On 12/18/18 1:59 AM, Christian Helmuth wrote:
With his work on issue 3039 [1] Josef Söntgen updated openssl to 1.0.2q (commits are already on the staging branch). It was not required to adapt curl or libssh in any way for this. As 1.0.2q has the same security patch level as 1.1.0j I wonder about your requirements for the 1.1 branch. Could you tell us more or maybe your application could also be satisfied by a recent 1.0 version?
On [1] it says:
"The latest stable version is the 1.1.1 series. This is also our Long Term Support (LTS) version... All users of 1.0.2 and 1.1.0 are encouraged to upgrade to 1.1.1 as soon as possible."
and on [2] it says:
"OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version."
Our main goals are to stay on an LTS version and to utilize TLSv1.3, so stepping to 1.1.0 was more useful to us in the long term than stepping to 1.0.2.
[1] https://www.openssl.org/source/
[2] https://www.openssl.org/blog/blog/2018/09/11/release111/