
Re: NOTICE: Intent to T&R 2.4.36


FWIW, I've been running 2.4.36-dev at revision 1841586 for 19 days 35 minutes as of this writing and I've seen no problems up to this point. Granted I only get a few thousand hits a day and not millions but so far so good. Haven't had many tls/1.3 but I would assume that's to be expected for another week or two until Chrome 70 and Firefox 63 come out.

Now off to build .36

On 10/10/2018 1:29 PM, William A Rowe Jr wrote:
On Wed, Oct 10, 2018, 14:53 Mark Blackman <mark@xxxxxxxxxxxxx> wrote:


Does the TLSv1.3 support need to be production ready?

TLSv1.3 is presumably an opt-in feature and as long as it doesn’t endanger
existing behaviours, I would have assumed it’s relatively safe to release
with caveats in the docs.
Of course, once there’s more take-up of TLSv1.3, then the test suite needs
to be useful. Getting real-world feedback about something completely new
that doesn’t endanger existing behaviours outside of TLSv1.3 is probably
worthwhile.


Were it so easy...

It turns out httpd through 2.4.35 remains incompatible with changes in
openssl 1.1.1. This was disappointing from this project's perspective; the
issues are tracked on openssl project GitHub tickets.

If everything is good about this candidate, it should build and run against
1.1.0, or 1.1.1, whether or not TLS 1.3 is enabled or avoided.

Ben Laurie last decade tried to address this with mod_tls, but mod_ssl
remains deeply tied to the internal behavior of libssl and libcrypto, to a
degree that it is effectively impossible to drop in 1.1.1 due to mechanical
changes in the protocol.

Dropping httpd 2.4.any into openssl 1.1.1 is a mess that several committers
have applied a great deal of attention to. We've undergone the same
problems with 1.1.0, 1.0.1, 1.0.0 and 0.9.8, so this didn't come as a
surprise.