(13 intermediate revisions by 6 users not shown) | |||
Line 6: | Line 6: | ||
== Owner == | == Owner == | ||
* Name: [[User:tmraz| Tomáš Mráz]] | * Name: [[User:tmraz| Tomáš Mráz]] | ||
* Email: tmraz@redhat.com | * Email: tmraz@redhat.com | ||
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | * Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> [mailto:sclark@fedoraproject.org Simon Clark] ([[User:sclark|sclark]]) | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
Line 28: | Line 27: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1381131 #1381131] | ||
== Detailed Description == | == Detailed Description == | ||
Line 42: | Line 41: | ||
== Scope == | == Scope == | ||
* Proposal owners: Prepare and test rebased openssl package. Prepare and test compat | * Proposal owners: Prepare and test rebased openssl package. Prepare and test compat-openssl10 package. Help with patching and rebuilding dependent packages. | ||
* Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help). | * Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help). | ||
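Review bot: The package name filled in on the changed Scope line, compat-openssl10, does not match the Detailed Description of the same page, which still says "compat openssl102 package". Pick one name (the Dependencies section also uses compat-openssl10) and update the Detailed Description in the same revision so readers look for the right package.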
Line 52: | Line 51: | ||
* Policies and guidelines: N/A | * Policies and guidelines: N/A | ||
* Trademark approval: N/A | * Trademark approval: N/A | ||
== Upgrade/compatibility impact == | == Upgrade/compatibility impact == | ||
Line 61: | Line 60: | ||
If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly. | If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly. | ||
Fedora [[Packaging:SSLCertificateHandling|packaging guidelines]] state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly. | |||
== User Experience == | == User Experience == | ||
Line 68: | Line 69: | ||
== Dependencies == | == Dependencies == | ||
There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase. However preliminary testing showed that thanks to the symbol versioning applications work even if both openssl-1.1.0 and openssl-1.0.2 is pulled into the same process. So it is not critically needed to rebuild everything at once if compat library compat-openssl10 package is provided. | |||
== Contingency Plan == | == Contingency Plan == | ||
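Review bot: In the added Dependencies paragraph, "both openssl-1.1.0 and openssl-1.0.2 is pulled into the same process" should read "are pulled", and the coexistence claim rests only on "preliminary testing". Suggest stating what was tested, since the conclusion that a staged rebuild is acceptable depends on it, and wording the last sentence as "provided the compat-openssl10 package is available".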
Line 82: | Line 83: | ||
== Documentation == | == Documentation == | ||
[https://www.openssl.org/news/cl110.txt | [https://www.openssl.org/news/cl110.txt OpenSSL 1.1.0 branch ChangeLog] | ||
[https://wiki.openssl.org/index.php/1.1_API_Changes | [https://wiki.openssl.org/index.php/1.1_API_Changes 1.1 API changes documentation] | ||
== Release Notes == | == Release Notes == | ||
Line 93: | Line 94: | ||
--> | --> | ||
[[Category: | [[Category:ChangeAcceptedF26]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> |
Latest revision as of 06:53, 8 August 2017
OpenSSL 1.1.0
Summary
Rebase of the OpenSSL package to version 1.1.0.
Owner
- Name: Tomáš Mráz
- Email: tmraz@redhat.com
- Release notes owner: Simon Clark (sclark)
Current status
Detailed Description
Update the OpenSSL library in Fedora to the 1.1.0 branch, which brings multiple big improvements, new cryptographic algorithms, and a new API that allows ABI stability to be kept across future upgrades. We will also add a compat openssl102 package so that applications and other dependencies that are not yet ported to the new API continue to work.
Benefit to Fedora
The main benefit is being able to keep up with the improvements that upstream OpenSSL development brings. The old 1.0.2 branch will get only bug fixes and security fixes. To get any new features we need to rebase to the 1.1.0 branch, which brings a long-awaited API/ABI cleanup.
Scope
- Proposal owners: Prepare and test rebased openssl package. Prepare and test compat-openssl10 package. Help with patching and rebuilding dependent packages.
- Other developers: Patch and rebuild your package if it uses the OpenSSL library (the proposal owner will help).
- Release engineering: N/A unless we decide that a separate branch is needed. A mass rebuild will not help, as the packages have to be patched for the API changes.
- List of deliverables: N/A
- Policies and guidelines: N/A
- Trademark approval: N/A
Upgrade/compatibility impact
There should be no impact except for the continued removal/deprecation of old insecure algorithms and protocols, which we have already performed in multiple OpenSSL updates.
How To Test
If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.
Fedora packaging guidelines state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.
User Experience
N/A
Dependencies
There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase. However, preliminary testing showed that, thanks to symbol versioning, applications work even if both openssl-1.1.0 and openssl-1.0.2 are pulled into the same process. So it is not critical to rebuild everything at once, provided the compat library package compat-openssl10 is available.
Contingency Plan
- Contingency mechanism: Revert OpenSSL back to the 1.0.2 branch and rebuild the packages that were previously rebuilt with the 1.1.0 package.
- Contingency deadline: Beta
- Blocks release? No
- Blocks product? No
Documentation
OpenSSL 1.1.0 branch ChangeLog