A quick search shows only instructions for how to build openssl 1.0.2 from
source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem to
be well advertised.

I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
support for Centos 6.

On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:

>
>
> > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <shinr...@verizonmedia.com.INVALID> wrote:
> >
> > Definitely at least drawing the line at openssl 1.0.1 makes sense.  As Leif
> > notes moving to 1.0.2 for the baseline means that some supported
> > distributions cannot use the system openssl.  For Centos6 anyway we require
> > a replacement for the system compiler which you can acquire from
> > devtoolset.  Is there a similar epel mechanism to get a package for a more
> > modern openssl?
>
>
> I could not find one on my existing CentOS 6 images, which have both EPEL
> and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> other, non-standard repos with newer OpenSSLs, but I think we should be
> cautious recommending people to enable “rogue” yum repos in general.
>
> Cheers,
>
> — Leif
>
> >
> > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
> >
> >>
> >>
> >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on next
> >>> major release?
> >>>
> >>> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
> >>> library version 0.9.4 or greater [*1].
> >>> But I think nobody is using such an old OpenSSL. So we can bump the minimum
> >>> version of OpenSSL.
> >>>
> >>> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
> >>> minimum version supported by the OpenSSL community.
> >>> And version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version
> >>> 1.0.2 looks like a reasonable choice.
> >>
> >>
> >> Yes, we should do this for v9.0.0. This would effectively drop support for
> >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s
> >> fine. For two reasons:
> >>
> >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
> >> supported.
> >>
> >> 2) It’s not difficult to install a custom OpenSSL build if necessary.
> >>
> >>
> >> So, +1 on this, with the amendment that we also drop official support for
> >> the following platforms that are currently on the CI:
> >>
> >>        CentOS 6  (OpenSSL v1.0.1e)
> >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
> >>
> >> (Debian7 was already dropped, because of lack of compiler support).
> >>
> >>
> >> Cheers,
> >>
> >> — Leif
> >>
> >>
>
>
