Posted to dev@trafficserver.apache.org by Masaori Koshiba <ma...@apache.org> on 2019/02/22 06:37:13 UTC

[DISCUSS] Minimum version of OpenSSL

Hi all,

Could we bump the minimum required OpenSSL version to 1.0.2 in the next
major release?

I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
library version 0.9.4 or greater [*1].
But I think nobody is using such an old OpenSSL, so we can bump the minimum
version of OpenSSL.

According to the OpenSSL Release Strategy [*2], version 1.0.2 is the current
minimum version supported by the OpenSSL community,
and version 1.0.1 reached end of support 2 years ago (on 2016-12-31). Version
1.0.2 looks like a reasonable choice.

If we bump the minimum version of OpenSSL, we can remove many ifdefs in the
SSL components.

> With regards to current and future releases the OpenSSL project has
> adopted the following policy:
>
> - Version 1.1.0 will be supported until one year after the release of
> 1.1.1
> - Version 1.0.2 will be supported until 2019-12-31 (LTS).
> - Version 1.0.1 is no longer supported.
> - Version 1.0.0 is no longer supported.
> - Version 0.9.8 is no longer supported.

[*1]
https://github.com/apache/trafficserver/blob/c811aea9e0484433fbdd63e0fa6b9fbab87085eb/iocore/net/SSLUtils.cc#L85-L88
[*2] https://www.openssl.org/policies/releasestrat.html

Thanks,
Masaori
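
An added illustration, not Traffic Server's SSLUtils code and not part of the thread: the version gate that a 1.0.2 floor implies, written in C because OPENSSL_VERSION_NUMBER is a preprocessor constant and the SSL components are native code. The numeric encoding (0xMNNFFPPS) and the values for 1.0.1e, 1.0.1f and 1.0.2 come from OpenSSL's opensslv.h; MIN_OPENSSL_VERSION, the ossl_* names and the header/library pairs in main() are constructed for the example. Both version numbers are passed in as parameters so the example compiles and runs without OpenSSL installed; in a real build they would be OPENSSL_VERSION_NUMBER and OpenSSL_version_num() (SSLeay() in 1.0.x).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Traffic Server code.
 * OpenSSL 0.9.x through 1.1.x define OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 *   M = major, NN = minor, FF = fix, PP = patch letter (a = 1, b = 2, ...),
 *   S = status (0 = dev, 1..0xe = beta N, 0xf = release).
 * So 1.0.1e = 0x1000105f, 1.0.1f = 0x1000106f, 1.0.2 = 0x1000200f.
 * OpenSSL 3.x uses a different layout (0xMNN00PP0); values >= 0x30000000
 * are rejected below instead of being misread. */

#define MIN_OPENSSL_VERSION 0x1000200fUL   /* 1.0.2 release: the assumed floor */

struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

enum ossl_check_result {
    OSSL_OK = 0,
    OSSL_HEADER_TOO_OLD,     /* what "#if OPENSSL_VERSION_NUMBER < min" + #error catches */
    OSSL_LIBRARY_TOO_OLD,    /* headers new enough; the library loaded at run time is not */
    OSSL_SERIES_MISMATCH,    /* headers and library differ in M.NN.FF, i.e. different ABI */
    OSSL_UNSUPPORTED_LAYOUT  /* 3.x-style number, not decoded here */
};

/* Split a pre-3.0 OPENSSL_VERSION_NUMBER into its fields. */
static bool ossl_decode(unsigned long v, struct ossl_version *out)
{
    if (v >= 0x30000000UL) return false;
    out->major  = (unsigned)((v >> 28) & 0xf);
    out->minor  = (unsigned)((v >> 20) & 0xff);
    out->fix    = (unsigned)((v >> 12) & 0xff);
    out->patch  = (unsigned)((v >> 4) & 0xff);
    out->status = (unsigned)(v & 0xf);
    return true;
}

/* Render as OpenSSL prints it: "1.0.1e", "1.0.2", "1.1.0-beta2", "1.0.2-dev". */
static int ossl_format(unsigned long v, char *buf, size_t n)
{
    struct ossl_version ver;
    char patch[8] = "", status[12] = "";

    if (!ossl_decode(v, &ver)) return snprintf(buf, n, "unsupported(0x%lx)", v);
    if (ver.patch >= 1 && ver.patch <= 26)
        snprintf(patch, sizeof patch, "%c", 'a' + (int)ver.patch - 1);
    else if (ver.patch != 0)
        snprintf(patch, sizeof patch, "+%u", ver.patch);   /* past 'z': never shipped */
    if (ver.status == 0)
        snprintf(status, sizeof status, "-dev");
    else if (ver.status < 0xf)
        snprintf(status, sizeof status, "-beta%u", ver.status);
    return snprintf(buf, n, "%u.%u.%u%s%s", ver.major, ver.minor, ver.fix, patch, status);
}

/* Does v render as the expected string? (used by the checks below) */
static bool ossl_version_is(unsigned long v, const char *expected)
{
    char buf[32];
    ossl_format(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* The gate. header_ver is what the code was compiled against, lib_ver is the
 * library actually loaded; in a real build pass OPENSSL_VERSION_NUMBER and
 * OpenSSL_version_num() (SSLeay() in 1.0.x). Taken as parameters here. */
static enum ossl_check_result
ossl_check(unsigned long header_ver, unsigned long lib_ver, unsigned long min)
{
    struct ossl_version h, l;

    if (header_ver < min) return OSSL_HEADER_TOO_OLD;
    if (lib_ver < min) return OSSL_LIBRARY_TOO_OLD;
    if (!ossl_decode(header_ver, &h) || !ossl_decode(lib_ver, &l)) return OSSL_UNSUPPORTED_LAYOUT;
    if (h.major != l.major || h.minor != l.minor || h.fix != l.fix) return OSSL_SERIES_MISMATCH;
    return OSSL_OK;
}

int main(void)
{
    /* Constructed header/library pairs; not measured on real hosts. */
    static const struct { unsigned long header, library; const char *what; } cases[] = {
        { 0x1000105fUL, 0x1000105fUL, "stock CentOS 6 (1.0.1e)" },
        { 0x1000106fUL, 0x1000106fUL, "stock Ubuntu 14.04 (1.0.1f)" },
        { 0x100020bfUL, 0x1000105fUL, "built against custom 1.0.2k, distro 1.0.1e loaded" },
        { 0x100020bfUL, 0x100020bfUL, "custom 1.0.2k, headers and library agree" },
        { 0x1000200fUL, 0x1010100fUL, "1.0.2 headers, 1.1.1 library" },
    };
    static const char *const verdict[] = {
        "ok", "headers too old", "library too old", "header/library mismatch", "unsupported layout"
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char h[32], l[32];
        ossl_format(cases[i].header, h, sizeof h);
        ossl_format(cases[i].library, l, sizeof l);
        printf("%-52s headers=%-7s library=%-7s -> %s\n", cases[i].what, h, l,
               verdict[ossl_check(cases[i].header, cases[i].library, MIN_OPENSSL_VERSION)]);
    }
    return 0;
}
```

Two things worth noting about the check. The compile-time half is the one-liner `#if OPENSSL_VERSION_NUMBER < 0x1000200fL` followed by `#error`, and it is the same comparison that guards 1.0.2-only features such as the ALPN selection callback; once the floor is 1.0.2 those guards can simply go, which is the ifdef cleanup the post mentions. The run-time half matters precisely in the "install a custom OpenSSL build" case raised later in the thread: built from source, every 1.0.x release installs the same libssl.so.1.0.0 soname, so a binary compiled against a hand-installed 1.0.2 can silently pick up the distro's 1.0.1 at run time unless the loaded library's version is checked too. Conversely, the check cannot see what a distro has backported: a CentOS 6 library still reports 1.0.1e after Red Hat's cherry-picked fixes, so a version gate only tells you which APIs exist, not the patch state.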

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Masaori Koshiba <ma...@apache.org>.
I opened a Pull Request for this. Please take a look.

https://github.com/apache/trafficserver/pull/5074

- Masaori

On Wed, Feb 27, 2019 at 6:32 Bryan Call <bc...@apache.org> wrote:

> +1
>
> -Bryan
>
> > On Feb 25, 2019, at 5:06 PM, Masaori Koshiba <ma...@apache.org> wrote:
> >
> > Our conclusion is below
> >
> > 1). Move minimum OpenSSL version of ATS v9.0.0 to 1.0.2.
> >
> > 2). ATS v9.0.0 also drop support for the following platforms because of
> > openssl version
> >
> >  - CentOS 6 (OpenSSL v1.0.1e)
> >  - Ubuntu 14.04 (OpenSSL v1.0.1f)
> >
> > 3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL
> >
> > For the vulnerabilities, I forgot about that. Thanks for pointing out.
> >
> > Thanks,
> > Masaori
> >
> > On Mon, Feb 25, 2019 at 23:13 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
> >
> >> Masaori,
> >>
> >> Sounds like good reasoning.  I am completely ok with moving the minimum
> >> with 1.0.2 as long as CentOS 6 is dropped at the same time.
> >>
> >> WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
> >> security fixes from newer openssl's into their Openssl 1.0.1 version,
> so it
> >> is probably not that dangerous to use it.
> >>
> >> Susan
> >>
> >> On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <ma...@apache.org>
> >> wrote:
> >>
> >>> This is incompatible change, so the change will be done on next major
> >>> release, ATS 9.
> >>> We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8
> anyway.
> >> It
> >>> looks like
> >>> ATS 8 will end of life at similar timing of CentOS 6[*1]. So people
> using
> >>> CentOS 6 can use
> >>> OpenSSL 1.0.1 and ATS 8 until late 2020 by taking their own risks.
> >>>
> >>> # EOLs
> >>> CentOS 6 : November 30, 2020
> >>> ATS 8 : September 2020
> >>> ATS 9 : July 2021
> >>>
> >>> ATS 9 looks good timing for dropping support of OpenSSL 1.0.1 and
> CentOS
> >> 6.
> >>>
> >>> FWIW, 15 vulnerabilities of OpenSSL were found last 2 years[*1]. I’m
> not
> >>> sure how many of
> >>> them affect version 1.0.1, but it looks quite dangerous to use it.
> >>>
> >>> [*1]
> >>>
> >>>
> >>
> https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
> >>> [*2] https://www.openssl.org/news/vulnerabilities.html
> >>>
> >>> Thanks,
> >>> Masaori
> >>>
> >>> On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
> >>>
> >>>> A quick search shows only instructions for how to build openssl 1.0.2
> >>> from
> >>>> source on Rhel6/Centos6.  If there is an epel-like rpm it does not
> seem
> >>> to
> >>>> be well advertised.
> >>>>
> >>>> I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
> >>>> support for Centos 6.
> >>>>
> >>>> On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org>
> >> wrote:
> >>>>
> >>>>>
> >>>>>
> >>>>>> On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
> >>>> shinrich@verizonmedia.com.INVALID>
> >>>>> wrote:
> >>>>>>
> >>>>>> Definitely at least drawing the line at openssl 1.0.1 makes sense.
> >>> As
> >>>>> Leif
> >>>>>> notes moving to 1.0.2 for the baseline means that some supported
> >>>>>> distributions cannot use the system openssl.  For Centos6 anyway we
> >>>>> require
> >>>>>> a replacement for the system compiler which you can acquire from
> >>>>>> devtoolset.  Is there a similar epel mechanism to get a package
> >> for a
> >>>>> more
> >>>>>> modern openssl?
> >>>>>
> >>>>>
> >>>>> I could not find one on my existing CentOS 6 images, which has both
> >>> EPEL
> >>>>> and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> >>>>> other, non-standard repos with newer OpenSSLs, but I think we should
> >> be
> >>>>> cautious recommending people to enable “rogue” yum repos in general.
> >>>>>
> >>>>> Cheers,
> >>>>>
> >>>>> — Leif
> >>>>>
> >>>>>>
> >>>>>> On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
> >>>> wrote:
> >>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <
> >> masaori@apache.org>
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
> >>>> next
> >>>>>>>> major release?
> >>>>>>>>
> >>>>>>>> I just noticed that SSLUtils says that Traffic Server requires an
> >>>>> OpenSSL
> >>>>>>>> library version 0.9.4 or greater [*1].
> >>>>>>>> But I think nobody is using such old OpenSSL. So we can bump
> >>> minimum
> >>>>>>>> version of OpenSSL.
> >>>>>>>>
> >>>>>>>> According to OpenSSL Release Strategy [*2], version 1.0.2 is
> >>> current
> >>>>>>>> minimum supported version by OpenSSL community.
> >>>>>>>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
> >>>>> Version
> >>>>>>>> 1.0.2 looks reasonable choice.
> >>>>>>>
> >>>>>>>
> >>>>>>> Yes, we should do this for v9.0.0. This would effectively drop
> >>> support
> >>>>> for
> >>>>>>> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
> >>>>> that’s
> >>>>>>> fine. For two reasons:
> >>>>>>>
> >>>>>>> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is
> >>> not
> >>>>>>> supported.
> >>>>>>>
> >>>>>>> 2) It’s not difficult to install a custom OpenSSL build if
> >>> necessary.
> >>>>>>>
> >>>>>>>
> >>>>>>> So, +1 on this, with the amendment that we also drop official
> >>> support
> >>>>> for
> >>>>>>> the following platforms that are currently on the CI:
> >>>>>>>
> >>>>>>>       CentOS 6  (OpenSSL v1.0.1e)
> >>>>>>>       Ubuntu 14.04 (OpenSSL v1.0.1f)
> >>>>>>>
> >>>>>>> (Debian7 was already dropped, because of lack of compiler
> >> support).
> >>>>>>>
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>>
> >>>>>>> — Leif
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
>
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Bryan Call <bc...@apache.org>.
+1

-Bryan

> On Feb 25, 2019, at 5:06 PM, Masaori Koshiba <ma...@apache.org> wrote:
> 
> Our conclusion is below
> 
> 1). Move minimum OpenSSL version of ATS v9.0.0 to 1.0.2.
> 
> 2). ATS v9.0.0 also drop support for the following platforms because of
> openssl version
> 
>  - CentOS 6 (OpenSSL v1.0.1e)
>  - Ubuntu 14.04 (OpenSSL v1.0.1f)
> 
> 3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL
> 
> For the vulnerabilities, I forgot about that. Thanks for pointing out.
> 
> Thanks,
> Masaori
> 
> On Mon, Feb 25, 2019 at 23:13 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
> 
>> Masaori,
>> 
>> Sounds like good reasoning.  I am completely ok with moving the minimum
>> with 1.0.2 as long as CentOS 6 is dropped at the same time.
>> 
>> WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
>> security fixes from newer openssl's into their Openssl 1.0.1 version, so it
>> is probably not that dangerous to use it.
>> 
>> Susan
>> 
>> On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <ma...@apache.org>
>> wrote:
>> 
>>> This is incompatible change, so the change will be done on next major
>>> release, ATS 9.
>>> We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway.
>> It
>>> looks like
>>> ATS 8 will end of life at similar timing of CentOS 6[*1]. So people using
>>> CentOS 6 can use
>>> OpenSSL 1.0.1 and ATS 8 until late 2020 by taking their own risks.
>>> 
>>> # EOLs
>>> CentOS 6 : November 30, 2020
>>> ATS 8 : September 2020
>>> ATS 9 : July 2021
>>> 
>>> ATS 9 looks good timing for dropping support of OpenSSL 1.0.1 and CentOS
>> 6.
>>> 
>>> FWIW, 15 vulnerabilities of OpenSSL were found last 2 years[*1]. I’m not
>>> sure how many of
>>> them affect version 1.0.1, but it looks quite dangerous to use it.
>>> 
>>> [*1]
>>> 
>>> 
>> https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
>>> [*2] https://www.openssl.org/news/vulnerabilities.html
>>> 
>>> Thanks,
>>> Masaori
>>> 
>>> On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
>>> 
>>>> A quick search shows only instructions for how to build openssl 1.0.2
>>> from
>>>> source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem
>>> to
>>>> be well advertised.
>>>> 
>>>> I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
>>>> support for Centos 6.
>>>> 
>>>> On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org>
>> wrote:
>>>> 
>>>>> 
>>>>> 
>>>>>> On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
>>>> shinrich@verizonmedia.com.INVALID>
>>>>> wrote:
>>>>>> 
>>>>>> Definitely at least drawing the line at openssl 1.0.1 makes sense.
>>> As
>>>>> Leif
>>>>>> notes moving to 1.0.2 for the baseline means that some supported
>>>>>> distributions cannot use the system openssl.  For Centos6 anyway we
>>>>> require
>>>>>> a replacement for the system compiler which you can acquire from
>>>>>> devtoolset.  Is there a similar epel mechanism to get a package
>> for a
>>>>> more
>>>>>> modern openssl?
>>>>> 
>>>>> 
>>>>> I could not find one on my existing CentOS 6 images, which has both
>>> EPEL
>>>>> and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
>>>>> other, non-standard repos with newer OpenSSLs, but I think we should
>> be
>>>>> cautious recommending people to enable “rogue” yum repos in general.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> — Leif
>>>>> 
>>>>>> 
>>>>>> On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
>>>> wrote:
>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <
>> masaori@apache.org>
>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Hi all,
>>>>>>>> 
>>>>>>>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
>>>> next
>>>>>>>> major release?
>>>>>>>> 
>>>>>>>> I just noticed that SSLUtils says that Traffic Server requires an
>>>>> OpenSSL
>>>>>>>> library version 0.9.4 or greater [*1].
>>>>>>>> But I think nobody is using such old OpenSSL. So we can bump
>>> minimum
>>>>>>>> version of OpenSSL.
>>>>>>>> 
>>>>>>>> According to OpenSSL Release Strategy [*2], version 1.0.2 is
>>> current
>>>>>>>> minimum supported version by OpenSSL community.
>>>>>>>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
>>>>> Version
>>>>>>>> 1.0.2 looks reasonable choice.
>>>>>>> 
>>>>>>> 
>>>>>>> Yes, we should do this for v9.0.0. This would effectively drop
>>> support
>>>>> for
>>>>>>> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
>>>>> that’s
>>>>>>> fine. For two reasons:
>>>>>>> 
>>>>>>> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is
>>> not
>>>>>>> supported.
>>>>>>> 
>>>>>>> 2) It’s not difficult to install a custom OpenSSL build if
>>> necessary.
>>>>>>> 
>>>>>>> 
>>>>>>> So, +1 on this, with the amendment that we also drop official
>>> support
>>>>> for
>>>>>>> the following platforms that are currently on the CI:
>>>>>>> 
>>>>>>>       CentOS 6  (OpenSSL v1.0.1e)
>>>>>>>       Ubuntu 14.04 (OpenSSL v1.0.1f)
>>>>>>> 
>>>>>>> (Debian7 was already dropped, because of lack of compiler
>> support).
>>>>>>> 
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> — Leif
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>> 


Re: [DISCUSS] Minimum version of OpenSSL

Posted by "Steven R. Feltner" <sf...@godaddy.com>.
This sounds like a solid plan for deprecating support for older OSes and updating our requirements for OpenSSL.

Thanks,
Steven

On 2/25/19, 9:06 PM, "Masaori Koshiba" <ma...@apache.org> wrote:

    Our conclusion is below
    
    1). Move minimum OpenSSL version of ATS v9.0.0 to 1.0.2.
    
    2). ATS v9.0.0 also drop support for the following platforms because of
    openssl version
    
      - CentOS 6 (OpenSSL v1.0.1e)
      - Ubuntu 14.04 (OpenSSL v1.0.1f)
    
    3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL
    
    For the vulnerabilities, I forgot about that. Thanks for pointing out.
    
    Thanks,
    Masaori
    
    On Mon, Feb 25, 2019 at 23:13 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
    
    > Masaori,
    >
    > Sounds like good reasoning.  I am completely ok with moving the minimum
    > with 1.0.2 as long as CentOS 6 is dropped at the same time.
    >
    > WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
    > security fixes from newer openssl's into their Openssl 1.0.1 version, so it
    > is probably not that dangerous to use it.
    >
    > Susan
    >
    > On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <ma...@apache.org>
    > wrote:
    >
    > > This is incompatible change, so the change will be done on next major
    > > release, ATS 9.
    > > We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway.
    > It
    > > looks like
    > > ATS 8 will end of life at similar timing of CentOS 6[*1]. So people using
    > > CentOS 6 can use
    > > OpenSSL 1.0.1 and ATS 8 until late 2020 by taking their own risks.
    > >
    > > # EOLs
    > > CentOS 6 : November 30, 2020
    > > ATS 8 : September 2020
    > > ATS 9 : July 2021
    > >
    > > ATS 9 looks good timing for dropping support of OpenSSL 1.0.1 and CentOS
    > 6.
    > >
    > > FWIW, 15 vulnerabilities of OpenSSL were found last 2 years[*1]. I’m not
    > > sure how many of
    > > them affect version 1.0.1, but it looks quite dangerous to use it.
    > >
    > > [*1]
    > >
    > >
    > https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
    > > [*2] https://www.openssl.org/news/vulnerabilities.html
    > >
    > > Thanks,
    > > Masaori
    > >
    > > On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
    > >
    > > > A quick search shows only instructions for how to build openssl 1.0.2
    > > from
    > > > source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem
    > > to
    > > > be well advertised.
    > > >
    > > > I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
    > > > support for Centos 6.
    > > >
    > > > On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org>
    > wrote:
    > > >
    > > > >
    > > > >
    > > > > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
    > > > shinrich@verizonmedia.com.INVALID>
    > > > > wrote:
    > > > > >
    > > > > > Definitely at least drawing the line at openssl 1.0.1 makes sense.
    > > As
    > > > > Leif
    > > > > > notes moving to 1.0.2 for the baseline means that some supported
    > > > > > distributions cannot use the system openssl.  For Centos6 anyway we
    > > > > require
    > > > > > a replacement for the system compiler which you can acquire from
    > > > > > devtoolset.  Is there a similar epel mechanism to get a package
    > for a
    > > > > more
    > > > > > modern openssl?
    > > > >
    > > > >
    > > > > I could not find one on my existing CentOS 6 images, which has both
    > > EPEL
    > > > > and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
    > > > > other, non-standard repos with newer OpenSSLs, but I think we should
    > be
    > > > > cautious recommending people to enable “rogue” yum repos in general.
    > > > >
    > > > > Cheers,
    > > > >
    > > > > — Leif
    > > > >
    > > > > >
    > > > > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
    > > > wrote:
    > > > > >
    > > > > >>
    > > > > >>
    > > > > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <
    > masaori@apache.org>
    > > > > >> wrote:
    > > > > >>>
    > > > > >>> Hi all,
    > > > > >>>
    > > > > >>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
    > > > next
    > > > > >>> major release?
    > > > > >>>
    > > > > >>> I just noticed that SSLUtils says that Traffic Server requires an
    > > > > OpenSSL
    > > > > >>> library version 0.9.4 or greater [*1].
    > > > > >>> But I think nobody is using such old OpenSSL. So we can bump
    > > minimum
    > > > > >>> version of OpenSSL.
    > > > > >>>
    > > > > >>> According to OpenSSL Release Strategy [*2], version 1.0.2 is
    > > current
    > > > > >>> minimum supported version by OpenSSL community.
    > > > > >>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
    > > > > Version
    > > > > >>> 1.0.2 looks reasonable choice.
    > > > > >>
    > > > > >>
    > > > > >> Yes, we should do this for v9.0.0. This would effectively drop
    > > support
    > > > > for
    > > > > >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
    > > > > that’s
    > > > > >> fine. For two reasons:
    > > > > >>
    > > > > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is
    > > not
    > > > > >> supported.
    > > > > >>
    > > > > >> 2) It’s not difficult to install a custom OpenSSL build if
    > > necessary.
    > > > > >>
    > > > > >>
    > > > > >> So, +1 on this, with the amendment that we also drop official
    > > support
    > > > > for
    > > > > >> the following platforms that are currently on the CI:
    > > > > >>
    > > > > >>        CentOS 6  (OpenSSL v1.0.1e)
    > > > > >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
    > > > > >>
    > > > > >> (Debian7 was already dropped, because of lack of compiler
    > support).
    > > > > >>
    > > > > >>
    > > > > >> Cheers,
    > > > > >>
    > > > > >> — Leif
    > > > > >>
    > > > > >>
    > > > >
    > > > >
    > > >
    > >
    >
    


Re: [DISCUSS] Minimum version of OpenSSL

Posted by Masaori Koshiba <ma...@apache.org>.
Our conclusion is below:

1). Move the minimum OpenSSL version of ATS v9.0.0 to 1.0.2.

2). ATS v9.0.0 also drops support for the following platforms because of
their OpenSSL version:

  - CentOS 6 (OpenSSL v1.0.1e)
  - Ubuntu 14.04 (OpenSSL v1.0.1f)

3). ATS v8.x.x keeps OpenSSL 1.0.1 support until EOL.

For the vulnerabilities, I forgot about that. Thanks for pointing it out.

Thanks,
Masaori

On Mon, Feb 25, 2019 at 23:13 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:

> Masaori,
>
> Sounds like good reasoning.  I am completely ok with moving the minimum
> with 1.0.2 as long as CentOS 6 is dropped at the same time.
>
> WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
> security fixes from newer openssl's into their Openssl 1.0.1 version, so it
> is probably not that dangerous to use it.
>
> Susan
>
> On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <ma...@apache.org>
> wrote:
>
> > This is incompatible change, so the change will be done on next major
> > release, ATS 9.
> > We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway.
> It
> > looks like
> > ATS 8 will end of life at similar timing of CentOS 6[*1]. So people using
> > CentOS 6 can use
> > OpenSSL 1.0.1 and ATS 8 until late 2020 by taking their own risks.
> >
> > # EOLs
> > CentOS 6 : November 30, 2020
> > ATS 8 : September 2020
> > ATS 9 : July 2021
> >
> > ATS 9 looks good timing for dropping support of OpenSSL 1.0.1 and CentOS
> 6.
> >
> > FWIW, 15 vulnerabilities of OpenSSL were found last 2 years[*1]. I’m not
> > sure how many of
> > them affect version 1.0.1, but it looks quite dangerous to use it.
> >
> > [*1]
> >
> >
> https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
> > [*2] https://www.openssl.org/news/vulnerabilities.html
> >
> > Thanks,
> > Masaori
> >
> > On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
> >
> > > A quick search shows only instructions for how to build openssl 1.0.2
> > from
> > > source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem
> > to
> > > be well advertised.
> > >
> > > I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
> > > support for Centos 6.
> > >
> > > On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org>
> wrote:
> > >
> > > >
> > > >
> > > > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
> > > shinrich@verizonmedia.com.INVALID>
> > > > wrote:
> > > > >
> > > > > Definitely at least drawing the line at openssl 1.0.1 makes sense.
> > As
> > > > Leif
> > > > > notes moving to 1.0.2 for the baseline means that some supported
> > > > > distributions cannot use the system openssl.  For Centos6 anyway we
> > > > require
> > > > > a replacement for the system compiler which you can acquire from
> > > > > devtoolset.  Is there a similar epel mechanism to get a package
> for a
> > > > more
> > > > > modern openssl?
> > > >
> > > >
> > > > I could not find one on my existing CentOS 6 images, which has both
> > EPEL
> > > > and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> > > > other, non-standard repos with newer OpenSSLs, but I think we should
> be
> > > > cautious recommending people to enable “rogue” yum repos in general.
> > > >
> > > > Cheers,
> > > >
> > > > — Leif
> > > >
> > > > >
> > > > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
> > > wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <
> masaori@apache.org>
> > > > >> wrote:
> > > > >>>
> > > > >>> Hi all,
> > > > >>>
> > > > >>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
> > > next
> > > > >>> major release?
> > > > >>>
> > > > >>> I just noticed that SSLUtils says that Traffic Server requires an
> > > > OpenSSL
> > > > >>> library version 0.9.4 or greater [*1].
> > > > >>> But I think nobody is using such old OpenSSL. So we can bump
> > minimum
> > > > >>> version of OpenSSL.
> > > > >>>
> > > > >>> According to OpenSSL Release Strategy [*2], version 1.0.2 is
> > current
> > > > >>> minimum supported version by OpenSSL community.
> > > > >>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
> > > > Version
> > > > >>> 1.0.2 looks reasonable choice.
> > > > >>
> > > > >>
> > > > >> Yes, we should do this for v9.0.0. This would effectively drop
> > support
> > > > for
> > > > >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
> > > > that’s
> > > > >> fine. For two reasons:
> > > > >>
> > > > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is
> > not
> > > > >> supported.
> > > > >>
> > > > >> 2) It’s not difficult to install a custom OpenSSL build if
> > necessary.
> > > > >>
> > > > >>
> > > > >> So, +1 on this, with the amendment that we also drop official
> > support
> > > > for
> > > > >> the following platforms that are currently on the CI:
> > > > >>
> > > > >>        CentOS 6  (OpenSSL v1.0.1e)
> > > > >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
> > > > >>
> > > > >> (Debian7 was already dropped, because of lack of compiler
> support).
> > > > >>
> > > > >>
> > > > >> Cheers,
> > > > >>
> > > > >> — Leif
> > > > >>
> > > > >>
> > > >
> > > >
> > >
> >
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Susan Hinrichs <sh...@verizonmedia.com.INVALID>.
Masaori,

Sounds like good reasoning.  I am completely ok with moving the minimum
to 1.0.2 as long as CentOS 6 is dropped at the same time.

WRT the vulnerabilities in 1.0.1, RedHat has been cherry-picking back
security fixes from newer OpenSSLs into their OpenSSL 1.0.1 version, so it
is probably not that dangerous to use it.

Susan

On Sun, Feb 24, 2019 at 7:25 PM Masaori Koshiba <ma...@apache.org> wrote:

> This is incompatible change, so the change will be done on next major
> release, ATS 9.
> We’re going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway. It
> looks like
> ATS 8 will end of life at similar timing of CentOS 6[*1]. So people using
> CentOS 6 can use
> OpenSSL 1.0.1 and ATS 8 until late 2020 by taking their own risks.
>
> # EOLs
> CentOS 6 : November 30, 2020
> ATS 8 : September 2020
> ATS 9 : July 2021
>
> ATS 9 looks good timing for dropping support of OpenSSL 1.0.1 and CentOS 6.
>
> FWIW, 15 vulnerabilities of OpenSSL were found last 2 years[*1]. I’m not
> sure how many of
> them affect version 1.0.1, but it looks quite dangerous to use it.
>
> [*1]
>
> https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
> [*2] https://www.openssl.org/news/vulnerabilities.html
>
> Thanks,
> Masaori
>
> On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:
>
> > A quick search shows only instructions for how to build openssl 1.0.2
> from
> > source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem
> to
> > be well advertised.
> >
> > I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
> > support for Centos 6.
> >
> > On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:
> >
> > >
> > >
> > > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
> > shinrich@verizonmedia.com.INVALID>
> > > wrote:
> > > >
> > > > Definitely at least drawing the line at openssl 1.0.1 makes sense.
> As
> > > Leif
> > > > notes moving to 1.0.2 for the baseline means that some supported
> > > > distributions cannot use the system openssl.  For Centos6 anyway we
> > > require
> > > > a replacement for the system compiler which you can acquire from
> > > > devtoolset.  Is there a similar epel mechanism to get a package for a
> > > more
> > > > modern openssl?
> > >
> > >
> > > I could not find one on my existing CentOS 6 images, which has both
> EPEL
> > > and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> > > other, non-standard repos with newer OpenSSLs, but I think we should be
> > > cautious recommending people to enable “rogue” yum repos in general.
> > >
> > > Cheers,
> > >
> > > — Leif
> > >
> > > >
> > > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
> > wrote:
> > > >
> > > >>
> > > >>
> > > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <ma...@apache.org>
> > > >> wrote:
> > > >>>
> > > >>> Hi all,
> > > >>>
> > > >>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
> > next
> > > >>> major release?
> > > >>>
> > > >>> I just noticed that SSLUtils says that Traffic Server requires an
> > > OpenSSL
> > > >>> library version 0.9.4 or greater [*1].
> > > >>> But I think nobody is using such old OpenSSL. So we can bump
> minimum
> > > >>> version of OpenSSL.
> > > >>>
> > > >>> According to OpenSSL Release Strategy [*2], version 1.0.2 is
> current
> > > >>> minimum supported version by OpenSSL community.
> > > >>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
> > > Version
> > > >>> 1.0.2 looks reasonable choice.
> > > >>
> > > >>
> > > >> Yes, we should do this for v9.0.0. This would effectively drop
> support
> > > for
> > > >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
> > > that’s
> > > >> fine. For two reasons:
> > > >>
> > > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is
> not
> > > >> supported.
> > > >>
> > > >> 2) It’s not difficult to install a custom OpenSSL build if
> necessary.
> > > >>
> > > >>
> > > >> So, +1 on this, with the amendment that we also drop official
> support
> > > for
> > > >> the following platforms that are currently on the CI:
> > > >>
> > > >>        CentOS 6  (OpenSSL v1.0.1e)
> > > >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
> > > >>
> > > >> (Debian7 was already dropped, because of lack of compiler support).
> > > >>
> > > >>
> > > >> Cheers,
> > > >>
> > > >> — Leif
> > > >>
> > > >>
> > >
> > >
> >
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Masaori Koshiba <ma...@apache.org>.
This is an incompatible change, so it will be done in the next major
release, ATS 9.
We're going to have OpenSSL 1.0.1 with CentOS 6 support on ATS 8 anyway. It
looks like ATS 8 will reach end of life at a similar time to CentOS 6 [*1],
so people using CentOS 6 can use OpenSSL 1.0.1 and ATS 8 until late 2020
at their own risk.

# EOLs
CentOS 6 : November 30, 2020
ATS 8 : September 2020
ATS 9 : July 2021

ATS 9 looks like good timing for dropping support for OpenSSL 1.0.1 and CentOS 6.

FWIW, 15 OpenSSL vulnerabilities were found in the last 2 years [*2]. I'm not
sure how many of them affect version 1.0.1, but it looks quite dangerous to
use it.

[*1]
https://wiki.centos.org/FAQ/General#head-fe8a0be91ee3e7dea812e8694491e1dde5b75e6d
[*2] https://www.openssl.org/news/vulnerabilities.html

Thanks,
Masaori

On Sat, Feb 23, 2019 at 5:39 Susan Hinrichs <sh...@verizonmedia.com.invalid> wrote:

> A quick search shows only instructions for how to build openssl 1.0.2 from
> source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem to
> be well advertised.
>
> I'd suggest keeping the openssl minimum version to 1.0.1 until we stop
> support for Centos 6.
>
> On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:
>
> >
> >
> > > On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <
> shinrich@verizonmedia.com.INVALID>
> > wrote:
> > >
> > > Definitely at least drawing the line at openssl 1.0.1 makes sense.  As
> > Leif
> > > notes moving to 1.0.2 for the baseline means that some supported
> > > distributions cannot use the system openssl.  For Centos6 anyway we
> > require
> > > a replacement for the system compiler which you can acquire from
> > > devtoolset.  Is there a similar epel mechanism to get a package for a
> > more
> > > modern openssl?
> >
> >
> > I could not find one on my existing CentOS 6 images, which has both EPEL
> > and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> > other, non-standard repos with newer OpenSSLs, but I think we should be
> > cautious recommending people to enable “rogue” yum repos in general.
> >
> > Cheers,
> >
> > — Leif
> >
> > >
> > > On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org>
> wrote:
> > >
> > >>
> > >>
> > >>> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <ma...@apache.org>
> > >> wrote:
> > >>>
> > >>> Hi all,
> > >>>
> > >>> Could we bump minimum requirements of OpenSSL version to 1.0.2 on
> next
> > >>> major release?
> > >>>
> > >>> I just noticed that SSLUtils says that Traffic Server requires an
> > OpenSSL
> > >>> library version 0.9.4 or greater [*1].
> > >>> But I think nobody is using such old OpenSSL. So we can bump minimum
> > >>> version of OpenSSL.
> > >>>
> > >>> According to OpenSSL Release Strategy [*2], version 1.0.2 is current
> > >>> minimum supported version by OpenSSL community.
> > >>> And version 1.0.1 was end of support 2 years ago (at 2016-12-31).
> > Version
> > >>> 1.0.2 looks reasonable choice.
> > >>
> > >>
> > >> Yes, we should do this for v9.0.0. This would effectively drop support
> > for
> > >> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think
> > that’s
> > >> fine. For two reasons:
> > >>
> > >> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
> > >> supported.
> > >>
> > >> 2) It’s not difficult to install a custom OpenSSL build if necessary.
> > >>
> > >>
> > >> So, +1 on this, with the amendment that we also drop official support
> > for
> > >> the following platforms that are currently on the CI:
> > >>
> > >>        CentOS 6  (OpenSSL v1.0.1e)
> > >>        Ubuntu 14.04 (OpenSSL v1.0.1f)
> > >>
> > >> (Debian7 was already dropped, because of lack of compiler support).
> > >>
> > >>
> > >> Cheers,
> > >>
> > >> — Leif
> > >>
> > >>
> >
> >
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Susan Hinrichs <sh...@verizonmedia.com.INVALID>.
A quick search shows only instructions for how to build openssl 1.0.2 from
source on Rhel6/Centos6.  If there is an epel-like rpm it does not seem to
be well advertised.

I'd suggest keeping the openssl minimum version at 1.0.1 until we stop
support for Centos 6.

On Fri, Feb 22, 2019 at 11:41 AM Leif Hedstrom <zw...@apache.org> wrote:

> I could not find one on my existing CentOS 6 images, which has both EPEL
> and DevToolSet yum repos enabled. That doesn’t mean that there aren’t
> other, non-standard repos with newer OpenSSLs, but I think we should be
> cautious recommending people to enable “rogue” yum repos in general.
>
> Cheers,
>
> — Leif
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Leif Hedstrom <zw...@apache.org>.

> On Feb 22, 2019, at 10:15 AM, Susan Hinrichs <sh...@verizonmedia.com.INVALID> wrote:
> 
> Definitely at least drawing the line at openssl 1.0.1 makes sense.  As Leif
> notes moving to 1.0.2 for the baseline means that some supported
> distributions cannot use the system openssl.  For Centos6 anyway we require
> a replacement for the system compiler which you can acquire from
> devtoolset.  Is there a similar epel mechanism to get a package for a more
> modern openssl?


I could not find one on my existing CentOS 6 images, which has both EPEL and DevToolSet yum repos enabled. That doesn’t mean that there aren’t other, non-standard repos with newer OpenSSLs, but I think we should be cautious recommending people to enable “rogue” yum repos in general.

Cheers,

— Leif

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Susan Hinrichs <sh...@verizonmedia.com.INVALID>.
Definitely at least drawing the line at openssl 1.0.1 makes sense.  As Leif
notes moving to 1.0.2 for the baseline means that some supported
distributions cannot use the system openssl.  For Centos6 anyway we require
a replacement for the system compiler which you can acquire from
devtoolset.  Is there a similar epel mechanism to get a package for a more
modern openssl?

On Fri, Feb 22, 2019 at 9:53 AM Leif Hedstrom <zw...@apache.org> wrote:

> Yes, we should do this for v9.0.0. This would effectively drop support for
> “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s
> fine. For two reasons:
>
> 1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not
> supported.
>
> 2) It’s not difficult to install a custom OpenSSL build if necessary.
>
>
> So, +1 on this, with the amendment that we also drop official support for
> the following platforms that are currently on the CI:
>
>         CentOS 6  (OpenSSL v1.0.1e)
>         Ubuntu 14.04 (OpenSSL v1.0.1f)
>
> (Debian7 was already dropped, because of lack of compiler support).
>
>
> Cheers,
>
> — Leif
>
>

Re: [DISCUSS] Minimum version of OpenSSL

Posted by Leif Hedstrom <zw...@apache.org>.

> On Feb 21, 2019, at 11:37 PM, Masaori Koshiba <ma...@apache.org> wrote:
> 
> Hi all,
> 
> Could we bump minimum requirements of OpenSSL version to 1.0.2 on next
> major release?
> 
> I just noticed that SSLUtils says that Traffic Server requires an OpenSSL
> library version 0.9.4 or greater [*1].
> But I think nobody is using such old OpenSSL. So we can bump minimum
> version of OpenSSL.
> 
> According to OpenSSL Release Strategy [*2], version 1.0.2 is current
> minimum supported version by OpenSSL community.
> And version 1.0.1 was end of support 2 years ago (at 2016-12-31). Version
> 1.0.2 looks reasonable choice.


Yes, we should do this for v9.0.0. This would effectively drop support for “stock” CentOS6, which only comes with OpenSSL v1.0.1, but I think that’s fine. For two reasons:

1) It’s the right thing to require at least 1.0.2, since 1.0.1 is not supported.

2) It’s not difficult to install a custom OpenSSL build if necessary.


So, +1 on this, with the amendment that we also drop official support for the following platforms that are currently on the CI:

	CentOS 6  (OpenSSL v1.0.1e)
	Ubuntu 14.04 (OpenSSL v1.0.1f)

(Debian7 was already dropped, because of lack of compiler support).


Cheers,

— Leif
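The following C program is an added example and not code from the Traffic Server repository or this thread. It decodes OpenSSL 1.x version numbers in the 0xMNNFFPPS layout that OPENSSL_VERSION_NUMBER uses and applies the 1.0.2 floor proposed above to the two CI platforms Leif lists (CentOS 6 with 1.0.1e, Ubuntu 14.04 with 1.0.1f). The macro name ATS_MIN_OPENSSL_VERSION and the platform table are assumptions for illustration; OpenSSL 3.x packs its version differently, so the decoder is only meaningful for the 1.0.x/1.1.x series discussed here.

```c
/*
 * Added example, not code from the Traffic Server repository.
 * OpenSSL 1.x packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
 *   M  = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a'),
 *   S  = status (0 = dev, 1..0xe = beta N, 0xf = release).
 * OpenSSL 3.x uses a different layout, so this decoder only applies to the
 * 1.0.x / 1.1.x series the thread is about.
 */
#include <stdio.h>
#include <string.h>

/* Proposed floor: the 1.0.2 release. The macro name is an assumption. */
#define ATS_MIN_OPENSSL_VERSION 0x1000200fUL

/*
 * Build-time form of the same guard, once <openssl/opensslv.h> is included
 * (the kind of #if/#error check the thread refers to in SSLUtils.cc):
 *
 *   #if OPENSSL_VERSION_NUMBER < 0x1000200fL
 *   #error Traffic Server requires an OpenSSL library version 1.0.2 or greater
 *   #endif
 */

struct openssl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split a 1.x MNNFFPPS value into its fields. */
struct openssl_version openssl_version_decode(unsigned long v)
{
    struct openssl_version out;
    out.major  = (unsigned)((v >> 28) & 0xf);
    out.minor  = (unsigned)((v >> 20) & 0xff);
    out.fix    = (unsigned)((v >> 12) & 0xff);
    out.patch  = (unsigned)((v >> 4) & 0xff);
    out.status = (unsigned)(v & 0xf);
    return out;
}

/* Render as "1.0.1e"; pre-release builds get a "-dev" or "-betaN" suffix. */
int openssl_version_format(unsigned long v, char *buf, size_t len)
{
    struct openssl_version p = openssl_version_decode(v);
    char patch[2] = { 0, 0 };
    char suffix[8] = "";

    if (p.patch >= 1 && p.patch <= 26)
        patch[0] = (char)('a' + p.patch - 1);
    if (p.status == 0)
        snprintf(suffix, sizeof suffix, "-dev");
    else if (p.status < 0xf)
        snprintf(suffix, sizeof suffix, "-beta%u", p.status);

    return snprintf(buf, len, "%u.%u.%u%s%s", p.major, p.minor, p.fix, patch, suffix);
}

/* True if the rendered form of v equals expected. */
int openssl_version_is(unsigned long v, const char *expected)
{
    char buf[32];
    openssl_version_format(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/*
 * The proposed check. A plain numeric compare is enough because the fields
 * are laid out most-significant first, so 1.0.1u < 1.0.2-beta1 < 1.0.2 < 1.0.2a.
 */
int openssl_version_ok(unsigned long v)
{
    return v >= ATS_MIN_OPENSSL_VERSION;
}

/* Constructed table: the two CI platforms named in the thread plus two
 * versions that clear the floor. */
struct platform {
    const char *name;
    unsigned long version;
};

static const struct platform platforms[] = {
    { "CentOS 6",                0x1000105fUL }, /* 1.0.1e */
    { "Ubuntu 14.04",            0x1000106fUL }, /* 1.0.1f */
    { "1.0.2 built from source", 0x1000200fUL }, /* 1.0.2  */
    { "1.1.1 release",           0x1010100fUL }, /* 1.1.1  */
};

#define NPLATFORMS (sizeof platforms / sizeof platforms[0])

/* How many of the listed platforms would still build under the new floor. */
int count_supported_platforms(void)
{
    int ok = 0;
    for (size_t i = 0; i < NPLATFORMS; i++)
        ok += openssl_version_ok(platforms[i].version);
    return ok;
}

int main(void)
{
    char buf[32];
    for (size_t i = 0; i < NPLATFORMS; i++) {
        openssl_version_format(platforms[i].version, buf, sizeof buf);
        printf("%-24s OpenSSL %-12s %s\n", platforms[i].name, buf,
               openssl_version_ok(platforms[i].version) ? "ok" : "below 1.0.2, unsupported");
    }
    return 0;
}
```

Two practical notes on the check. First, because the status nibble sits in the lowest position, the floor 0x1000200f also rejects 1.0.2 betas and dev snapshots, which is what a "1.0.2 or greater" requirement should mean. Second, the build-time constant only describes the headers the compiler saw; the library actually loaded at runtime reports its own number through SSLeay() on 1.0.x or OpenSSL_version_num() on 1.1.x, and comparing that value against the same floor at startup catches a binary built against a custom 1.0.2 but started against the distribution's 1.0.1 .so.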