On Fri, Mar 16, 2018 at 1:11 PM, Eric Covener <cove...@gmail.com> wrote: > On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing > <stefan.eiss...@greenbytes.de> wrote: >> Hi Rainer, >> >> thanks for solving this issue. The version check indeed was missing. I do >> not think supporting ACME on servers with such old OpenSSL is really >> something to strive for. I'd have settled for a check von 1.0.2 even. If >> your changed check makes it working for 1.0.1 also, that's fine. >> >> My (a tad philosophical) point of view is that security on the public >> network is only achievable and *maintainable* by ever moving forward to the >> lastest, best efforts of the community. If you stick on version, even if >> that worked fine at the time, you'll get owned. >> >> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe >> this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited >> baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream... > > 2.6 aside, should we just pick a date that openssl < 1.0.1 (or > whatever) compat will be dropped from 2.4 and add it to the > announcement template/website? I don't think we're ultimately doing > anyone favors here.
+1, and while at it I think I think we should even require 1.0.2 (if possible) since 1.0.1 in no longer supported at OpenSSL.