Re: OpenSSL end of life

Board: FB_security  Author: (not shown)  Time: 11 years ago (2014/06/12 02:32)
Post 10 of 14 in this thread
Hi, Ben --

Thanks for soliciting feedback.

On Jun 11, 2014, at 2:32 AM, Ben Laurie <ben@links.org> wrote:

> We (the OpenSSL team) are considering a more aggressive EOL strategy.
>
> In particular, we may EOL 0.9.8 right now, and 1.0.0 when 1.0.2 comes
> out (currently in beta).
>
> Going forward we would only maintain two versions, so when 1.0.3 comes
> out, 1.0.1 would be EOL.
>
> What do people think about this?

Most folks use the OpenSSL version provided by their OS vendor. OS vendors want to provide long-term support for at least some releases, because many users don't want to chase major version bumps too frequently. (This has strong implications for ABI stability: even if you EOL 0.9.8 today, vendors will still need to support it for years down the road.)

Some advanced users will be more willing to build, deploy, and validate "bleeding edge" versions.

Other advanced users are using an OpenSSL version which is baked into the firmware of hardware load balancers like F5's BIG-IP, Citrix NetScalers, Brocade's ADX, etc.

The other group that comes to mind is software developers writing against OpenSSL. I don't want to generalize too far, but even fairly well-known projects like ClamAV, which actively use SSL and check cert signing for their virus DB updates, are just now starting to implement OpenSSL 0.9.8 functionality like CRL checks _after_ Heartbleed.

Regards,
-- 
-Chuck

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #1JcA2ZdY (FB_security)