OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:available - FLOSS only comes in 32-bit.
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are currently
Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that wedo not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.
Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by theNonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
On 5/6/2021 1:46 PM, Randall wrote:certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
currently available - FLOSS only comes in 32-bit.For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are
do not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that we
NonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by the
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
Cool! Thanks, Randall!!
Just confirming something -- all the Nonstop changes are now integrated upstream, is that correct? Or would we still want to download it from ITUGLIB?
On Thursday, May 6, 2021 at 6:23:51 p.m. UTC-4, red floyd wrote:certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
On 5/6/2021 1:46 PM, Randall wrote:
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
currently available - FLOSS only comes in 32-bit.
For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are
do not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.
Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that we
NonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.
Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by the
their own. If people find a source problem, they can communicate it to me and I will try to have it integrated.Cool! Thanks, Randall!!
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
Just confirming something -- all the Nonstop changes are now integrated
upstream, is that correct? Or would we still want to download it from
ITUGLIB?
The 3.0.0 branches contain all of the known changes for the NonStop port. That is the only one. The 1.1.1 port changes were not accepted because of timing and policy on the OpenSSL end. The ITUGLIB build will be provided for those who cannot build on
Note: The OpenSSL tarball download distribution can be used to build the NonStop port - the OpenSSL team prefers that way anyway, so you really only need a c99 compiler (and FLOSS for SPT). tar. and gunzip - all from HPE.
On 5/7/21 7:02 AM, Randall wrote:certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
On Thursday, May 6, 2021 at 6:23:51 p.m. UTC-4, red floyd wrote:
On 5/6/2021 1:46 PM, Randall wrote:
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
currently available - FLOSS only comes in 32-bit.
For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are
we do not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.
Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that
the NonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.
Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by
their own. If people find a source problem, they can communicate it to me and I will try to have it integrated.Cool! Thanks, Randall!!
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
Just confirming something -- all the Nonstop changes are now integrated >> upstream, is that correct? Or would we still want to download it from
ITUGLIB?
The 3.0.0 branches contain all of the known changes for the NonStop port. That is the only one. The 1.1.1 port changes were not accepted because of timing and policy on the OpenSSL end. The ITUGLIB build will be provided for those who cannot build on
Note: The OpenSSL tarball download distribution can be used to build the NonStop port - the OpenSSL team prefers that way anyway, so you really only need a c99 compiler (and FLOSS for SPT). tar. and gunzip - all from HPE.
Thanks for all your hard work, Randall!!!!
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:available - FLOSS only comes in 32-bit.
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are currently
Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that wedo not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.
Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by theNonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.
As always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,
Randall Becker
On behalf of the ITUGLIB Technical Committee
On Thursday, May 6, 2021 at 4:46:54 p.m. UTC-4, Randall wrote:certification - that's between you and NIST. The critical thing is that if you are going to use ITUGLIB builds, do you want the FIPS module or not. As of this week, the guidance is for packagers (ITUGLIB) to include FIPS or not include it, depending on
OpenSSL 3.0.0-alpha15 just passed all tests on TNS/X, which is the last build before the official Beta starts next month. It's time to start planning what you are going to do in terms of migration. There are some critical things to consider.
From a source standpoint, you should be able to move from 1.0.2 directly to 3.0.0 with little or no issues. There is no binary compatibility between 1.0.2, 1.1.1, and 3.0.0.
OpenSSL 3.0.0 has a FIPS-compliant module. ITUGLIB needs to know if you are planning to use FIPS (we don't want to know if you're planning on certifying it yourself, that's your call). As with OpenSSL, the ITUGLIB team is not responsible for
currently available - FLOSS only comes in 32-bit.For TNS/X, the following ITUGLIB builds are possible, but we need to know which ones you will want to use:
* 64-bit, unthreaded, with FIPS
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, with FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, with FIPS
* 32-bit, SPT threaded, without FIPS
For TNS/E, the FIPS cannot be supported because there is no hardware randomization function available, so the possible ITUGLIB builds are:
* 64-bit, unthreaded, without FIPS
* 64-bit, PUT threaded, without FIPS
* 32-bit, SPT threaded, without FIPS
The other thing to consider is that you can build any of these or any other configurations you might want, like GUARDIAN builds, all on your own if you have c99 and git. You do need FLOSS for the SPT build, which is why only 32-bit models are
do not test the GUARDIAN builds because the standard test suite does not support TACL. That's why you really should use NonStop SSL, for any GUARDIAN applications. Please let us know here, or reply to me directly, as soon as you can, so we can plan.Our ask, as ITUGLIB, is that you let us know what you need from us, so we can prepare the set of builds. Each OpenSSL 3.0.0 build takes a few hours to run through a build/test cycle so we would rather only build what the community needs. Note that we
NonStop HTTP server, so when they move to support 3.0.0, the standard build should be compatible. You can do your own build with Tandem Float if you need to.Unlike the OpenSSL 1.1.1 (except IEEE) and 1.0.2 builds, floating point operations for OpenSSL 3.0.0 will be done using IEEE format by default. The IEEE format is required to pass the OpenSSL test suite as of 3.0.0. It is also the format used by the
current bunch for the 1.1.1 series (mostly because no one has requested a new build, and we have had requests to preserve some existing builds). Just a reminder that you cannot just drop 3.0.0 into your environment to replace 1.1.1. You must recompileAs always, if you find a bug or problem, let us know and we can try to get a fix looked at - if it is practical to do so, but no guarantees. We are all volunteers.
Regards,Just a timing update. 3.0.0 Beta1 is now officially due 30 June 2021. This date is set because of FIPS lab requirement. I expect to have builds ready for our community testing around that date. The set of builds are expected to be the same set as the
Randall Becker
On behalf of the ITUGLIB Technical Committee
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 285 |
Nodes: | 16 (2 / 14) |
Uptime: | 76:32:55 |
Calls: | 6,489 |
Files: | 12,096 |
Messages: | 5,276,221 |