PHP 8.1 and OpenSSL

+1, we don't want to bundle and maintain and monkey-patch 1.1.1
ourselves for 14.4 months,
which I guess would be the alternative.

Hi all!

While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.

So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).

Thoughts? Objections?

[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.php.net/supported-versions.php

--
Christoph M. Becker

--

To unsubscribe, visit: https://www.php.net/unsub.php

"Christoph M. Becker" in php.internals (Wed, 18 Jan 2023 13:20:41 +0100):

Hi all!

While the official builds for PHP 8.2 already use OpenSSL 3.0, the PHP
8.1 builds are still using OpenSSL 1.1.1. However, OpenSSL 1.1.1 is
only supported till 2023-09-11[1], while PHP 8.1 is supported till
2024-11-25[2]. Although I don't like bumping the OpenSSL version in the
middle of PHP 8.1's lifetime, I suppose it is necessary to avoid falling
behind security support. And if we do that bump, we better do it sooner
than later.

So, if there are no unforeseen problems, I suggest to build PHP
8.1.16RC1 with OpenSSL 3.0 (PHP 8.1.15RC1 has already been built with
OpenSSL 1.1.1).

I do not mind, but I just noticed that even the official PHP 8.1.19 RC1
still ships with OpenSSL 1.1.1. What is the status?

Jan