[CentOS] OpenSSL Version 1.0.2 is not supported

Tue Mar 3 17:16:11 UTC 2020
Kaushal Shriyan <kaushalshriyan at gmail.com>

On Tue, Mar 3, 2020 at 7:32 PM Jonathan Billings <billings at negate.org>
wrote:

> On Tue, Mar 03, 2020 at 07:02:40PM +0530, Kaushal Shriyan wrote:
> > I have gone through the article
> > https://access.redhat.com/security/updates/backporting/. I am having a
> > follow up question. Do I need to wait for the OpenSSL version 1.1.1d to be
> > available on CentOS 7.x once it is tested in the upstream RHEL 7.x
> > version?  Please correct me if I misunderstood anything. I look forward to
> > hearing from you and thanks in advance.
>
> To quote the article:
>
> > We use the term backporting to describe the action of taking a fix
> > for a security flaw out of the most recent version of an upstream
> > software package and applying that fix to an older version of the
> > package we distribute.
>
> Basically, you'll likely never see version 1.1.1d in CentOS 7.  Any
> software fixes will be backported to the version in CentOS 7, 1.0.2k.
>
> The release will be incremented as new updates in CentOS come out, but
> it'll continue to be 1.0.2k until Red Hat decides to do a rebase.
> That doesn't happen until there are features that are needed that are
> too difficult to backport.  There have been OpenSSL rebases
> mid-release (in c5 and c6 I think), and I remember it caused a lot of
> problems, so I don't look forward to it.
>
> I think you need to back up and ask yourself *WHY* you are demanding
> the latest release of OpenSSL.  Do you need features that are not
> available in the OpenSSL in CentOS 7?  Is there an auditor saying you
> must have some version to be secure?
>
> If you must have versions of OpenSSL not in CentOS7, I suggest looking
> at packaging your application that uses SSL in a docker container that
> has that version available.  Perhaps CentOS 8 will work for you.
>
> --
> Jonathan Billings <billings at negate.org>


Thanks Jonathan and Leon for the explanation and much appreciated.

Best Regards,

Kaushal
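
An added example, not part of the original thread: with backporting, the upstream version string stays at 1.0.2k while the package release number increments, so a fix is confirmed from the package changelog and release, not from the OpenSSL version. The changelog text, release numbers and CVE ids below are constructed placeholders, the function names are hypothetical, and `sort -V` is used as an approximation of RPM's own version comparison.

```shell
#!/bin/sh
# Constructed sample shaped like `rpm -q --changelog openssl` output.
# Release numbers and CVE ids are placeholders, not real advisory data.
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2018 Example Packager <packager@example.com> 1.0.2k-3
- fix CVE-0000-0002 - constructed entry for a backported fix

* Sun Jan 01 2017 Example Packager <packager@example.com> 1.0.2k-2
- fix CVE-0000-0001 - constructed entry for a backported fix

* Fri Jan 01 2016 Example Packager <packager@example.com> 1.0.2k-1
- rebase to upstream 1.0.2k
EOF
}

# Read changelog text on stdin and print the version-release of the entry
# that mentions CVE id $1. Prints nothing if no entry mentions it.
fixed_in() {
    awk -v cve="$1" '
        /^\* /         { evr = $NF }        # entry header: last field is version-release
        index($0, cve) { print evr; exit }  # first entry that names the CVE
    '
}

# Succeed if build $1 sorts at or above build $2 (GNU sort -V approximation).
has_fix() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify build $1 against CVE id $2 using the changelog on stdin:
# patched, missing (build predates the fix), or unknown (CVE not listed).
audit() {
    fixed=$(fixed_in "$2")
    if [ -z "$fixed" ]; then
        echo "unknown"
    elif has_fix "$1" "$fixed"; then
        echo "patched"
    else
        echo "missing"
    fi
}

# Demo on the constructed data: the version is still 1.0.2k, yet the fix is present.
sample_changelog | audit 1.0.2k-3 CVE-0000-0001
```

On a real host the changelog would come from `rpm -q --changelog openssl` taken from a current package, with the build string of each machine being checked passed as the first argument.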