Hi,
At the moment the minimal OpenSSL version is 0.9.6.
I realised yesterday that there are some type changes between 0.9.7 and 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate and related). I also noticed that 0.9.6 might not even compile without warnings, as it's checking the return type of some function that did not return anything in 0.9.6. We also have a few other old places where we don't check the retval because of that.
The thing is that the last update for the 0.9.7 stable branch was in 2008 and for 0.9.6 in 2005. Both of them have been EOL for a long time, so I don't think it makes any sense to spend any time on making them compatible with PHP 7.
So I think we should bump the minimal version to 0.9.8.
Anatol, would you be OK if this is done for 7.0? I don't think that anyone would ever use PHP 7 and such an old version of OpenSSL together, so there should be no issue IMHO.
Cheers
Jakub
Hi Jakub,
-----Original Message-----
From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub
Zelenka
Sent: Monday, September 14, 2015 2:04 PM
To: PHP internals list internals@lists.php.net; Anatol Belski
anatol.php@belski.net
Subject: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8
0.9.8 as the lowest supported OpenSSL sounds plausible to me. Despite the OpenSSL team having announced EOL of the 0.9.8 and 1.0.0 series for the end of this year, distributions like CentOS will probably support it even longer (but I'm not sure how they keep their 0.9.8 builds secure after its official EOL, probably some painful backporting). E.g. Debian old stable has OpenSSL 1.0.1. Still, 0.9.8 is a plausible option for today's situation, IMHO. Maybe it can be raised once more around PHP 7.1 time, but that's something to see then. If there are no objections, raising the requirement to 0.9.8 should be done for 7.0.
Regards
Anatol
Hi Anatol,
On Mon, Sep 14, 2015 at 9:17 PM, Anatol Belski anatol.php@belski.net
wrote:
Cool. I will wait a few days; if no one objects, I'll bump it to 0.9.8 in the 7.0 branch. As you say, it will be EOL at the end of the year, so we can consider another bump (maybe for 7.1) then... :)
Cheers
Jakub
No one should be using anything less than 0.9.8 latest. Allowing
anything less than 0.9.8 should be considered a security vulnerability
in PHP.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
On 14/09/2015 14:03, Jakub Zelenka wrote:
+1
RHEL-7 has 1.0.1e
RHEL-6 has 1.0.1e
RHEL-5 has 0.9.8e (and already doesn't support PHP 7)
Remi
Remi Collet wrote on 15/09/2015 14:14:
FYI, Debian is similar:
Squeeze: 0.9.8o
Wheezy: 1.0.1e
Jessie: 1.0.1k
Stretch: 1.0.2d