On 16.03.2018 at 13:20, Eric Covener wrote:
On Fri, Mar 16, 2018 at 8:07 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:
Last time we had the discussion was 2010/2011.

We might increase minimum OpenSSL version for everything newer than 2.4.x to
OpenSSL 1.0.1.

I think RHEL 6 and SLES11 both provide OpenSSL 1.0.1 at least as an
alternative. RHEL 7 and SLES 12 still seem to be at 1.0.1 (at least without
service pack). I do not know about BSD and others.

Of course increasing the minimum requirement to 1.0.1 makes backports a bit
more risky. On the other hand I think our support promise for old OpenSSL is
probably no longer true, because likely almost nobody will test anything
newer than 2.4.x with OpenSSL 0.9.8, 0.9.9 or 1.0.0. The same statement
might hold for 2.4.x, but there we are bound due to our support for older
platforms.

Do we have more data points? Opinions about increasing to 1.0.1?

I prefer to see it bumped in 2.4 with 1-2 year window.

My unmaintained SLES 11.0 is at 9.8h but I know from other contexts
that 11.0 is very unique/unusable/unsupportable.  But I poked around
an update repo and could not find a 1.x anywhere.  I am a bit
surprised.  But I don't think this should hold us or users back.

I found this page

https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html

which mentions >>the “SUSE Linux Enterprise 11 Security Module”, providing enhancements to SUSE Linux Enterprise 11 SP3, and later SP4.<<

The packages are in a special repository named "nu_novell_com:SLE11-Security-Module", details on that page. I have not tried it though.

Regards,

Rainer


