Hi

On Thu, Jan 28, 2016 at 2:44 PM, Bishop Bettini <bis...@php.net> wrote:

> On Thu, Jan 28, 2016 at 8:39 AM, Jakub Zelenka <bu...@php.net> wrote:
>
>> I would like to bump the minimal OpenSSL version to 1.0.1 in our master. It
>> means dropping support for OpenSSL 0.9.8 and 1.0.0 in master. Both of these
>> versions are EOL as of 2015/12/31 and users should not use them. It will
>> help with maintainability (simplify code and testing) and porting to
>> OpenSSL 1.1.0.
>>
>> This would be just for master, which means the next minor version (7.1). We
>> already quickly discussed this in
>> https://www.mail-archive.com/internals@lists.php.net/msg80502.html some
>> time ago and I think that now is the right time to do that (before looking
>> at OpenSSL 1.1 compatibility).
>>
>> Are there any objections?
>
> No objection to the requirement. Perhaps we should "recommend" 1.0.1r+ and
> 1.0.2f+, because of security vulnerabilities in earlier versions:
>
> https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
>

I wouldn't go too far. The thing is that some distros pick one version and then apply their security patches on top of it. For example RHEL 7 picked 1.0.1e and then it has releases like openssl-1.0.1e-51.el7 (not sure if it's the last one... :) ) which still have the security fixes. Also I'm almost sure that new vulnerabilities will happen and we would have to bump that recommendation every time it happens. From our point of view, the most important things are the API changes and the range of versions that we need to test. So bumping the requirement to 1.0.1 will be enough IMHO ;)

Anyway thanks for your feedback!

Cheers

Jakub