This is an incompatible change, so the change will be done in the next major release, ATS 9. We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway. It looks like ATS 8 will reach end of life at a similar time to CentOS 6[*1]. So people using CentOS 6 can use OpenSSL 1.0.1 and ATS 8 until late 2020 at their own risk.
# EOLs
CentOS 6 : November 30, 2020
ATS 8    : September 2020
ATS 9    : July 2021

ATS 9 looks like good timing for dropping support of OpenSSL 1.0.1 and CentOS 6.

FWIW, 15 vulnerabilities of OpenSSL were found in the last 2 years[*2]. I’m not sure how many of them affect version 1.0.1, but it looks quite dangerous to use it.

[*1] https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
[*2] https://www.openssl.org/news/vulnerabilities.html

Thanks,
Masaori

On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <shinr...@verizonmedia.com.invalid> wrote:
> A quick search shows only instructions for how to build openssl 1.0.2 from
> source on Rhel6/Centos6. If there is an epel-like rpm it does not seem to
> be well advertised.
>
> I'd suggest keeping the openssl minimum version at 1.0.1 until we stop
> support for Centos 6.
>
> On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:
>
> > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <shinr...@verizonmedia.com.INVALID> wrote:
> > >
> > > Definitely at least drawing the line at openssl 1.0.1 makes sense. As Leif
> > > notes, moving to 1.0.2 for the baseline means that some supported
> > > distributions cannot use the system openssl. For Centos6 anyway we require
> > > a replacement for the system compiler which you can acquire from
> > > devtoolset. Is there a similar epel mechanism to get a package for a more
> > > modern openssl?
> >
> > I could not find one on my existing CentOS 6 images, which have both EPEL
> > and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> > other, non-standard repos with newer OpenSSLs, but I think we should be
> > cautious about recommending people to enable “rogue” yum repos in general.
> >
> > Cheers,
> >
> > — Leif
> >
> > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
> > >
> > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
> > >>>
> > >>> Hi all,
> > >>>
> > >>> Could we bump the minimum required OpenSSL version to 1.0.2 in the next
> > >>> major release?
> > >>>
> > >>> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
> > >>> library version 0.9.4 or greater [*1].
> > >>> But I think nobody is using such an old OpenSSL. So we can bump the minimum
> > >>> version of OpenSSL.
> > >>>
> > >>> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
> > >>> minimum version supported by the OpenSSL community.
> > >>> And version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version
> > >>> 1.0.2 looks like a reasonable choice.
> > >>
> > >> Yes, we should do this for v9.0.0. This would effectively drop support for
> > >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s
> > >> fine. For two reasons:
> > >>
> > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
> > >> supported.
> > >>
> > >> 2) It’s not difficult to install a custom OpenSSL build if necessary.
> > >>
> > >> So, +1 on this, with the amendment that we also drop official support for
> > >> the following platforms that are currently on the CI:
> > >>
> > >> CentOS 6 (OpenSSL v1.0.1e)
> > >> Ubuntu 14.04 (OpenSSL v1.0.1f)
> > >>
> > >> (Debian7 was already dropped, because of lack of compiler support).
> > >>
> > >> Cheers,
> > >>
> > >> — Leif
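An added example, not code from the thread or from Traffic Server: it decodes the OPENSSL_VERSION_NUMBER encoding (0xMNNFFPPS for OpenSSL 1.x) and checks the stock library of the CI platforms Leif lists against the 1.0.2 baseline proposed above. The platform table is constructed from the versions named in the thread; the 1.1.1g host is a constructed extra to show a passing case.

```python
"""Decode OPENSSL_VERSION_NUMBER and check it against a minimum baseline."""
import ssl

# Baseline proposed in the thread: OpenSSL 1.0.2 (1.0.1 went EOL on 2016-12-31).
MIN_OPENSSL = (1, 0, 2)

# Constructed table: the CI platforms named in the thread, plus one made-up
# newer host. OpenSSL 1.x encodes versions as 0xMNNFFPPS (major, minor, fix,
# patch letter, status; status 0xF means a release build).
CI_PLATFORMS = {
    "CentOS 6": 0x1000105F,                   # 1.0.1e (from the thread)
    "Ubuntu 14.04": 0x1000106F,               # 1.0.1f (from the thread)
    "constructed 1.1.1g host": 0x1010107F,    # assumption, not from the thread
}


def decode_openssl_version(number: int) -> tuple:
    """Split 0xMNNFFPPS into (major, minor, fix, patch, status)."""
    return ((number >> 28) & 0xF, (number >> 20) & 0xFF, (number >> 12) & 0xFF,
            (number >> 4) & 0xFF, number & 0xF)


def format_openssl_version(number: int) -> str:
    """Render the number the way OpenSSL prints it, e.g. 0x1000105F -> '1.0.1e'."""
    major, minor, fix, patch, status = decode_openssl_version(number)
    if major >= 3:
        # OpenSSL 3.x uses the PP field as a numeric patch level: 0x3000001F -> 3.0.1
        return f"{major}.{minor}.{patch}"
    text = f"{major}.{minor}.{fix}"
    if patch:
        text += chr(ord("a") + patch - 1)   # 1 -> 'a', 5 -> 'e'
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return text


def meets_minimum(number: int, minimum=MIN_OPENSSL) -> bool:
    """True if the library version is at or above the (major, minor, fix) baseline."""
    major, minor, fix, patch, _ = decode_openssl_version(number)
    return (major, minor, patch if major >= 3 else fix) >= minimum


def unsupported_platforms(platforms=CI_PLATFORMS, minimum=MIN_OPENSSL) -> list:
    """Names of platforms whose stock OpenSSL falls below the baseline."""
    return [name for name, num in platforms.items() if not meets_minimum(num, minimum)]


def running_openssl() -> tuple:
    """(version string, meets baseline) for the OpenSSL this interpreter links against."""
    num = ssl.OPENSSL_VERSION_NUMBER
    return format_openssl_version(num), meets_minimum(num)
```

Running `unsupported_platforms()` on the table above returns the two platforms the thread proposes dropping; `running_openssl()` applies the same check to the interpreter's own library.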