[CentOS] Getting a boost patch into RHEL 7

Wed Jan 13 13:39:48 UTC 2016
Alice Wonder <alice at domblogger.net>

There is a patch to boost that should get into both CentOS and RHEL 7.

I already sent an e-mail to the person who last modified the rpm spec 
file but I have no idea if he will even see the e-mail.

The small patch -

https://github.com/boostorg/asio/pull/23/files

The problem it fixes -

boost assumes that the TLS library supports SSLv3, which the OpenSSL 
currently in RHEL / CentOS 7 does.

However, SSLv3 is incredibly old, is no longer considered to be secure 
and should not be used, so some alternative TLS implementations do not 
even include support for it.

LibreSSL is one such example, and some distributions (e.g. Debian) have 
removed SSLv3 support from the OpenSSL library they ship.

Given how old and insecure SSLv3 is and given the incredibly long 
support cycle of RHEL 7 it would not surprise me at all if removal of 
SSLv3 from the OpenSSL library in RHEL 7 is going to happen at some 
point in the next few years.

As such getting this patch into boost will be necessary.

The patch does not have any impact on boost when using TLS libraries 
that do support SSLv3 so it will not do any harm to get it into the 
packaging now.

Getting it into the packaging now means boost is ready when the change 
is made. It also makes life a lot easier for people like me who have 
to use an alternate TLS implementation because we need the EC stuff that 
RHEL removed from OpenSSL due to potential patent reasons that the 
lawyers were afraid of.

I'm hoping someone on this list with some influence understands the 
issue. Filing a bug report with CentOS is, I suppose, also an option, but 
given that the patch doesn't solve a problem with any *current* CentOS 
packages, I doubt that would result in the bug trickling up to RHEL, and 
they are the ones that have to apply the patch for it to make it into 
CentOS.

Thank you for your time
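Added example, not part of the list post above and not boost's or the patch's own code: a build-time probe a packager can run to find out whether the OpenSSL development headers on a host still provide SSLv3, which is the condition that decides whether an unconditional reference to SSLv3 in boost.asio will even compile. It assumes that an OpenSSL built without SSLv3 (and LibreSSL) defines OPENSSL_NO_SSL3 in <openssl/opensslconf.h>, and that a C compiler named by $CC (default "cc") is available; the PROBE_NO_SSL3 marker and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from boost).
# Assumption: an OpenSSL configured with "no-ssl3", and LibreSSL, define
# OPENSSL_NO_SSL3 in <openssl/opensslconf.h>; a C compiler ($CC, default
# "cc") whose -E output passes unknown identifier lines through unchanged.

# Pure helper: classify preprocessed output. Prints a status word and
# returns 0 (SSLv3 available) or 1 (SSLv3 compiled out of this OpenSSL).
ssl3_status_from_cpp_output() {
    if printf '%s\n' "$1" | grep -q 'PROBE_NO_SSL3'; then
        echo "compiled-out"
        return 1
    fi
    echo "available"
    return 0
}

# Real probe: feed a three-line C snippet through the preprocessor and
# look for the marker. Returns 0 = available, 1 = compiled out,
# 2 = could not test (no compiler, or no OpenSSL headers on this host).
ssl3_probe() {
    cc_bin="${CC:-cc}"
    if ! command -v "$cc_bin" >/dev/null 2>&1; then
        echo "unknown: no C compiler found"
        return 2
    fi
    # PROBE_NO_SSL3 is an identifier of our own; it survives preprocessing
    # only when the #ifdef around it is true.
    src='#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_SSL3
PROBE_NO_SSL3
#endif'
    if ! out=$(printf '%s\n' "$src" | "$cc_bin" -x c -E - 2>/dev/null); then
        echo "unknown: OpenSSL headers not found"
        return 2
    fi
    ssl3_status_from_cpp_output "$out"
}

# Usage: run the probe without aborting a "set -e" script on a non-zero
# status, since 1 and 2 are informative results, not failures.
probe_rc=0
ssl3_probe || probe_rc=$?
echo "probe exit status: $probe_rc"
```

A status of 1 on the build host means the boost build needs the guard the patch adds; 0 means the guard is harmless but the package is ready for a later "no-ssl3" OpenSSL; 2 means the probe itself could not run and says nothing about SSLv3.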