> On Feb 22, 2019, at 10:15 AM, Susan Hinrichs 
> <shinr...@verizonmedia.com.INVALID> wrote:
> 
> Definitely at least drawing the line at openssl 1.0.1 makes sense.  As Leif
> notes, moving to 1.0.2 for the baseline means that some supported
> distributions cannot use the system openssl.  For CentOS 6 anyway we require
> a replacement for the system compiler which you can acquire from
> devtoolset.  Is there a similar epel mechanism to get a package for a more
> modern openssl?


I could not find one on my existing CentOS 6 images, which have both EPEL and
DevToolSet yum repos enabled. That doesn’t mean that there aren’t other,
non-standard repos with newer OpenSSLs, but I think we should be cautious
about recommending that people enable “rogue” yum repos in general.

Cheers,

— Leif

> 
> On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
> 
>> 
>> 
>>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
>>> 
>>> Hi all,
>>> 
>>> Could we bump the minimum required OpenSSL version to 1.0.2 in the next
>>> major release?
>>> 
>>> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
>>> library version 0.9.4 or greater [*1].
>>> But I think nobody is using such an old OpenSSL. So we can bump the minimum
>>> version of OpenSSL.
>>> 
>>> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
>>> minimum version supported by the OpenSSL community.
>>> And version 1.0.1 reached end of support 2 years ago (at 2016-12-31). Version
>>> 1.0.2 looks like a reasonable choice.
>> 
>> 
>> Yes, we should do this for v9.0.0. This would effectively drop support for
>> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s
>> fine. For two reasons:
>> 
>> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
>> supported.
>> 
>> 2) It’s not difficult to install a custom OpenSSL build if necessary.
>> 
>> 
>> So, +1 on this, with the amendment that we also drop official support for
>> the following platforms that are currently on the CI:
>> 
>>        CentOS 6  (OpenSSL v1.0.1e)
>>        Ubuntu 14.04 (OpenSSL v1.0.1f)
>> 
>> (Debian7 was already dropped, because of lack of compiler support).
>> 
>> 
>> Cheers,
>> 
>> — Leif
>> 
>> 
