From Fedora Project Wiki
Line 60: Line 60:
  
 
If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.
 
If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.
 +
 +
Fedora [[Packaging:SSLCertificateHandling|packaging guidelines]] state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.
  
 
== User Experience ==
 
== User Experience ==

Revision as of 14:28, 19 September 2016

OpenSSL 1.1.0

Summary

Rebase of OpenSSL package to 1.1.0 version

Owner

Current status

  • Targeted release: Fedora 26
  • Last updated: 2016-09-19
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Update the OpenSSL library to the 1.1.0 branch in Fedora to bring multiple big improvements, new cryptographic algorithms, and new API that allows for keeping ABI stability in future upgrades. We will also add compat openssl102 package so the applications and other dependencies which are not ported yet to the new API continue to work.

Benefit to Fedora

The main benefit is to be able to keep with any improvements the upstream development of OpenSSL brings. The old 1.0.2 branch will get only bug fixes and security fixes. To get any new features we need to rebase to the 1.1.0 branch which brings long awaited API/ABI cleanup.

Scope

  • Proposal owners: Prepare and test rebased openssl package. Prepare and test compat openssl102 package. Help with patching and rebuilding dependent packages.
  • Other developers: Patch and rebuild your package if it uses OpenSSL library (proposal owner will help).
  • Release engineering: N/A unless we decide that separate branch is needed. Mass rebuild will not help as the packages have to be patched for the API changes.
  • Policies and guidelines: N/A
  • Trademark approval: N/A

Upgrade/compatibility impact

There should be no impact except for continued removal/deprecation of old insecure algorithms and protocols which we performed already for multiple OpenSSL updates.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly.

Fedora packaging guidelines state that any applications which can use an SSL certificate from a file SHOULD also accept a PKCS#11 URI in place of the filename. Please ensure that this also continues to work properly.

User Experience

N/A

Dependencies

There are 604 dependent packages in Rawhide linked to libcrypto and/or libssl which need to be patched (for packages where upstream did not patch them already) and rebuilt after the rebase.

Contingency Plan

  • Contingency mechanism: Revert OpenSSL back to 1.0.2 branch, rebuild the packages that were previously rebuilt with 1.1.0 package.
  • Contingency deadline: Beta
  • Blocks release? No
  • Blocks product? No

Documentation

1.1.0 branch ChangeLog

API changes documentation

Release Notes