On Wed, 25 Sep 2013 17:44:48 +0200 Rainer Jung <[email protected]> wrote:
> On 25.09.2013 07:33, Kaspar Brand wrote:
> > On 23.09.2013 11:17, Joe Orton wrote:
> >> On Sun, Sep 22, 2013 at 12:32:23PM +0200, Kaspar Brand wrote:
> >>> Feedback on this approach is again very welcome. Increasing the
> >>> minimum required OpenSSL version from 0.9.7 to 0.9.8a shouldn't
> >>> be of concern, IMO, as 0.9.7 is no longer maintained, and 0.9.8a
> >>> was released in October 2005 already.
> >>
> >> I'd guess this is uncontroversial for trunk, but might be worth
> >> flagging up in a separate thread since people did care about 0.9.7
> >> last time we had a poll. Or you could just slip it in and anybody
> >> who is not paying attention to dev@ can suffer the consequences ;)
> >
> > Ok, let's do that then. For the sake of completeness: these are the
> > threads started in May 2010 and July 2011, respectively:
> >
> > https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%[email protected]%3E
> >
> > https://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%[email protected]%3E
> >
> > In the first thread, Joe asked about going straight to 1.0[.0], and
> > people were mostly concerned about 0.9.8 (not 0.9.7) at that time.
> > See e.g.
> >
> > https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%[email protected]%3E
> > https://mail-archives.apache.org/mod_mbox/httpd-dev/201006.mbox/%[email protected]%3E
> >
> > What I put together about two years ago is still true:
> >
> >> Some more data points:
> >>
> >> - the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004
> >>
> >> - OpenSSL 0.9.8 was released in July 2005
> >>
> >> - the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007
> >>
> >> - OpenSSL 1.0.0 was released in March 2010
> >>
> >> I.e., no one should try to compile trunk against OpenSSL 0.9.6
> >> these days, IMO (and even 0.9.7 isn't really a good idea, as the
> >> official releases are no longer maintained).

I see no good reason to support 0.9.7 - in fact the user who insists on
using this can (with 2.4) likely obtain the 2.4.6 mod_ssl sources and use
those in perpetuity. Outdated crypto is more dangerous than no crypto, IMHO.

> > Speaking of mod_ssl in 2.4.x, I can hardly imagine that OS vendors
> > which consider shipping 2.4 (as opposed to 2.2) would still want to
> > compile this against OpenSSL 0.9.7 (even Solaris is now at 1.0.0,
> > FYI).
>
> Yes, Solaris 11 uses 1.0.0, only Solaris 10 is still at 0.9.7. But the
> lib is installed under sfw and not directly linked in in the platform
> ldap lib or similar. So building and installing a custom ssl build and
> using it for httpd is not a real problem, because there won't be
> incompatibilities.
>
> The other OS originally mentioned to still use 0.9.7 was RHEL 4 which
> I guess now, 3 years later, is no longer of concern.
>
> > So, QUESTION: is there anyone who still thinks that going to OpenSSL
> > 0.9.8a for trunk (and very likely for 2.4.x, when backporting) is a
> > bad idea? If so, please raise your voice.

I don't see a 'compatibility' concern; we ensure we won't change how users
consume mod_ssl. We promise nothing with respect to 3rd party libraries.
Anyone adopting 2.4.x since that .0 release, who didn't also adopt at
-minimum- 0.9.8 was a fool who needs a prod to adjust things appropriately.
