[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NOTICE: Intent to T&R 2.4.36

On Wed, Oct 10, 2018, 14:53 Mark Blackman <mark@xxxxxxxxxxxxx> wrote:

Does the TLSv1.3 support need to be production ready?

TLSv1.3 is presumably an opt-in feature and as long as it doesn’t endanger existing behaviours, I would have assumed it’s relatively safe to release with caveats in the docs. 
Of course, once there’s more take-up of TLSv1.3, then the test suite needs to be useful. Getting real-world feedback about something completely new that doesn’t endanger existing behaviours outside of TLSv1.3 is probably worthwhile.

Were it so easy...

It turns out httpd through 2.4.35 remain incompatible with changes to openssl 1.1.1. This was disappointing from this project's perspective, the issues are tracked on openssl project GitHub tickets.

If everything is good about this candidate, it should build and run against 1.1.0, or 1.1.1, whether or not TLS 1.3 is enabled or avoided.

Ben Laurie last decade tried to address this with mod_tls, but mod_ssl remains deeply tied to the internal behavior of libssl and libcrypto, to a degree that it is effectively impossible to drop in 1.1.1 due to mechanical changes in the protocol.

Dropping httpd 2.4.any into openssl 1.1.1 is a mess that several committers have applied a great deal of attention to. We've undergone the same problems with 1.1.0, 1.0.1, 1.0.0 and 0.9.8, so this didn't come as a surprise.