git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: svn commit: r29575 - /dev/httpd/ /release/httpd/


On 09/21/2018 12:27 PM, William A Rowe Jr wrote:
You may want to use this opportunity to drop md5 and sha1 hashes, you will be yelled at by ops when you attempt to publish new instances of these obsoleted hashes.

In the apr release case, the announce was modded through anyways, but a subsequent thread on dev@apr determined that only sha256 is both useful and portable.

Adding a sha512 undermines our direction to users to rely on the asc pgp sig.

Even on very stale OS's without sha256 in their tool chain, they likely have openssl 0.9.8 or later with sha256 support.


I can tell you that I have seen unpatched barely maintained Solaris 10
servers in the wild. Chugging along. Sadly. Those things have :

# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: ... long list here )

Sure enough .. no sha512 there nor even sha256. Or much in fact.

However anything with a recent set of security updates :

jupiter # /usr/bin/openssl version
OpenSSL 1.0.2n  7 Dec 2017

Anything hugged by me :

# /usr/local/bin/openssl version
OpenSSL 1.1.1  11 Sep 2018


At least three flavours of OpenSSL may exist and that includes the lib
madness and RPATH fun therein. Stale may be a measure of "maintained".


Dennis