Hi Anatol,

On Mon, Sep 14, 2015 at 9:17 PM, Anatol Belski <anatol....@belski.net> wrote:
> Hi Jakub,
>
> > At the moment the minimal OpenSSL version is 0.9.6.
> >
> > I realised yesterday that there are some type changes between 0.9.7 and
> > 0.9.8 that would have to be addressed in overflow checks (EVP_DigestUpdate
> > and related). I also noticed that 0.9.6 might not even compile without
> > warnings as it's checking return type for some function that did not
> > return anything in 0.9.6. We also have a few other old places where we
> > don't check retval because of that.
> >
> > The thing is that the last update for 0.9.7 stable branch is in 2008 and
> > 0.9.6 in 2005. Both of them have been long time EOL so I don't think that
> > it makes any sense to spend any time on making them compatible for PHP 7.
> > So I think we should bump minimal version to 0.9.8.
> >
> > Anatol would you be ok if this is done for 7.0? I don't think that anyone
> > would ever use PHP 7 and such an old version of OpenSSL together so there
> > should be no issue IMHO.
> >
>
> 0.9.8 as the lowest supported OpenSSL sounds plausible to me. Despite the
> OpenSSL team announced EOL of the 0.9.8 and 1.0.0 series for the end of
> this year, distributions like CentOS will support it probably even longer
> (but not sure how they keep their 0.9.8 builds secure after its official
> EOL, probably some painful backporting). E.g. Debian old stable has OpenSSL
> 1.0.1. Still 0.9.8 were a plausible option for today's situation, IMHO.
> Maybe it can be raised once more at the PHP 7.1 times, but that's something
> to see then. If there are no objections, raising the requirement to 0.9.8
> should be done for 7.0
>

Cool. I will wait a few days; if no one objects, I'll bump it to 0.9.8 in the 7.0
branch. As you say it will be EOL end of the year so we can consider other
bumping (maybe for 7.1) then... :)

Cheers

Jakub