httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: mod_md OpenSSL version requirement 1.0.0
Date Fri, 16 Mar 2018 12:11:37 GMT
On Fri, Mar 16, 2018 at 7:57 AM, Stefan Eissing
<stefan.eissing@greenbytes.de> wrote:
> Hi Rainer,
>
> thanks for solving this issue. The version check indeed was missing. I do not think supporting
ACME on servers with such old OpenSSL is really something to strive for. I'd have settled
for a check von 1.0.2 even. If your changed check makes it working for 1.0.1 also, that's
fine.
>
> My (a tad philosophical) point of view is that security on the public network is only
achievable and *maintainable* by ever moving forward to the lastest, best efforts of the community.
If you stick on version, even if that worked fine at the time, you'll get owned.
>
> Again, 2.4.x promises support for 0.9.8a+, so the check was missing. Maybe this is a
reason for a 2.6.x that is a re-vamped 2.4.x but with a revisited baseline? Without mpm-prefork,
http/0.9 and other cruft? A man can dream...

2.6 aside, should we just pick a date that openssl < 1.0.1 (or
whatever) compat will be dropped from 2.4 and add it to the
announcement template/website?  I don't think we're ultimately doing
anyone favors here.

Mime
View raw message