Newsgroups: php.internals
From: anatol.php@belski.net ("Anatol Belski")
To: 'Jakub Zelenka', 'PHP internals list'
Date: Mon, 14 Sep 2015 22:17:05 +0200
Message-ID: <031f01d0ef2a$55776fa0$00664ee0$@belski.net>
Subject: RE: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8

Hi Jakub,

> -----Original Message-----
> From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub Zelenka
> Sent: Monday, September 14, 2015 2:04 PM
> To: PHP internals list; Anatol Belski
> Subject: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8
>
> Hi,
>
> At the moment the minimal OpenSSL version is 0.9.6.
>
> I realised yesterday that there are some type changes between 0.9.7 and
> 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate and
> related). I also noticed that 0.9.6 might not even compile without warnings as
> it's checking return type for some function that did not return anything in 0.9.6.
> We also have a few other old places where we don't check retval because of that.
>
> The thing is that the last update for 0.9.7 stable branch is in 2008 and
> 0.9.6 in 2005. Both of them have been long time EOL so I don't think that it
> makes any sense to spend any time on making them compatible for PHP 7.
> So I think we should bump minimal version to 0.9.8.
>
> Anatol, would you be ok if this is done for 7.0? I don't think that anyone would
> ever use PHP 7 and such an old version of OpenSSL together so there should be
> no issue IMHO.
>

0.9.8 as the lowest supported OpenSSL sounds plausible to me. Although the OpenSSL team announced EOL of the 0.9.8 and 1.0.0 series for the end of this year, distributions like CentOS will support it probably even longer (but not sure how they keep their 0.9.8 builds secure after its official EOL, probably some painful backporting). E.g., Debian old stable has OpenSSL 1.0.1. Still, 0.9.8 would be a plausible option for today's situation, IMHO. Maybe it can be raised once more at the PHP 7.1 times, but that's something to see then. If there are no objections, raising the requirement to 0.9.8 should be done for 7.0.

Regards

Anatol