On 03/16/2018 01:33 PM, Yann Ylavic wrote:
> On Fri, Mar 16, 2018 at 1:11 PM, Eric Covener <cove...@gmail.com> wrote:
>> On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
>> <stefan.eiss...@greenbytes.de> wrote:
>>> Hi Rainer,
>>>
>>> thanks for solving this issue. The version check indeed was missing. I do
>>> not think supporting ACME on servers with such old OpenSSL is really
>>> something to strive for. I'd have settled for a check of 1.0.2 even. If
>>> your changed check makes it working for 1.0.1 also, that's fine.
>>>
>>> My (a tad philosophical) point of view is that security on the public
>>> network is only achievable and *maintainable* by ever moving forward to the
>>> latest, best efforts of the community. If you stick on a version, even if
>>> that worked fine at the time, you'll get owned.
>>>
>>> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe
>>> this is a reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited
>>> baseline? Without mpm-prefork, http/0.9 and other cruft? A man can dream...
>>
>> 2.6 aside, should we just pick a date that openssl < 1.0.1 (or
>> whatever) compat will be dropped from 2.4 and add it to the
>> announcement template/website? I don't think we're ultimately doing
>> anyone favors here.
>
> +1, and while at it I think we should even require 1.0.2 (if
> possible) since 1.0.1 is no longer supported at OpenSSL.
>

-0.5. You still have supported versions of OpenSSL 1.0.1 out there (at least
the packages delivered with RedHat / CentOS 6).
Increasing the requirement to 1.0.1 seems fine though.

Regards

Rüdiger