[CentOS] OpenSSL Version 1.0.2 is not supported

Tue Mar 3 14:01:45 UTC 2020
Jonathan Billings <billings at negate.org>

On Tue, Mar 03, 2020 at 07:02:40PM +0530, Kaushal Shriyan wrote:
> I have gone through the article
> https://access.redhat.com/security/updates/backporting/. I am having a
> follow up question. Do I need to wait for the OpenSSL version 1.1.1d to be
> available on CentOS 7.x once it is tested in the upstream RHEL 7.x
> version?  Please correct me if I misunderstood anything. I look forward to
> hearing from you and thanks in advance.

To quote the article:

> We use the term backporting to describe the action of taking a fix
> for a security flaw out of the most recent version of an upstream
> software package and applying that fix to an older version of the
> package we distribute. 

Basically, you'll likely never see version 1.1.1d in CentOS 7.  Any
software fixes will be backported to the version in CentOS 7, 1.0.2k.

The release will be incremented as new updates in CentOS come out, but 
it'll continue to be 1.0.2k until Red Hat decides to do a rebase.
That doesn't happen until there are features that are needed that are
too difficult to backport.  There have been OpenSSL rebases
mid-release (in c5 and c6 I think), and I remember it caused a lot of
problems, so I don't look forward to it.

I think you need to back up and ask yourself *WHY* you are demanding
the latest release of OpenSSL.  Do you need features that are not
available in the OpenSSL in CentOS 7?  Is there an auditor saying you
must have some version to be secure? 

If you must have versions of OpenSSL not in CentOS 7, I suggest looking
at packaging your application that uses SSL in a docker container that
has that version available.  Perhaps CentOS 8 will work for you.

Jonathan Billings <billings at negate.org>
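Because the version string stays 1.0.2k while only the release number moves, the practical way to confirm a backported fix is the package changelog, not `openssl version`. The following is an added example, not code from this thread; the sample changelog text, its CVE ids, dates and maintainer are constructed placeholders, and the `rpm` wrapper assumes an RPM-based host.

```shell
#!/bin/sh
# Constructed sample of what `rpm -q --changelog openssl` prints on an
# EL7-style host. Placeholder CVE ids and names; not real advisory data.
SAMPLE_CHANGELOG='* Mon Jan 06 2020 Placeholder Maintainer <maint@example.com> 1:1.0.2k-19
- fix CVE-2020-0000 - placeholder description of a backported fix
* Mon Jan 07 2019 Placeholder Maintainer <maint@example.com> 1:1.0.2k-16
- fix CVE-2019-0000 - placeholder description of an older backport'

# Read changelog text on stdin; print the [epoch:]version-release of the
# first entry whose body mentions the CVE id given as $1. Prints nothing
# if the id never appears, so callers can test for an empty result.
release_fixing_cve() {
    awk -v cve="$1" '
        /^\* /             { nvr = $NF }        # entry header: last field is the EVR
        index($0, cve) > 0 { print nvr; exit } # first mention wins
    '
}

# Split an EVR such as "1:1.0.2k-19" into its version and release parts,
# to make visible that the upstream version stays fixed across rebuilds.
version_of() { printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-.*$//'; }
release_of() { printf '%s\n' "$1" | sed 's/^.*-//'; }

# Live check against the installed package: exit 0 if the changelog of the
# installed openssl mentions the CVE, 1 otherwise (requires rpm on PATH).
openssl_has_backport() {
    rpm -q --changelog openssl | release_fixing_cve "$1" | grep -q .
}

# Demonstration on the constructed sample (no rpm needed).
if [ "${1-}" = "--demo" ]; then
    evr=$(printf '%s\n' "$SAMPLE_CHANGELOG" | release_fixing_cve CVE-2020-0000)
    echo "fixed in EVR $evr (version $(version_of "$evr"), release $(release_of "$evr"))"
fi
```

Run it with `--demo` to see the sample parsed; on a real host call `openssl_has_backport CVE-XXXX-YYYY` with the id from the advisory you are checking.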