Hi Jakub,

> -----Original Message-----
> From: jakub....@gmail.com [mailto:jakub....@gmail.com] On Behalf Of Jakub Zelenka
> Sent: Monday, September 14, 2015 2:04 PM
> To: PHP internals list <internals@lists.php.net>; Anatol Belski <anatol....@belski.net>
> Subject: [PHP-DEV] Bumping minimal OpenSSL version to 0.9.8
>
> Hi,
>
> At the moment the minimal OpenSSL version is 0.9.6.
>
> I realised yesterday that there are some type changes between 0.9.7 and
> 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate and
> related). I also noticed that 0.9.6 might not even compile without warnings as
> it's checking return type for some function that did not return anything in
> 0.9.6.
> We also have a few other old places where we don't check retval because of that.
>
> The thing is that the last update for 0.9.7 stable branch is in 2008 and
> 0.9.6 in 2005. Both of them have been EOL for a long time so I don't think that it
> makes any sense to spend any time on making them compatible for PHP 7.
> So I think we should bump minimal version to 0.9.8.
>
> Anatol would you be ok if this is done for 7.0? I don't think that anyone would
> ever use PHP 7 and such an old version of OpenSSL together so there should be
> no issue IMHO.
>

0.9.8 as the lowest supported OpenSSL sounds plausible to me. Although the OpenSSL team announced EOL of the 0.9.8 and 1.0.0 series for the end of this year, distributions like CentOS will support it probably even longer (but not sure how they keep their 0.9.8 builds secure after its official EOL, probably some painful backporting). E.g. Debian old stable has OpenSSL 1.0.1. Still, 0.9.8 would be a plausible option for today's situation, IMHO. Maybe it can be raised once more at the PHP 7.1 times, but that's something to see then. If there are no objections, raising the requirement to 0.9.8 should be done for 7.0.

Regards

Anatol