Hi,
I would like to bump the minimal OpenSSL version to 1.0.1 in our master. It means dropping support for OpenSSL 0.9.8 and 1.0.0 in master. Both of these versions are EOL as of 2015/12/31 and users should not use them. It will help with maintainability (simplify code and testing) and porting to OpenSSL 1.1.0.
This would be just for master, which means the next minor version (7.1). We already quickly discussed this in https://www.mail-archive.com/internals@lists.php.net/msg80502.html some time ago and I think that now is the right time to do that (before looking into OpenSSL 1.1 compatibility).
Are there any objections?
Cheers
Jakub
No objection to the requirement. Perhaps we should "recommend" 1.0.1r+ and
1.0.2f+, because of security vulnerabilities in earlier versions:
https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
I wouldn't go too far. The thing is that some distros pick one version and then apply their security patches on top of it. For example RHEL 7 picked 1.0.1e and then it has releases like openssl-1.0.1e-51.el7 (not sure if it's the last one... :) ) which still has the security fixes. Also I'm almost sure that new vulnerabilities will happen and we would have to bump that recommendation every time it happens. From our point of view, the most important things are the API changes and the range of versions that we need to test. So bumping the requirement to 1.0.1 will be enough IMHO ;)
Anyway thanks for your feedback!
Cheers
Jakub
Hi Jakub,
-----Original Message-----
From: jakub.php@gmail.com [mailto:jakub.php@gmail.com] On Behalf Of Jakub Zelenka
Sent: Thursday, January 28, 2016 2:39 PM
To: PHP internals list internals@lists.php.net
Subject: [PHP-DEV] Bumping minimal OpenSSL version to 1.0.1 in master for PHP 7.1
Yeah, we were discussing that. Probably now is the correct timeframe to handle it. IMHO that would be a sufficient move.
Regards
Anatol
Hi,
I am all for it. Thanks for your work!
Pierre
Hi,
Bob has made a point about Mac OS X where the system lib is still 0.9.8. Although the lib and headers seem to be removed in OS X 10.11, there are still users of 10.10 and earlier. The system OpenSSL lib is deprecated [1] and it's a bit unclear if it's still getting security fixes (haven't found any official Apple info about that but I might have missed it) but I guess it still might be patched by Apple. Also it might become a bit tricky for some users on Mac to compile PHP after we bump the minimal OpenSSL version.
For that reason I'm thinking about postponing this. I would also love to hear your thoughts and, if someone is able to dig up the OS X OpenSSL support info, that would be great too!
Cheers
Jakub
Hi!
As somebody working almost exclusively on OS X for my php builds for the
last couple of years - I don't care too much what Apple ships or does
not ship by default. It's usually out-of-date and hard to use anyway.
And many libraries aren't there so you have to use external packages in
any case, and if you already do, homebrew is one of the best.
It's much easier to spend a little time once and install all necessary
libs from homebrew and build against that. So for master, I wouldn't
have too many worries in this regard.
BTW, homebrew is now on 1.0.2g. Which is not latest-greatest, but not
bad. And it is also not hard to use more recent sources IIRC.
Stas Malyshev
smalyshev@gmail.com
hi,
I agree with Stas about OSX. It will take (a lot of) time until Apple
ships 7.1 with OSX. Most developers use either a VM, homebrew or an
alternative due to many outdated components. They do provide latest
versions as far as I remember.
All in all I think we should drop these features and also require 1.x.
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
Hi,
I have been thinking about it more and I think you are right. We should drop the support for 0.9.8 and 1.0.0 that are EOL. Just the fact that Apple deprecated it and suggested not using the system lib says a lot. When we add that OS X 10.11 (El Capitan) doesn't even ship header and lib files and the back-patching is probably not great, then there is probably no reason to keep it for the cost of the maintenance of these old versions, which slows down the development of the openssl ext. Especially after I add support for OpenSSL 1.1.
Unless someone has got a strong feeling and good reason why we shouldn't
drop it, I will bump the minimal version in the next couple of days.
Thanks for the feedback!
P.S. forgot to send link for the Apple info about OpenSSL before so here it
is :) :
Cheers
Jakub
2016-07-15 18:30 GMT+02:00 Jakub Zelenka bukka@php.net:
I'm not sure, but I guess it would be good if this happened before feature
freeze / beta1 which will be tagged on 18th / 19th July.
Regards, Niklas
Yes, it's been merged!
Cheers
Jakub
OpenSSL support for 1.0.1 will end this year.
Support for version 1.0.1 will cease on 2016-12-31. No further releases of
1.0.1 will be made after that date. Security fixes only will be applied to
1.0.1 until then.
Version 1.0.0 is no longer supported.
Version 0.9.8 is no longer supported.
We dropped 0.9.8 and 1.0.0 in 7.1.
Should we drop support for 1.0.1 in master, so it's dropped for 7.2 then,
as it will be unsupported then?
Regards, Niklas
Will support also then be dropped for LibreSSL? It was forked from 1.0.1g
Right now it is a minority player but I really prefer it over OpenSSL.
I can discuss why but there are lots of discussions on that if the
points aren't already heard.
I think some distros like RHEL 6 and 7 still use 1.0.1e and apply security and possibly other patches, so the support should be much longer.
CC'd Remi as he probably knows more about that and can confirm how it is with the support of OpenSSL in RHEL.
Cheers
Jakub
Please no.
Ubuntu's 14.04 LTS is on 1.0.1f and gets security backports. EOL is April 2019.
Unless there is a hard reason (API changes or whatever) that PHP 7.2 absolutely cannot live without, it's a bad idea, as folks on 14.04 or similar (think RHEL etc) then have to either rely on third parties for updates, or vendor in a newer version, even though their system libssl is still receiving security updates.
David
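Jakub's point about RHEL's patched 1.0.1e and David's about Ubuntu 14.04's 1.0.1f is that the version number a build sees cannot distinguish a distro-patched library from an unpatched upstream tarball. The following is an added example, not code from the thread or from php-src: it encodes version strings the way OPENSSL_VERSION_NUMBER (0xMNNFFPPS) does, so the comparison a C `#if` guard makes can be tried against the versions named above. The minimum and the recommended-release table are taken from the thread; `check_build_version`, its verdict strings and the sample distro tags are my own constructions, not PHP's configure logic.

```python
import re

# Pre-3.0 OpenSSL version strings: major.minor.fix plus an optional patch letter.
# Only single-letter patches (a-y) are handled; the 0.9.8z* series is not modelled.
_VERSION_RE = re.compile(r"^(\d)\.(\d+)\.(\d+)([a-y])?$")

MIN_VERSION = "1.0.1"                                   # floor the thread settled on for PHP 7.1
RECOMMENDED = {"1.0.1": "1.0.1r", "1.0.2": "1.0.2f"}    # fixed upstream releases named in the thread


def openssl_version_number(version: str) -> int:
    """Encode '1.0.1e' in the OPENSSL_VERSION_NUMBER layout 0xMNNFFPPS.

    M = major (4 bits), NN = minor, FF = fix, PP = patch letter (a=1, b=2, ...),
    S = status nibble, 0xf meaning a final release.  Mirrors opensslv.h.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported OpenSSL version string: {version!r}")
    major, minor, fix, patch = m.groups()
    patch_num = ord(patch) - ord("a") + 1 if patch else 0
    return (int(major) << 28) | (int(minor) << 20) | (int(fix) << 12) | (patch_num << 4) | 0xF


def split_distro_version(s: str):
    """'1.0.1e-51.el7' -> ('1.0.1e', '51.el7'); a plain upstream version -> (s, None)."""
    upstream, _, release = s.partition("-")
    return upstream, (release or None)


def check_build_version(s: str) -> str:
    """Apply the thread's policy to a version string (constructed verdict names).

    'reject'      - below the 1.0.1 floor, as the C guard would decide.
    'accept-warn' - unpatched upstream tarball older than the release that carried
                    the fixes; the number alone shows it is missing them.
    'accept'      - at or above the recommended release, or a distro-tagged build,
                    whose backported fixes the version number cannot reveal.
    """
    upstream, release = split_distro_version(s)
    num = openssl_version_number(upstream)
    if num < openssl_version_number(MIN_VERSION):
        return "reject"
    branch = ".".join(_VERSION_RE.match(upstream).groups()[:3])
    recommended = RECOMMENDED.get(branch)
    if recommended and release is None and num < openssl_version_number(recommended):
        return "accept-warn"
    return "accept"


if __name__ == "__main__":
    # Constructed sample input: the versions discussed in the thread.
    for v in ["0.9.8", "1.0.0", "1.0.1e", "1.0.1e-51.el7", "1.0.1f-1ubuntu2.19", "1.0.2g"]:
        print(f"{v:<22} 0x{openssl_version_number(split_distro_version(v)[0]):08x}  {check_build_version(v)}")
```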