[openssl-dev] 1.0.1t ?

Salz, Rich rsalz at akamai.com
Wed Mar 23 16:47:24 UTC 2016

> 1.0.1t does not currently have a planned release date. Releases are
> scheduled on an as-needed basis, typically (although not always) as a result
> of security defects being discovered. We normally only announce a release
> date for security fixes a few days in advance.

And note that 1.0.1 is on a security-fixes-only state.

> > Disabling  SSLv2 in a default build will break applications we have
> > released that depended on SSLv2 by default like release 2.2.29 of
> > Apache’s httpd.
> >
> > We can change our SSL build but would rather have fixes in an official
> > release.

Yes, we broke compatibility in our desire to make sure everyone was "safe" from the attack.  Sorry about that; we'll fix it next time a security patch for 1.0.1 comes out.

One approach is to look at the branch in our GIT repo's and cherry-pick the fix to your release for now.

More information about the openssl-dev mailing list