Newsgroups: php.internals
Date: Tue, 15 Sep 2015 19:46:06 +0100
Subject: Re: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8
From: bukka@php.net (Jakub Zelenka)
To: Anatol Belski
Cc: PHP internals list

Hi Anatol,

On Mon, Sep 14, 2015 at 9:17 PM, Anatol Belski wrote:

> Hi Jakub,
>
> > At the moment the minimal OpenSSL version is 0.9.6.
> >
> > I realised yesterday that there are some type changes between 0.9.7 and
> > 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate
> > and related). I also noticed that 0.9.6 might not even compile without
> > warnings as it's checking the return type for some function that did not
> > return anything in 0.9.6. We also have a few other old places where we
> > don't check retval because of that.
> >
> > The thing is that the last update for the 0.9.7 stable branch is in 2008
> > and 0.9.6 in 2005. Both of them have been long time EOL so I don't think
> > that it makes any sense to spend any time on making them compatible for
> > PHP 7. So I think we should bump the minimal version to 0.9.8.
> >
> > Anatol, would you be ok if this is done for 7.0? I don't think that anyone
> > would ever use PHP 7 and such an old version of OpenSSL together so there
> > should be no issue IMHO.
>
> 0.9.8 as the lowest supported OpenSSL sounds plausible to me. Despite the
> OpenSSL team announced EOL of the 0.9.8 and 1.0.0 series for the end of
> this year, distributions like CentOS will support it probably even longer
> (but not sure how they keep their 0.9.8 builds secure after its official
> EOL, probably some painful backporting). F.e. Debian old stable has OpenSSL
> 1.0.1. Still 0.9.8 were a plausible option for today's situation, IMHO.
> Maybe it can be raised once more at the PHP 7.1 times, but that's something
> to see then. If there are no objections, raising the requirement to 0.9.8
> should be done for 7.0

Cool. I will wait a few days; if no one objects, I'll bump it to 0.9.8 in the
7.0 branch. As you say it will be EOL at the end of the year so we can
consider other bumping (maybe for 7.1) then... :)

Cheers

Jakub