Definitely, at least drawing the line at OpenSSL 1.0.1 makes sense. As Leif notes, moving to 1.0.2 for the baseline means that some supported distributions cannot use the system OpenSSL. For CentOS 6, anyway, we already require a replacement for the system compiler, which you can acquire from devtoolset. Is there a similar EPEL mechanism to get a package for a more modern OpenSSL?
On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
>
> > On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
> >
> > Hi all,
> >
> > Could we bump the minimum required OpenSSL version to 1.0.2 on the next
> > major release?
> >
> > I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
> > library version 0.9.4 or greater [*1].
> > But I think nobody is using such an old OpenSSL. So we can bump the minimum
> > version of OpenSSL.
> >
> > According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
> > minimum supported version by the OpenSSL community.
> > And version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version
> > 1.0.2 looks like a reasonable choice.
>
> Yes, we should do this for v9.0.0. This would effectively drop support for
> "stock" CentOS 6, which only comes with OpenSSL v1.0.1, but I think that's
> fine. For two reasons:
>
> 1) It's the right thing to require at least 1.0.2, since 1.0.1 is not
> supported.
>
> 2) It's not difficult to install a custom OpenSSL build if necessary.
>
> So, +1 on this, with the amendment that we also drop official support for
> the following platforms that are currently on the CI:
>
> CentOS 6 (OpenSSL v1.0.1e)
> Ubuntu 14.04 (OpenSSL v1.0.1f)
>
> (Debian 7 was already dropped, because of lack of compiler support.)
>
> Cheers,
>
> -- Leif
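As an added example (not code from this thread, and not Traffic Server's own SSLUtils check), here is a small C program showing what a 1.0.2 floor looks like in practice: OpenSSL 1.x publishes OPENSSL_VERSION_NUMBER in the 0xMNNFFPPS form, so a minimum version is a single integer compare, both at compile time and at run time against the value the library reports. The MIN_OPENSSL_VERSION macro, the function names and the list of sample versions (the ones named in the thread) are assumptions of this example; the #error guard only activates when <openssl/opensslv.h> has been included, so the file also builds on a machine without OpenSSL headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * OpenSSL 1.x version numbers are 0xMNNFFPPS:
 *   M  = major (one hex digit), NN = minor, FF = fix,
 *   PP = patch letter (a = 1 ... z = 26, 0 = none),
 *   S  = status (0 = dev, 1..e = beta, f = release).
 * The same value is exposed at run time by SSLeay() on 1.0.x and
 * OpenSSL_version_num() on 1.1.x, so one constant serves both checks.
 */
#define MIN_OPENSSL_VERSION 0x10002000L   /* assumed floor: 1.0.2, dev builds included */

/* Compile-time floor, as a project would place it beside its OpenSSL glue.
 * Only active once <openssl/opensslv.h> has been included ahead of this file. */
#ifdef OPENSSL_VERSION_NUMBER
#  if OPENSSL_VERSION_NUMBER < MIN_OPENSSL_VERSION
#    error "OpenSSL 1.0.2 or newer is required"
#  endif
#endif

/* Encode a dotted version string ("1.0.1e", "1.0.2", "1.1.1-dev") into the
 * 0xMNNFFPPS form. Returns -1 for anything it cannot parse. */
long openssl_version_code(const char *s)
{
    unsigned long part[3];
    char *end;

    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s))
            return -1;
        part[i] = strtoul(s, &end, 10);
        if (part[i] > 0xff || (i == 0 && part[i] > 0xf))
            return -1;
        s = end;
        if (i < 2) {
            if (*s != '.')
                return -1;
            s++;
        }
    }

    unsigned long patch = 0;
    if (isalpha((unsigned char)*s)) {
        patch = (unsigned long)(tolower((unsigned char)*s) - 'a' + 1);
        s++;
    }

    /* Simplification: any "-dev"/"-beta..." suffix is mapped to status 0,
     * which sorts below the release of the same number; beta numbering
     * (status 1..e) is not modelled here. */
    unsigned long status = 0xf;
    if (*s == '-') {
        status = 0;
        s += strlen(s);
    }
    if (*s != '\0')
        return -1;

    return (long)((part[0] << 28) | (part[1] << 20) | (part[2] << 12) |
                  (patch << 4) | status);
}

/* 1 if the version satisfies the floor, 0 if it is too old, -1 if unparsable. */
int openssl_version_ok(const char *version)
{
    long code = openssl_version_code(version);
    if (code < 0)
        return -1;
    return code >= MIN_OPENSSL_VERSION;
}

int main(void)
{
    /* Constructed sample: the versions mentioned in the thread. */
    const char *samples[] = { "0.9.4", "1.0.1e", "1.0.1f", "1.0.2", "1.0.2k", "1.1.1" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-8s 0x%08lx %s\n", samples[i], openssl_version_code(samples[i]),
               openssl_version_ok(samples[i]) == 1 ? "ok" : "too old");
    return 0;
}
```

Running it lists the CentOS 6 (1.0.1e) and Ubuntu 14.04 (1.0.1f) libraries as "too old" while 1.0.2, 1.0.2k and 1.1.1 pass. The reason for comparing the packed number rather than a string is that "1.0.10" would otherwise sort before "1.0.2"; at run time, comparing the library's reported number against the compile-time constant also catches the case where the build headers and the shared library on the box disagree.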