SCIENTIFIC-LINUX-USERS Archives

February 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Sun, 5 Feb 2017 21:07:35 +0100

On 04/02/17 15:37, Steven Haigh wrote:
> On Saturday, 4 February 2017 3:29:32 PM AEDT David Sommerseth wrote:
>> On 03/02/17 17:22, Andrew C Aitchison wrote:
>>> SL6 uses OpenSSL v1.0.1, which is no longer supported by OpenSSL
>>> ( https://www.openssl.org/policies/releasestrat.html ).
>>> v1.0.2 which may be a drop in replacement is supported until the end of
>>> 2019.
>>
>> Just wanted to point out that regardless of OpenSSL's life cycles, Red
>> Hat will continue to support, backport and fix issues with OpenSSL
>> v1.0.1 as long as they have a distribution shipping with that version.
>>
>>> https://access.redhat.com/solutions/1530413
>>> explains Red Hat's position on this, but it can only be read by
>>> those with a Red Hat contract.
>>
>> That URL basically says what I just said in the previous paragraph.
>> Otherwise - as already pointed out, for many of these KB articles, you
>> just need to have a free account.  I would highly recommend people to
>> sign up there, as there's lots of good info here.
>>
>>> Could SL make a similar statement which is available to anyone who
>>> has access to SL ?
>>>
>>> I'm particularly asking since I'm trying to build the latest exim,
>>> which does not support openssl v1.0.1
>>> https://lists.exim.org/lurker/message/20170131.025153.592b38db.en.html
>>>
>>>    As we are into 2017, the oldest OpenSSL supported by the OpenSSL
>>>    project
>>>    is 1.0.2, so that is now the oldest version which the Exim Maintainers
>>>    formally "support" for Exim. As of yet, I do not believe that any
>>>    changes have been merged which would break support for older OpenSSL,
>>>    but you are on your own if you try to use such.
>>
>> There seems to be a Fedora EPEL package with Exim 4.88 ready for EL6
>> already: https://koji.fedoraproject.org/koji/buildinfo?buildID=835727
>>
>>> I can of course build a local OpenSSL v1.0.2 for exim, but if there were
>>> a system version it would be simpler for me.
>>
>> OpenSSL 1.0.2 as a system package will require a rebuild of all packages
>> depending on OpenSSL 1.0.1.  Which is why Red Hat rather puts efforts
>> into keeping 1.0.1 up-to-date by backporting fixes from newer upstream
>> releases.  Doing that often requires less resources and keeps a far more
>> stable environment in a longer run.
> 
> I do wonder if it will mean that EL6 or EL7 won't see TLS1.3 support though - 
> or if they wholesale backport the entire TLS1.3 to OpenSSL 1.0.1.
> 
> IIRC, TLS1.3 is supposed to arrive in OpenSSL 1.1.1

<https://bugzilla.redhat.com/show_bug.cgi?id=1416715>


-- 
kind regards,

David Sommerseth
