On 25.09.2013 07:33, Kaspar Brand wrote:
> On 23.09.2013 11:17, Joe Orton wrote:
>> On Sun, Sep 22, 2013 at 12:32:23PM +0200, Kaspar Brand wrote:
>>> Feedback on this approach is again very welcome. Increasing the minimum
>>> required OpenSSL version from 0.9.7 to 0.9.8a shouldn't be of concern,
>>> IMO, as 0.9.7 is no longer maintained, and 0.9.8a was released in
>>> October 2005 already.
>>
>> I'd guess this is uncontroversial for trunk, but might be worth flagging 
>> up in a separate thread since people did care about 0.9.7 last time we 
>> had a poll.  Or you could just slip it in and anybody who is not paying 
>> attention to dev@ can suffer the consequences ;)
> 
> Ok, let's do that then. For the sake of completeness: these are the
> threads started in May 2010 and July 2011, respectively:
> 
> https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%3c20100525124551.ga11...@redhat.com%3E
> 
> https://mail-archives.apache.org/mod_mbox/httpd-dev/201107.mbox/%3c4e35065d.30...@velox.ch%3E
> 
> In the first thread, Joe asked about going straight to 1.0[.0], and
> people were mostly concerned about 0.9.8 (not 0.9.7) at that time. See e.g.
> 
> https://mail-archives.apache.org/mod_mbox/httpd-dev/201005.mbox/%3ca40a83c6-5030-4226-a09a-a6393cb6e...@apache.org%3E
> https://mail-archives.apache.org/mod_mbox/httpd-dev/201006.mbox/%3c4c0535a9.10...@kippdata.de%3E
> 
> What I put together about two years ago is still true:
> 
>> Some more data points:
>>
>> - the last OpenSSL 0.9.6 release (0.9.6m) is from March 2004
>>
>> - OpenSSL 0.9.8 was released in July 2005
>>
>> - the last OpenSSL 0.9.7 release (0.9.7m) is from February 2007
>>
>> - OpenSSL 1.0.0 was released in March 2010
>>
>> I.e., no one should try to compile trunk against OpenSSL 0.9.6 these
>> days, IMO (and even 0.9.7 isn't really a good idea, as the official
>> releases are no longer maintained).
> 
> Speaking of mod_ssl in 2.4.x, I can hardly imagine that OS vendors which
> consider shipping 2.4 (as opposed to 2.2) would still want to compile
> this against OpenSSL 0.9.7 (even Solaris is now at 1.0.0, FYI).

Yes, Solaris 11 uses 1.0.0, only Solaris 10 is still at 0.9.7. But the
lib is installed under sfw and not directly linked in in the platform
ldap lib or similar. So building and installing a custom ssl build and
using it for httpd is not a real problem, because there won't be
incompatibilities.

The other OS originally mentioned to still use 0.9.7 was RHEL 4 which I
guess now, 3 years later, is no longer of concern.

> So, QUESTION: is there anyone who still thinks that going to OpenSSL
> 0.9.8a for trunk (and very likely for 2.4.x, when backporting) is a bad
> idea? If so, please raise your voice.

Not me.

Rainer
