Last time we had the discussion was 2010/2011.
We might increase minimum OpenSSL version for everything newer than
2.4.x to OpenSSL 1.0.1.
I think RHEL 6 and SLES11 both provide OpenSSL 1.0.1 at least as an
alternative. RHEL 7 and SLES 12 still seem to be at 1.0.1 (at least
without service pack). I do not know about BSD and others.
Of course increasing the minimum requirement to 1.0.1 makes backports a
bit more risky. On the other hand I think our support promise for old
OpenSSL is probably no longer true, because likely almost nobody will
test anything newer than 2.4.x with OpenSSL 0.9.8, 0.9.9 or 1.0.0. The
same statement might hold for 2.4.x, but there we are bound due to our
support for older platforms.
Do we have more data points? Opinions about increasing to 1.0.1?
Regards,
Rainer