Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:128398 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: by lists.php.net (Postfix, from userid 65534) id 3F2631A00BD; Tue, 5 Aug 2025 13:49:16 +0000 (UTC) To: internals@lists.php.net Subject: Re: [PHP-DEV] Update OpenSSL *minor* version on Windows? Date: Tue, 05 Aug 2025 15:49:27 +0200 Message-ID: <7n249klsjh201edigfqehjdr10bknb9qu0@4ax.com> References: <223b29d5-ec13-4380-ae54-a474e2354429@gmx.de> X-Newsreader: Forte Agent 3.3/32.846 Precedence: list list-help: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Posted-By: 77.174.241.57 From: phpdev@ehrhardt.nl (Jan Ehrhardt) "Christoph M. Becker" in php.internals (Thu, 5 Sep 2024 19:19:45 +0200): >I'm still not happy considering that this would still leave more than >one year of lacking upstream support, where our Windows builds might >need to be fixed with some publicly available patches, in case there are >any security vulnerabilites (I'm presuming that the PHP project will not >afford a support contract; it seems these don't even apply to Open >Source downstream consumers). > >So I wonder about the stability of OpenSSL minor versions nowadays, and >whether we want to update to a new minor version during the lifecycle of >a PHP minor release. For instance regarding PHP 8.3, we may consider >updating OpenSSL to 3.4 roughly in a year, when PHP 8.3 has still actve >support for about four months, so we could still react to issues with >that update. OpenSSL 3.5 has been marked as LTS now and supported up until 2030-04-08. https://openssl-library.org/policies/releasestrat/index.html This might be a good time to update OpenSSL to 3.5. OpenSSL 3.5.2 has been released today. Could we release PHP 8.5 with OpenSSL 3.5.2 and implement this change before the feature freeze? -- Jan