Re: connection_reuse


Re: connection_reuse

Viktor Dukhovni
> On Jun 17, 2020, at 9:34 PM, Peter <[hidden email]> wrote:
>
> I'd like to avoid this if possible.  CentOS 7 has openssl 1.0.2k and doesn't go EOL until 2024.  I'd like to be able to support new Postfix releases for it for at least another two or three years.

Postfix 3.5 will be supported until 3.9 comes out.  The only
major changes I'd expect in 3.6, 3.7 and 3.8 that you might
want on some older platforms would in fact be support for
newer versions of OpenSSL and the like, but then you don't
need OpenSSL 1.0.2 (no longer supported upstream).

So you can keep using CentOS 7 till 2024 if you wish, but the
latest supported Postfix would be 3.5, plus whatever backports
the vendor decides to do.

Continuing to support OpenSSL 1.0.2 holds back progress and has
a non-trivial complexity cost.  It is time to move on.  OpenSSL
3.0 will ship soon, and it gets increasingly difficult to cover
the full spectrum of features from 1.0.2 through 3.0.0.

--
        Viktor.


Re: connection_reuse

Peter Ajamian
On 18/06/20 12:07 pm, Viktor Dukhovni wrote:
>> On Jun 17, 2020, at 9:34 PM, Peter <[hidden email]> wrote:
>>
>> I'd like to avoid this if possible.  CentOS 7 has openssl 1.0.2k and doesn't go EOL until 2024.  I'd like to be able to support new Postfix releases for it for at least another two or three years.
>
> Postfix 3.5 will be supported until 3.9 comes out.  The only
> major changes I'd expect in 3.6, 3.7 and 3.8 that you might
> want on some older platforms would in fact be support for
> newer versions of OpenSSL and the like, but then you don't
> need OpenSSL 1.0.2 (no longer supported upstream).

That's fair enough.  In that case I can just keep my CentOS 7 packages
on 3.5 until EOL and it shouldn't be an issue (this is similar to what I
am doing for CentOS 6 on 3.3).  In the worst-case scenario if there ends
up being a newer must-have feature that I get a significant number of
requests for I can package a newer parallel installable openssl for it.

> Continuing to support OpenSSL 1.0.2 holds back progress and has
> a non-trivial complexity cost.  It is time to move on.  OpenSSL
> 3.0 will ship soon, and it gets increasingly difficult to cover
> the full spectrum of features from 1.0.2 through 3.0.0

That's fine, I just wanted to voice that there are still platforms with
older openssl in case that affects your decision.  What you've said
above is quite reasonable, though.

That said, CentOS 8 is on openssl 1.1.1c so I'm hoping that will
continue to be supported for the foreseeable future.


Peter

Re: connection_reuse

Viktor Dukhovni
On Thu, Jun 18, 2020 at 12:52:43PM +1200, Peter wrote:

> That said, CentOS 8 is on openssl 1.1.1c so I'm hoping that will
> continue to be supported for the foreseeable future.

Presently, OpenSSL 1.1.1c is the only LTS OpenSSL release, and even
3.0.0 is not yet expected to be an LTS release, that'll likely be a later
version.  So yes, 1.1.1c support is not going away any time soon.

--
    Viktor.