Subject: | |
From: | |
Reply To: | |
Date: | Sun, 5 Feb 2017 01:37:24 +1100 |
Content-Type: | multipart/signed |
Parts/Attachments: |
|
|
On Saturday, 4 February 2017 3:29:32 PM AEDT David Sommerseth wrote:
> On 03/02/17 17:22, Andrew C Aitchison wrote:
> > SL6 uses OpenSSL v1.0.1, which is no longer supported by OpenSSL
> > ( https://www.openssl.org/policies/releasestrat.html ).
> > v1.0.2 which may be a drop in replacement is supported until the end of
> > 2019.
>
> Just wanted to point out that regardless of OpenSSL's life cycles, Red
> Hat will continue to support, backport and fix issues with OpenSSL
> v1.0.1 as long as they have a distribution shipping with that version.
>
> > https://access.redhat.com/solutions/1530413
> > explains Red Hat's position on this, but it can only be read by
> > those with a Red Hat contract.
>
> That URL basically says what I just said in the previous paragraph.
> Otherwise - as already pointed out, for many of these KB articles, you
> just need to have a free account. I would highly recommend people to
> sign up there, as there's lots of good info here.
>
> > Could SL make a similar statement which is available to anyone who
> > has access to SL ?
> >
> > I'm particularly asking since I'm trying to build the latest exim,
> > which does not support openssl v1.0.1
> > https://lists.exim.org/lurker/message/20170131.025153.592b38db.en.html
> >
> > As we are into 2017, the oldest OpenSSL supported by the OpenSSL
> > project
> > is 1.0.2, so that is now the oldest version which the Exim Maintainers
> > formally "support" for Exim. As of yet, I do not believe that any
> > changes have been merged which would break support for older OpenSSL,
> > but you are on your own if you try to use such.
>
> There seems to be a Fedora EPEL package with Exim 4.88 ready for EL6
> already: https://koji.fedoraproject.org/koji/buildinfo?buildID=835727
>
> > I can of course build a local OpenSSL v1.0.2 for exim, but if there were
> > a system version it would be simpler for me.
>
> OpenSSL 1.0.2 as a system package will require a rebuild of all packages
> depending on OpenSSL 1.0.1. Which is why Red Hat rather puts efforts
> into keeping 1.0.1 up-to-date by backporting fixes from newer upstream
> releases. Doing that often requires less resources and keeps a far more
> stable environment in a longer run.
I do wonder if it will mean that EL6 or EL7 won't see TLS1.3 support though -
or if they wholesale backport the entire TLS1.3 to OpenSSL 1.0.1.
IIRC, TLS1.3 is supposed to arrive in OpenSSL 1.1.1
--
Steven Haigh
Email: [log in to unmask]
Web: https://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
|
|
|