> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
>
> Hi all,
>
> Could we bump the minimum required OpenSSL version to 1.0.2 in the next
> major release?
>
> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
> library version 0.9.4 or greater [*1].
> But I think nobody is using such an old OpenSSL. So we can bump the minimum
> version of OpenSSL.
>
> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
> minimum version supported by the OpenSSL community.
> And version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version
> 1.0.2 looks like a reasonable choice.

Yes, we should do this for v9.0.0. This would effectively drop support for
“stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s fine.
For two reasons:

1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not supported.
2) It’s not difficult to install a custom OpenSSL build if necessary.

So, +1 on this, with the amendment that we also drop official support for the
following platforms that are currently on the CI:

CentOS 6 (OpenSSL v1.0.1e)
Ubuntu 14.04 (OpenSSL v1.0.1f)

(Debian7 was already dropped, because of lack of compiler support).

Cheers,

— Leif