Hi Igor, On Fri, Jan 26, 2018 at 05:07:10PM +1100, Igor Cicimov wrote: > Hi Willy, > > On Fri, Jan 26, 2018 at 3:47 PM, Willy Tarreau <w...@1wt.eu> wrote: > > > On Fri, Jan 26, 2018 at 01:26:35AM +1100, Igor Cicimov wrote: > > > Or you meant using the haproxy 16.04 image actually. Ok, another option > > is > > > to compile it myself with the openssl version I have atm. > > > > What mostly matters is the version used to *build* haproxy, because > > some features have to be known at build time. If you pick an haproxy > > package made for a more recent distro using 1.0.2 or later, it will > > enable ALPN. Whether or not it will work on your current distro with > > your locally rebuilt openssl is a big question of course. > > > > You should definitely avoid building openssl yourself, it's the best > > way to forget about upgrading it when a vulnerability is disclosed. > > However if you're already doing it for other reasons it's different > > and then maybe you can build your own haproxy with this openssl > > version. But as Lukas said, the easiest solution is to upgrade the > > distro :-) > > > > Willy > > > > > So that's actually what my initial question was aiming at. While building > the deb archive for ubuntu trusty lets say doesn't it make sense to build > it using the latest stable openssl 1.0.2 just for the sake of the > features?
I don't know what version ships in standard with this distro, but it makes sense to me that the packages that are built for a distro work with the distro's default package versions and do not require some hacks by the user. So if the distro uses 1.0.2 by default it would make sense. If it uses 1.0.1, it wouldn't make sense to add an extra dependency on an external, possibly less maintained, package. But that's just my opinion, I'm not a distro packager. However that's the type of issues we've had to deal with in our enterprise version since users expect the packages to work by default and a few advanced users also want the best features which are unfortunately not compatible with the default distro :-/ And recently we've seen a progress in the right direction (eg with RHEL 7.4 IIRC) though that breaks again the compatibility with users of older packages! I really think that the whole mess around this is caused by the fact that H2 requires ALPN which was not present in the openssl version shipped with most distros when it was released, and that the lack of visibility of any future long term supported openssl version doesn't encourage distro vendors to provide large scale upgrades. Willy
