From OpenSSL download page (https://www.openssl.org/source/):

Note: The latest stable version is the 1.1.1 series. This is also our Long Term 
Support (LTS) version, supported until 11th September 2023. All other versions 
(including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not 
be used. Users of these older versions are encouraged to upgrade to 1.1.1 as 
soon as possible. Extended support for 1.0.2 to gain access to security fixes 
for that version is available.

While I understand they do offer paid support for previous versions, I don’t 
think it is wise for httpd to openly support discouraged code. Previous 
OpenSSL versions were fun, but it is time to move on.

Just my $.02.

Alex

> On Mar 18, 2020, at 09:44, jean-frederic clere <[email protected]> wrote:
> 
> On 18/03/2020 11:09, Ruediger Pluem wrote:
>>> On 3/18/20 9:36 AM, [email protected] wrote:
>>> Author: jfclere
>>> Date: Wed Mar 18 08:36:46 2020
>>> New Revision: 1875349
>>> 
>>> URL: http://svn.apache.org/viewvc?rev=1875349&view=rev
>>> Log:
>>> Add sha512
>>> 
>>> Modified:
>>>     httpd/site/trunk/tools/roll.sh
>>> 
>>> Modified: httpd/site/trunk/tools/roll.sh
>>> URL: 
>>> http://svn.apache.org/viewvc/httpd/site/trunk/tools/roll.sh?rev=1875349&r1=1875348&r2=1875349&view=diff
>>> ==============================================================================
>>> --- httpd/site/trunk/tools/roll.sh (original)
>>> +++ httpd/site/trunk/tools/roll.sh Wed Mar 18 08:36:46 2020
>>> @@ -103,9 +103,11 @@ openssl="`which openssl 2> /dev/null | h
>>>  md5sum="`which md5sum 2> /dev/null | head -1`"
>>>  sha1sum="`which sha1sum 2> /dev/null | head -1`"
>>>  sha256sum="`which sha256sum 2> /dev/null | head -1`"
>>> +sha512sum="`which sha512sum 2> /dev/null | head -1`"
>>>  md5="`which md5 2> /dev/null | head -1`"
>>>  sha1="`which sha1 2> /dev/null | head -1`"
>>>  sha256="`which sha256 2> /dev/null | head -1`"
>>> +sha512sum="`which sha512sum 2> /dev/null | head -1`"
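Review bot: the second added line, the one after the sha256= assignment in the group of BSD-style tool names (md5, sha1, sha256), repeats the sha512sum assignment from a few lines earlier, so sha512sum is set twice with the same value and this hunk never sets a sha512 variable. To follow the pattern of the neighbouring lines it should read sha512="`which sha512 2> /dev/null | head -1`". It would also help to add a short comment noting that the first group holds the coreutils-style names and the second the BSD-style names, which makes this kind of copy-and-paste slip easier to spot.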
>> Should the above be sha512 instead of sha512sum?
>> Are we sure that openssl / gpg are capable of sha512 for a reasonable span 
>> of versions or is it worth checking for a
>> minimal version?
> 
> gpg looks good, openssl > 1.0.0 is good too and 10 years old no?
> 
>> Regards
>> Rüdiger
> 
> 
> -- 
> Cheers
> 
> Jean-Frederic
