Newsgroups: php.internals
Subject: Re: [PHP-DEV] Bumping minimal OpenSSL version to 1.0.1 in master for PHP 7.1
From: bukka@php.net (Jakub Zelenka)
To: Bishop Bettini
Cc: PHP internals list
Date: Thu, 28 Jan 2016 15:17:44 +0000

Hi

On Thu, Jan 28, 2016 at 2:44 PM, Bishop Bettini wrote:
> On Thu, Jan 28, 2016 at 8:39 AM, Jakub Zelenka wrote:
>
>> I would like to bump a minimal OpenSSL version to 1.0.1 in our master. It
>> means dropping support for OpenSSL 0.9.8 and 1.0.0 in master. Both of these
>> versions are EOL as of 2015/12/31 and users should not use them. It will
>> help with maintainability (simplify code and testing) and porting to
>> OpenSSL 1.1.0.
>>
>> This would be just for master which means next minor version (7.1). We
>> already quickly discussed this in
>> https://www.mail-archive.com/internals@lists.php.net/msg80502.html some
>> time ago and I think that now is the right time to do that (before looking
>> to OpenSSL 1.1 compatibility).
>>
>> Are there any objections?
>
> No objection to the requirement. Perhaps we should "recommend" 1.0.1r+ and
> 1.0.2f+, because of security vulnerabilities in earlier versions:
>
> https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
>

I wouldn't go too far. The thing is that some distros pick one version and
then apply their security patches on top of it. For example RHEL 7 picked
1.0.1e and then it has releases like openssl-1.0.1e-51.el7 (not sure if it's
the last one... :) ) which still have the security fixes. Also I'm almost sure
that new vulnerabilities will happen and we would have to bump that
recommendation every time it happens. From our point of view, the most
important things are the API changes and the range of versions that we need
to test. So bumping the requirement to 1.0.1 will be enough IMHO ;)

Anyway thanks for your feedback!

Cheers

Jakub
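The version floor the thread settles on, as an added C example that is not from the thread or from PHP's own ext/openssl: it decodes OpenSSL's OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS) and gates on major.minor.fix only, since the patch letter is what distros like RHEL keep frozen while backporting fixes. It builds without OpenSSL headers; FAKE_OPENSSL_VERSION_NUMBER and MIN_OPENSSL_VERSION_NUMBER are constructed stand-ins, and all function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OPENSSL_VERSION_NUMBER from <openssl/opensslv.h>,
 * set to what OpenSSL 1.0.1e (release) reports. Layout 0xMNNFFPPS:
 * M = major, NN = minor, FF = fix, PP = patch letter (1 = 'a'),
 * S = status (0xf = release, anything else = dev/beta). */
#define FAKE_OPENSSL_VERSION_NUMBER 0x1000105fL
/* The floor proposed in the thread: 1.0.1 with any patch letter. */
#define MIN_OPENSSL_VERSION_NUMBER  0x10001000L

/* Compile-time gate, the way a C extension refuses to build on 0.9.8/1.0.0. */
#if FAKE_OPENSSL_VERSION_NUMBER < MIN_OPENSSL_VERSION_NUMBER
#error "OpenSSL >= 1.0.1 is required"
#endif

/* Render an encoded version number as the familiar "1.0.1e" string. */
void openssl_version_string(unsigned long v, char *out, size_t outlen)
{
    unsigned major  = (unsigned)(v >> 28) & 0xf;
    unsigned minor  = (unsigned)(v >> 20) & 0xff;
    unsigned fix    = (unsigned)(v >> 12) & 0xff;
    unsigned patch  = (unsigned)(v >> 4)  & 0xff;
    unsigned status = (unsigned)v & 0xf;
    char letter[2] = { 0, 0 };

    if (patch > 0 && patch <= 26)          /* single-letter patch releases only */
        letter[0] = (char)('a' + patch - 1);
    snprintf(out, outlen, "%u.%u.%u%s%s", major, minor, fix, letter,
             status == 0xf ? "" : "-pre");
}

/* Returns 1 when v renders exactly as expect (helper for checks/tests). */
int openssl_version_string_is(unsigned long v, const char *expect)
{
    char buf[32];
    openssl_version_string(v, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* Compare major.minor.fix only: a distro build such as openssl-1.0.1e-51.el7
 * keeps the 'e' forever while carrying the backported fixes, so a floor of
 * 1.0.1r would reject patched builds and prove nothing about which fixes
 * are present. API compatibility is what the fix level actually signals. */
int openssl_meets_minimum(unsigned long have, unsigned long min)
{
    return (have & 0xfffff000UL) >= (min & 0xfffff000UL);
}
```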