare and test compat-openssl10 package. Help with patching and rebuilding dependent packages.
  • Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help).
  • Release engineering: N/A unless we decide that separate branch is needed. Mass rebuild will not help as the packages have to be patched for the API changes.
  • Policies and guidelines: N/A
  • Trademark approval: N/A

Upgrade/compatibility impact

There should be no impact except for continued removal/deprecation of old insecure algorithms and protocols which we performed already for multiple OpenSSL updates.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.

Fedora packaging guidelines state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.

User Experience

N/A

Dependencies

There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase. However preliminary testing showed that thanks to the symbol versioning applications work even if both openssl-1.1.0 and openssl-1.0.2 is pulled into the same process. So it is not critically needed to rebuild everything at once if compat library compat-openssl10 package is provided.

Contingency Plan

  • Contingency mechanism: Revert OpenSSL back to 1.0.2 branch, rebuild the packages that were previously rebuilt with 1.1.0 package.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

OpenSSL 1.1.0 branch ChangeLog

1.1 API changes documentation

Release Notes