On Fri, Mar 16, 2018 at 8:07 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:
> Last time we had the discussion was 2010/2011.
>
> We might increase the minimum OpenSSL version for everything newer than 2.4.x to
> OpenSSL 1.0.1.
>
> I think RHEL 6 and SLES 11 both provide OpenSSL 1.0.1 at least as an
> alternative. RHEL 7 and SLES 12 still seem to be at 1.0.1 (at least without
> service pack). I do not know about BSD and others.
>
> Of course increasing the minimum requirement to 1.0.1 makes backports a bit
> more risky. On the other hand I think our support promise for old OpenSSL is
> probably no longer true, because likely almost nobody will test anything
> newer than 2.4.x with OpenSSL 0.9.8, 0.9.9 or 1.0.0. The same statement
> might hold for 2.4.x, but there we are bound due to our support for older
> platforms.
>
> Do we have more data points? Opinions about increasing to 1.0.1?
I prefer to see it bumped in 2.4 with a 1-2 year window. My unmaintained SLES 11.0 is at 0.9.8h, but I know from other contexts that 11.0 is very unique/unusable/unsupportable. I poked around an update repo and could not find a 1.x anywhere; I am a bit surprised. But I don't think this should hold us or users back.
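The thread compares OpenSSL releases such as 0.9.8h, 1.0.0 and 1.0.1, which a build system sees only through the numeric OPENSSL_VERSION_NUMBER macro. The following is an added example, not code from the thread or from httpd, showing how a "minimum 1.0.1" requirement would be expressed as a compile-time guard and how the pre-3.0 encoding of that macro (MNNFFPPS: major, minor, fix, patch letter, status nibble) decodes back into the version strings quoted above. The MIN_OPENSSL constant, the helper names and the sample version numbers are assumptions made for the example; the encoding itself is OpenSSL's documented layout for 0.9.x through 1.1.x.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical floor for the example: OpenSSL 1.0.1, any patch letter,
 * release status. In the pre-3.0 MNNFFPPS layout that is 0x10001000L. */
#define MIN_OPENSSL 0x10001000L

/* If <openssl/opensslv.h> were included before this point, this guard would
 * fail the build on anything older than 1.0.1. Without the header the macro
 * is undefined and the block stays self-contained. */
#ifdef OPENSSL_VERSION_NUMBER
#if OPENSSL_VERSION_NUMBER < MIN_OPENSSL
#error "OpenSSL 1.0.1 or newer is required"
#endif
#endif

/* Decode a pre-3.0 OPENSSL_VERSION_NUMBER into its text form, e.g.
 * 0x0090808fL -> "0.9.8h", 0x1000107fL -> "1.0.1g", 0x1000100fL -> "1.0.1".
 * Returns the string length, or -1 if the number or the buffer is unusable. */
int decode_openssl_version(unsigned long v, char *out, size_t outlen)
{
    unsigned major  = (v >> 28) & 0xf;   /* M  */
    unsigned minor  = (v >> 20) & 0xff;  /* NN */
    unsigned fix    = (v >> 12) & 0xff;  /* FF */
    unsigned patch  = (v >> 4)  & 0xff;  /* PP: 0 = none, 1 = 'a', 2 = 'b', ... */
    unsigned status = v & 0xf;           /* S:  0 = dev, 1..14 = beta, 15 = release */
    char letter[2] = "";
    char suffix[16] = "";
    int n;

    if (patch > 26)                      /* patch letters only run a..z */
        return -1;
    if (patch > 0)
        letter[0] = (char)('a' + patch - 1);

    if (status == 0)
        snprintf(suffix, sizeof suffix, "-dev");
    else if (status < 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", status);

    n = snprintf(out, outlen, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Runtime form of the same policy, usable against SSLeay()/OpenSSL_version_num(). */
int openssl_is_supported(unsigned long v)
{
    return v >= MIN_OPENSSL;
}

/* Convenience check: does the number decode to exactly the expected string? */
int version_is(unsigned long v, const char *expected)
{
    char buf[32];
    if (decode_openssl_version(v, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample values covering the releases mentioned in the thread. */
    const unsigned long samples[] = { 0x0090808fL, 0x1000000fL, 0x1000100fL,
                                      0x1000107fL, 0x1000200fL };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decode_openssl_version(samples[i], buf, sizeof buf);
        printf("0x%08lx  %-8s  %s\n", samples[i], buf,
               openssl_is_supported(samples[i]) ? "ok" : "too old");
    }
    return 0;
}
```

With the real header included, the `#error` line is the whole enforcement; the decoder is only there so a configure script or a bug report can print which release a distribution package actually shipped, which is the data point the thread is asking for.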