On 04/02/17 15:37, Steven Haigh wrote: > On Saturday, 4 February 2017 3:29:32 PM AEDT David Sommerseth wrote: >> On 03/02/17 17:22, Andrew C Aitchison wrote: >>> SL6 uses OpenSSL v1.0.1, which is no longer supported by OpenSSL >>> ( https://www.openssl.org/policies/releasestrat.html ). >>> v1.0.2 which may be a drop in replacement is supported until the end of >>> 2019. >> >> Just wanted to point out that regardless of OpenSSL's life cycles, Red >> Hat will continue to support, backport and fix issues with OpenSSL >> v1.0.1 as long as they have a distribution shipping with that version. >> >>> https://access.redhat.com/solutions/1530413 >>> explains Red Hat's position on this, but it can only be read by >>> those with a Red Hat contract. >> >> That URL basically says what I just said in the previous paragraph. >> Otherwise - as already pointed out, for many of these KB articles, you >> just need to have a free account. I would highly recommend people to >> sign up there, as there's lots of good info here. >> >>> Could SL make a similar statement which is available to anyone who >>> has access to SL ? >>> >>> I'm particularly asking since I'm trying to build the latest exim, >>> which does not support openssl v1.0.1 >>> https://lists.exim.org/lurker/message/20170131.025153.592b38db.en.html >>> >>> As we are into 2017, the oldest OpenSSL supported by the OpenSSL >>> project >>> is 1.0.2, so that is now the oldest version which the Exim Maintainers >>> formally "support" for Exim. As of yet, I do not believe that any >>> changes have been merged which would break support for older OpenSSL, >>> but you are on your own if you try to use such. >> >> There seems to be a Fedora EPEL package with Exim 4.88 ready for EL6 >> already: https://koji.fedoraproject.org/koji/buildinfo?buildID=835727 >> >>> I can of course build a local OpenSSL v1.0.2 for exim, but if there were >>> a system version it would be simpler for me. >> >> OpenSSL 1.0.2 as a system package will require a rebuild of all packages >> depending on OpenSSL 1.0.1. Which is why Red Hat rather puts efforts >> into keeping 1.0.1 up-to-date by backporting fixes from newer upstream >> releases. Doing that often requires less resources and keeps a far more >> stable environment in a longer run. > > I do wonder if it will mean that EL6 or EL7 won't see TLS1.3 support though - > or if they wholesale backport the entire TLS1.3 to OpenSSL 1.0.1. > > IIRC, TLS1.3 is supposed to arrive in OpenSSL 1.1.1
<https://bugzilla.redhat.com/show_bug.cgi?id=1416715> -- kind regards, David Sommerseth