[exim-announce] OpenSSL < 1.0.2 unsupported; HTTPS websites

Author: Phil Pennock
Date:  
To: Exim Announce
Subject: [exim-announce] OpenSSL < 1.0.2 unsupported; HTTPS websites
Two pieces of TLS-related news: OpenSSL support status; and Exim
websites and HTTPS.

First, a reminder: as of 2017 (Happy New Year!) no version of OpenSSL
in a series less than 1.0.2 is supported by the OpenSSL project:

https://www.openssl.org/policies/releasestrat.html

OpenSSL release series 0.9.8, 1.0.0 and 1.0.1 are all now unsupported.
OpenSSL 1.0.2 is an LTS release.

The Exim Maintainers are not going to rush out to break support for
older series, but we're also not going to be constrained to keep working
with systems which are unsupported.

For you this means: if you're using OS packages, keep using the OS
packages. An OS which locks OpenSSL to an old version and backports
fixes is also already doing that for Exim. They're unlikely to change
this practice. If you're building Exim from source, then you should be
prepared to also keep your OpenSSL up-to-date too. We'll add something
to the Exim install steps to walk you through the very simple steps.


Second, for those who track certificate authorities with paranoia: the
Exim HTTPS-enabled websites are all now using certificates from Let's
Encrypt. A couple more websites (git.exim.org and ftp.exim.org) are
also now additionally available over HTTPS.

Exim releases can thus be found at:

https://ftp.exim.org/pub/exim/exim4/

although PGP signatures of releases should still be verified, as always.
Existing download URLs are unchanged; this is an addition, not a
replacement.

Our thanks to https://letsencrypt.org/ for an excellent free service,
helping to move the web towards HTTPS everywhere.


Regards,
-Phil Pennock, pp The Exim Maintainers