[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TLSv1.3 supprt for 2.4.x?


On Wed, Sep 5, 2018 at 10:52 AM, Dennis Clarke <dclarke@xxxxxxxxxxxxx> wrote:
On 09/05/2018 07:36 AM, Stefan Eissing wrote:
A member of the OpenSSL project gave me a "go ahead" and we now have branch:

https://svn.apache.org/repos/asf/httpd/httpd/branches/tlsv1.3-for-2.4.x

as a copy of 2.4.x with 1827912,1827924,1827992,1828222,1828720,1828723,1833588,1833589,1839920,1839946 merged in. If was not a clean merge as some feature from trunk are not present in 2.4.x, so peer review/test is definitely desired.

I put a backport proposal into 2.4.x/STATUS

Cheers, Stefan


Awesome but there are plenty of folks that will want a simple tarball
with the usual autoconf/configure magic done for them. Could be a waste
of effort given that OpenSSL 1.1.1 release is 6 days away.

Not a waste of effort.

The project can't realistically deliver such a large changeset without wider
testing, the number of issues raised on multiple forums demonstrate that.
(Thankfully > 50% are users who were unaware of draft vs. final TLS
handshake signatures, and such inattentive users aren't productively
contributing to interoperability review.) Users who are prepared to
*constructively* engage on any proposed changeset should have few
problems with a couple extra steps.

I can't imagine the project releasing this changeset without first releasing
a stable 2.4.35, followed shortly thereafter with a less stable TLS 1.3
release. It appears to introduce a set of required(?) config changes,
something we've never purposefully done in a major.minor update.