Shall I expect SHA3 support in OpenSSL-1.0.2 series?

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Apr 24 13:32:23 UTC 2019


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Matt Caswell
> Sent: Wednesday, April 24, 2019 08:33
>
>
> On 24/04/2019 13:08, sathish reddy s wrote:
> >
> > I found the following line at https://www.openssl.org/source/
> > "Our previous LTS version (1.0.2 series) will continue to be supported until
> > 31st December 2019 (security fixes only during the last year of support)".
> >
> > Is there any chance to add SHA3 support in the upcoming releases?
>
> No. 1.0.2 is a stable branch. Any releases of stable branches are for bug and
> security fixes. In the case of 1.0.2 it is in the last year of support so its
> only getting security fixes. SHA3 is a feature and does not qualify.

Note that, as Matt wrote, OpenSSL 1.0.2 is in its final year of support. Security issues will be fixed for the next eight months. That's it.

Everyone should be moving to 1.1 now, unless they need FIPS 140-2 validation. Frankly, even if you need FIPS, you should be working on a 1.1-based branch, in anticipation of moving to FIPS-validated OpenSSL 3 (or 4, if that numbering change is accepted) when it's available. The alternative is to support 1.0.2 yourself, and I'd estimate that 99% of OpenSSL users aren't qualified to do that.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




More information about the openssl-users mailing list