Michael Paquier <michael@paquier.xyz> writes:
> Navigating through the logs of the buildfarm, it is actually not really
> easy to find out which version of OpenSSL a build is using at compile
> time. Perhaps we would want first to report this information?

+1 if we can figure a way to do it. ISTR having looked for a way
and not found a good one. The obvious answer is "ssh -V", but that
could report a library version that's different from what we're
linking to --- and indeed *would*, on several of my buildfarm
animals, because I point them to the appropriate openssl version with
--with-includes and --with-libs, neither of which touch PATH.

> ... Making HAVE_X509_GET_SIGNATURE_NID a hard requirement bumps the
> minimal version of OpenSSL supported to 1.0.2, which is something I
> would not feel much sorry about either like Heikki, as I have heard of
> many vendors maintaining OpenSSL past versions on Linux, but not yet on
> Windows. It is easy to be wrong when it comes to any company policies
> though.

I have assorted pet dinosaurs using 0.9.8x or 0.9.8y, but I'm not
sure that any of those still represent credible real-world cases.
More concerning is that RHEL6 is on 1.0.1e:

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

That's definitely still a live platform.

regards, tom lane