There is a patch to boost that should get into both CentOS and RHEL 7.

I already sent an e-mail to the person who last modified the rpm spec file but I have no idea if he will even see the e-mail.

The small patch -

https://github.com/boostorg/asio/pull/23/files

The problem it fixes - boost assumes that the TLS supports SSLv3 which the OpenSSL currently in RHEL / CentOS 7 does.

However SSLv3 is incredibly old and is no longer considered to be secure and should not be used, so some alternative TLS implementations do not even include support for it. LibreSSL is one such example, and some distributions (e.g. Debian) have removed SSLv3 support from the OpenSSL library they ship.

Given how old and insecure SSLv3 is and given the incredibly long support cycle of RHEL 7 it would not surprise me at all if removal of SSLv3 from the OpenSSL library in RHEL 7 is going to happen at some point in the next few years. As such getting this patch into boost will be necessary.

The patch does not have any impact on boost when using TLS libraries that do support SSLv3 so it will not do any harm to get it into the packaging now.

Getting it into the packaging now means boost is ready when the change is made, and it also makes life a lot easier for people like me who have to use an alternate TLS implementation because we need the EC stuff that RHEL removed from OpenSSL due to potential patent reasons that the lawyers were afraid of.

I'm hoping someone on this list with some influence understands the issue.

Filing a bug report with CentOS I suppose is also an option, but given that the patch doesn't solve a problem with any *current* CentOS packages, I doubt that would result in the bug trickling up to RHEL and they are the ones that have to apply the patch for it to make it into CentOS.

Thank you for your time

On Wed, Jan 13, 2016 at 05:39:48AM -0800, Alice Wonder wrote:
> There is a patch to boost that should get into both CentOS and RHEL 7.
>
> I already sent an e-mail to the person who last modified the rpm spec file
> but I have no idea if he will even see the e-mail.

Did you submit anything to bugzilla.redhat.com? What's the BZ ID number?

-- 
Jonathan Billings <billings at negate.org>

On 01/13/2016 05:45 AM, Jonathan Billings wrote:
> On Wed, Jan 13, 2016 at 05:39:48AM -0800, Alice Wonder wrote:
>> There is a patch to boost that should get into both CentOS and RHEL 7.
>>
>> I already sent an e-mail to the person who last modified the rpm spec file
>> but I have no idea if he will even see the e-mail.
>
> Did you submit anything to bugzilla.redhat.com? What's the BZ ID
> number?
>

No I didn't, I was under the impression one had to have an RHEL license to do that.

I suppose I should have tried, I'll try now.