This sounds like a solid plan for deprecating support for older OSes and 
updating our requirements for OpenSSL.

Thanks,
Steven

On 2/25/19, 9:06 PM, "Masaori Koshiba" <masa...@apache.org> wrote:

    Our conclusion is below:
    
    1). Move minimum OpenSSL version of ATS v9.0.0 to 1.0.2.
    
    2). ATS v9.0.0 also drops support for the following platforms because of
    their OpenSSL version:
    
      - CentOS 6 (OpenSSL v1.0.1e)
      - Ubuntu 14.04 (OpenSSL v1.0.1f)
    
    3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL
    
    For the vulnerabilities, I forgot about that. Thanks for pointing it out.
    
    Thanks,
    Masaori
    
    Feb 25, 2019 (Mon) 23:13 Susan Hinrichs <shinr...@verizonmedia.com.invalid>:
    
    > Masaori,
    >
    > Sounds like good reasoning.  I am completely OK with moving the minimum
    > to 1.0.2 as long as CentOS 6 is dropped at the same time.
    >
    > WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
    > security fixes from newer OpenSSLs into their OpenSSL 1.0.1 version, so it
    > is probably not that dangerous to use it.
    >
    > Susan
    >
    > On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <masa...@apache.org>
    > wrote:
    >
    > > This is an incompatible change, so it will be done in the next major
    > > release, ATS 9.
    > > We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway. It
    > > looks like ATS 8 will reach end of life at a similar time to CentOS 6 [*1].
    > > So people using CentOS 6 can use OpenSSL 1.0.1 and ATS 8 until late 2020
    > > at their own risk.
    > >
    > > # EOLs
    > > CentOS 6 : November 30, 2020
    > > ATS 8 : September 2020
    > > ATS 9 : July 2021
    > >
    > > ATS 9 looks like good timing for dropping support for OpenSSL 1.0.1 and
    > > CentOS 6.
    > >
    > > FWIW, 15 vulnerabilities in OpenSSL were found in the last 2 years [*2]. I’m
    > > not sure how many of them affect version 1.0.1, but it looks quite dangerous
    > > to use it.
    > >
    > > [*1] https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
    > > [*2] https://www.openssl.org/news/vulnerabilities.html
    > >
    > > Thanks,
    > > Masaori
    > >
    > > Feb 23, 2019 (Sat) 5:39 Susan Hinrichs <shinr...@verizonmedia.com.invalid>:
    > >
    > > > A quick search shows only instructions for how to build OpenSSL 1.0.2
    > > > from source on RHEL6/CentOS6.  If there is an EPEL-like RPM it does not
    > > > seem to be well advertised.
    > > >
    > > > I'd suggest keeping the OpenSSL minimum version at 1.0.1 until we stop
    > > > support for CentOS 6.
    > > >
    > > > On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:
    > > >
    > > > >
    > > > >
    > > > > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <shinr...@verizonmedia.com.INVALID> wrote:
    > > > > >
    > > > > > Definitely at least drawing the line at OpenSSL 1.0.1 makes sense. As
    > > > > > Leif notes, moving to 1.0.2 for the baseline means that some supported
    > > > > > distributions cannot use the system OpenSSL.  For CentOS6 anyway we
    > > > > > require a replacement for the system compiler, which you can acquire
    > > > > > from devtoolset.  Is there a similar EPEL mechanism to get a package for
    > > > > > a more modern OpenSSL?
    > > > >
    > > > >
    > > > > I could not find one on my existing CentOS 6 images, which have both
    > > > > EPEL and DevToolSet yum repos enabled. That doesn’t mean that there
    > > > > aren’t other, non-standard repos with newer OpenSSLs, but I think we
    > > > > should be cautious recommending people to enable “rogue” yum repos in
    > > > > general.
    > > > >
    > > > > Cheers,
    > > > >
    > > > > — Leif
    > > > >
    > > > > >
    > > > > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
    > > > > >
    > > > > >>
    > > > > >>
    > > > > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
    > > > > >>>
    > > > > >>> Hi all,
    > > > > >>>
    > > > > >>> Could we bump the minimum required OpenSSL version to 1.0.2 in the
    > > > > >>> next major release?
    > > > > >>>
    > > > > >>> I just noticed that SSLUtils says that Traffic Server requires an
    > > > > >>> OpenSSL library version 0.9.4 or greater [*1].
    > > > > >>> But I think nobody is using such an old OpenSSL, so we can bump the
    > > > > >>> minimum version of OpenSSL.
    > > > > >>>
    > > > > >>> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the
    > > > > >>> current minimum supported version by the OpenSSL community,
    > > > > >>> and version 1.0.1 reached end of support 2 years ago (on 2016-12-31).
    > > > > >>> Version 1.0.2 looks like a reasonable choice.
    > > > > >>
    > > > > >>
    > > > > >> Yes, we should do this for v9.0.0. This would effectively drop support
    > > > > >> for “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
    > > > > >> that’s fine. For two reasons:
    > > > > >>
    > > > > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
    > > > > >> supported.
    > > > > >>
    > > > > >> 2) It’s not difficult to install a custom OpenSSL build if necessary.
    > > > > >>
    > > > > >>
    > > > > >> So, +1 on this, with the amendment that we also drop official support
    > > > > >> for the following platforms that are currently on the CI:
    > > > > >>
    > > > > >>        CentOS 6  (OpenSSL v1.0.1e)
    > > > > >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
    > > > > >>
    > > > > >> (Debian7 was already dropped, because of lack of compiler support).
    > > > > >>
    > > > > >>
    > > > > >> Cheers,
    > > > > >>
    > > > > >> — Leif
    > > > > >>
    > > > > >>
    > > > >
    > > > >
    > > >
    > >
    >
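The minimum-version gate discussed in this thread, as an added example that is not Traffic Server's SSLUtils code: OpenSSL 1.0.x and 1.1.x encode OPENSSL_VERSION_NUMBER as 0xMNNFFPPS, so a check against 1.0.2 should compare only the major/minor/fix fields and ignore the patch letter (1.0.1e vs 1.0.1f) and the status nibble. The OSSL_* constants below are constructed for this example to match that encoding for the releases named above; no OpenSSL headers are needed to run it.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x/1.1.x encode OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
 * S = status (0 = dev, 1..e = beta, f = release). OpenSSL 3.0 changed this
 * layout, so the decoder below applies to the 1.x series only. */
#define OSSL_MIN_SUPPORTED 0x10002000UL   /* 1.0.2: the floor chosen in the thread */

/* Constructed sample values matching the encoding for the releases discussed. */
#define OSSL_1_0_1e 0x1000105fUL
#define OSSL_1_0_1f 0x1000106fUL
#define OSSL_1_0_2  0x1000200fUL
#define OSSL_1_0_2k 0x100020bfUL
#define OSSL_1_1_0h 0x1010008fUL

/* Keep major/minor/fix; drop patch letter and status so 1.0.1e == 1.0.1f here. */
static unsigned long ossl_base(unsigned long v) { return v & 0xfffff000UL; }

/* Returns 1 if the library version meets the minimum, 0 otherwise. */
int ossl_version_ok(unsigned long have, unsigned long min)
{
    return ossl_base(have) >= ossl_base(min);
}

/* Render the encoded number as "1.0.1e" into buf (len should be >= 16). */
const char *ossl_version_str(unsigned long v, char *buf, size_t len)
{
    unsigned major = (v >> 28) & 0xf;
    unsigned minor = (v >> 20) & 0xff;
    unsigned fix   = (v >> 12) & 0xff;
    unsigned patch = (v >> 4) & 0xff;
    char letter[2] = { patch ? (char)('a' + patch - 1) : '\0', '\0' };
    snprintf(buf, len, "%u.%u.%u%s", major, minor, fix, letter);
    return buf;
}

int main(void)
{
    unsigned long samples[] = { OSSL_1_0_1e, OSSL_1_0_1f, OSSL_1_0_2, OSSL_1_0_2k, OSSL_1_1_0h };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", ossl_version_str(samples[i], buf, sizeof buf),
               ossl_version_ok(samples[i], OSSL_MIN_SUPPORTED) ? "ok" : "too old");
    return 0;
}
```

The same comparison can be made at build time with `#if OPENSSL_VERSION_NUMBER < 0x10002000L` / `#error`, which is how a hard floor would reject the 1.0.1e and 1.0.1f builds that ship with CentOS 6 and Ubuntu 14.04.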
    
