require OpenSSL >= 1.0.2 and LibreSSL >= 3.1 #396
Merged
OpenSSL 3.0 support (#369) will need us to add new version guards. To keep it maintainable, I would like to do some cleanup before that happens.
Nearly 4 years have passed since OpenSSL 1.0.1's EOL and I think we are good with dropping it now. FWIW, rubyci.org at the moment has one instance running OpenSSL 1.0.1 - Ubuntu armv7l eabihf - which is Ubuntu 14.04 LTS.

The first commit updates code where we had explicit version guards. The following commits are to catch up with recent LibreSSL releases which merged features from OpenSSL.
require OpenSSL >= 1.0.2 and LibreSSL >= 3.1
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. However, we decided to keep
1.0.1 support at that time because many major Linux distributions were
still shipped with 1.0.1. Now, nearly 4 years later, most Linux
distributions are reaching their EOL and it should be safe to assume
nobody uses them anymore.
LibreSSL versions before 3.0 are no longer supported by the LibreSSL
team and 3.1 will also be unsupported by October 2020.
Note that OpenSSL 1.0.2 is also EOL since 2019-12-31 and 1.1.0 is since
2018-08-31, but we would need to keep them for some time.
ssl: call SSL_CTX_set_ecdh_auto() on OpenSSL 1.0.2 only
SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but
it is made no-op and the automatic curve selection cannot be disabled.
Wrap it with ifdef to make it clear that it is safe to remove it
completely when we drop support for OpenSSL 1.0.2.
ssl: use TLS_method() instead of SSLv23_method() for LibreSSL
LibreSSL 2.2.2 introduced TLS_method(), but with different semantics
from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method()
enabled all available versions, which included SSL 3.0 in addition.
However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now
TLS_method() and SSLv23_method() are equivalent.
ossl.c: do not set locking callbacks on LibreSSL
Similarly to OpenSSL >= 1.1.0, LibreSSL 2.9.0 ensures thread safety
without requiring applications to set locking callbacks and related
functions are made no-op.