I opened a Pull Request for this. Please take a look. https://github.com/apache/trafficserver/pull/5074

- Masaori

On Wed, Feb 27, 2019 at 6:32, Bryan Call <bc...@apache.org> wrote:

> +1
>
> -Bryan
>
> > On Feb 25, 2019, at 5:06 PM, Masaori Koshiba <masa...@apache.org> wrote:
> >
> > Our conclusion is below:
> >
> > 1). Move the minimum OpenSSL version of ATS v9.0.0 to 1.0.2.
> >
> > 2). ATS v9.0.0 also drops support for the following platforms because of their OpenSSL version:
> >
> > - CentOS 6 (OpenSSL v1.0.1e)
> > - Ubuntu 14.04 (OpenSSL v1.0.1f)
> >
> > 3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL.
> >
> > For the vulnerabilities, I forgot about that. Thanks for pointing it out.
> >
> > Thanks,
> > Masaori
> >
> > On Mon, Feb 25, 2019 at 23:13, Susan Hinrichs <shinr...@verizonmedia.com.invalid> wrote:
> >
> >> Masaori,
> >>
> >> Sounds like good reasoning. I am completely ok with moving the minimum to 1.0.2 as long as CentOS 6 is dropped at the same time.
> >>
> >> WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back security fixes from newer OpenSSLs into their OpenSSL 1.0.1 version, so it is probably not that dangerous to use it.
> >>
> >> Susan
> >>
> >> On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <masa...@apache.org> wrote:
> >>
> >>> This is an incompatible change, so the change will be done on the next major release, ATS 9.
> >>> We're going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway. It looks like ATS 8 will reach end of life at a similar time to CentOS 6 [*1]. So people using CentOS 6 can use OpenSSL 1.0.1 and ATS 8 until late 2020 at their own risk.
> >>>
> >>> # EOLs
> >>> CentOS 6 : November 30, 2020
> >>> ATS 8 : September 2020
> >>> ATS 9 : July 2021
> >>>
> >>> ATS 9 looks like good timing for dropping support of OpenSSL 1.0.1 and CentOS 6.
> >>>
> >>> FWIW, 15 vulnerabilities in OpenSSL were found in the last 2 years [*2]. I'm not sure how many of them affect version 1.0.1, but it looks quite dangerous to use it.
> >>>
> >>> [*1] https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
> >>> [*2] https://www.openssl.org/news/vulnerabilities.html
> >>>
> >>> Thanks,
> >>> Masaori
> >>>
> >>> On Sat, Feb 23, 2019 at 5:39, Susan Hinrichs <shinr...@verizonmedia.com.invalid> wrote:
> >>>
> >>>> A quick search shows only instructions for how to build openssl 1.0.2 from source on Rhel6/Centos6. If there is an epel-like rpm it does not seem to be well advertised.
> >>>>
> >>>> I'd suggest keeping the openssl minimum version at 1.0.1 until we stop support for Centos 6.
> >>>>
> >>>> On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:
> >>>>
> >>>>>> On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <shinr...@verizonmedia.com.INVALID> wrote:
> >>>>>>
> >>>>>> Definitely at least drawing the line at openssl 1.0.1 makes sense. As Leif notes, moving to 1.0.2 for the baseline means that some supported distributions cannot use the system openssl. For Centos6 anyway we require a replacement for the system compiler which you can acquire from devtoolset. Is there a similar epel mechanism to get a package for a more modern openssl?
> >>>>>
> >>>>> I could not find one on my existing CentOS 6 images, which have both EPEL and DevToolSet yum repos enabled. That doesn't mean that there aren't other, non-standard repos with newer OpenSSLs, but I think we should be cautious recommending people to enable "rogue" yum repos in general.
> >>>>>
> >>>>> Cheers,
> >>>>>
> >>>>> — Leif
> >>>>>
> >>>>>> On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:
> >>>>>>
> >>>>>>>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <masa...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> Could we bump the minimum required OpenSSL version to 1.0.2 on the next major release?
> >>>>>>>>
> >>>>>>>> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL library version 0.9.4 or greater [*1]. But I think nobody is using such an old OpenSSL, so we can bump the minimum version of OpenSSL.
> >>>>>>>>
> >>>>>>>> According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current minimum supported version by the OpenSSL community. And version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version 1.0.2 looks like a reasonable choice.
> >>>>>>>
> >>>>>>> Yes, we should do this for v9.0.0. This would effectively drop support for "stock" CentOS6, which only comes with OpenSSL v1.0.1, but I think that's fine. For two reasons:
> >>>>>>>
> >>>>>>> 1) It's the right thing to require at least 1.0.2, since 1.0.1 is not supported.
> >>>>>>>
> >>>>>>> 2) It's not difficult to install a custom OpenSSL build if necessary.
> >>>>>>>
> >>>>>>> So, +1 on this, with the amendment that we also drop official support for the following platforms that are currently on the CI:
> >>>>>>>
> >>>>>>> CentOS 6 (OpenSSL v1.0.1e)
> >>>>>>> Ubuntu 14.04 (OpenSSL v1.0.1f)
> >>>>>>>
> >>>>>>> (Debian7 was already dropped, because of lack of compiler support).
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>>
> >>>>>>> — Leif
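An added example, not code from the Traffic Server project or from anyone on this thread, of how a minimum-version gate like the one proposed for v9.0.0 is expressed against OpenSSL's OPENSSL_VERSION_NUMBER encoding. It shows both the compile-time form a project would put in a header and a run-time decoder, and runs the platforms named above (CentOS 6 with 1.0.1e, Ubuntu 14.04 with 1.0.1f) plus a 1.0.2h build through the check. The numeric values are constructed from the documented 1.x encoding rather than read from a system header, so the file builds on a machine without OpenSSL installed.

```c
/* Added example, not Apache Traffic Server code. OpenSSL 1.0.x and 1.1.x
 * encode their version in OPENSSL_VERSION_NUMBER as 0xMNNFFPPSL:
 * M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'), S = status
 * (0xf = release). A minimum-version gate compares that number against the
 * encoding of the floor, here 1.0.2 with patch and status zeroed so that
 * every 1.0.2x release passes. The sample values below are constructed from
 * that encoding for the platforms named in the thread; no OpenSSL header is
 * included, so the file builds without OpenSSL installed. */
#include <stdio.h>
#include <string.h>

#define MIN_OPENSSL_VERSION 0x10002000L /* 1.0.2, any patch level */

/* Compile-time form of the gate, as a project would put it in a header.
 * OPENSSL_VERSION_NUMBER comes from <openssl/opensslv.h>; it is not defined
 * here, so this #error never fires in this stand-alone file. */
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < MIN_OPENSSL_VERSION
#error "OpenSSL 1.0.2 or later is required"
#endif

/* Constructed sample values for the distributions discussed above. */
#define CENTOS6_OPENSSL    0x1000105fL /* 1.0.1e release */
#define UBUNTU1404_OPENSSL 0x1000106fL /* 1.0.1f release */
#define OPENSSL_1_0_2H     0x1000208fL /* 1.0.2h release */

/* Run-time form of the gate: 1 if the encoded version meets the minimum. */
int openssl_meets_minimum(long v)
{
    return v >= MIN_OPENSSL_VERSION;
}

/* Decodes a 1.x-style version number into text such as "1.0.1e"; buf needs
 * at least 16 bytes. Patch 0 yields a plain "1.0.2" with no letter. OpenSSL
 * 3.x redefines these fields, so the letter rendering is only right for 1.x. */
const char *openssl_version_string(long v, char *buf, size_t len)
{
    int major = (int)((v >> 28) & 0xf);
    int minor = (int)((v >> 20) & 0xff);
    int fix   = (int)((v >> 12) & 0xff);
    int patch = (int)((v >> 4) & 0xff);

    if (patch)
        snprintf(buf, len, "%d.%d.%d%c", major, minor, fix, 'a' + patch - 1);
    else
        snprintf(buf, len, "%d.%d.%d", major, minor, fix);
    return buf;
}

/* Convenience for checks: 1 if v decodes to exactly `expected`. */
int openssl_version_is(long v, const char *expected)
{
    char buf[16];
    return strcmp(openssl_version_string(v, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    const struct { const char *platform; long version; } hosts[] = {
        { "CentOS 6",     CENTOS6_OPENSSL },
        { "Ubuntu 14.04", UBUNTU1404_OPENSSL },
        { "custom build", OPENSSL_1_0_2H },
    };
    char buf[16];
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-13s OpenSSL %-7s %s\n", hosts[i].platform,
               openssl_version_string(hosts[i].version, buf, sizeof buf),
               openssl_meets_minimum(hosts[i].version) ? "ok" : "too old for ATS 9");
    }
    return 0;
}
```

The floor is written with the patch and status nibbles zeroed (0x10002000L rather than 0x1000200fL) on purpose: a gate against the release value of 1.0.2 would reject 1.0.2 itself when built from a development snapshot, while the zeroed form accepts every 1.0.2 patch letter and everything newer.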