From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 18:11:10 2014
Subject: Re: OpenSSL end of life
From: Charles Swiger
Date: Wed, 11 Jun 2014 11:11:09 -0700
Message-id: <9EE1267B-E571-4B5A-B59B-F87062DCB53E@mac.com>
To: Ben Laurie
Cc: freebsd-security@freebsd.org

Hi, Ben--

Thanks for soliciting feedback.

On Jun 11, 2014, at 2:32 AM, Ben Laurie wrote:
> We (the OpenSSL team) are considering a more aggressive EOL strategy.
>
> In particular, we may EOL 0.9.8 right now, and 1.0.0 when 1.0.2 comes
> out (currently in beta).
>
> Going forward we would only maintain two versions, so when 1.0.3 comes
> out, 1.0.1 would be EOL.
>
> What do people think about this?

Most folks use the OpenSSL version provided by their OS vendor. OS vendors want to provide long-term support for at least some releases, because many users don't want to chase major version bumps too frequently. (This has strong implications for ABI stability: even if you EOL 0.9.8 today, vendors will still need to support that for years down the road.)

Some advanced users will be more willing to build, deploy, and validate "bleeding edge" versions. Other advanced users are using an OpenSSL version which is baked into the firmware of hardware load-balancers like F5's BIG-IP, Citrix NetScalers, Brocade's ADX, etc.

The other group that comes to mind is software developers writing against OpenSSL. I don't want to generalize too far, but even fairly well-known projects like ClamAV who actively use SSL and check cert signing for their virus DB updates are just now starting to implement OpenSSL-0.9.8 functionality like CRL checks _after_ Heartbleed.

Regards,
--
-Chuck