openssl: drop support for old OpenSSL/LibreSSL versions #16104
`lib/vtls/wolfssl.c` enforces it via a hard #error. Cherry-picked from #16104
d578d51 to b5804c9
Looks good to me in general, but maybe we should announce that first? Going from 0.9.7 to 1.0.2a is quite a huge jump.
Or maybe go with a safer minimum first? From a usability perspective, 1.0.1 might make sense, which was the first version to support TLS 1.2 and 1.1. It was supported until January 1, 2017.
From a workaround perspective, even 0.9.8h would be great. It was supported until January 1, 2016.
In terms of cryptography and bugs, I think OpenSSL 1.0.1 and 0.9.8 did not age Is there any major platform using 1.0.1 or 0.9.8? curl is also deprecating TLS backends without TLS 1.3 support, in May. This The oldest version we CI test is 1.0.2 (in Old Linux). Hard to say if earlier Upgrading from those to 1.0.2 used to be easy (IIRC). Certainly not like the 1.1.0 For these reasons IMO abandoning 1.0.1 and older seems fine. Announcing it
OpenSSL 1.0.2 was first released on 22 January 2015, which makes it a nice round number: we drop support for the OpenSSL versions released > 10 years ago. No one building modern systems that care for security and functionality uses anything older. Those who do probably use older libcurl versions as well. I think this is a good change.
I bumped the minimum to 1.0.2a (2015-03-19), because it allowed to It should be trivial (and much recommended) to use the latest bugfix (The 10 years will also stand when this PR gets into the next release.)
Require OpenSSL 1.0.2a (2015-03-19) or LibreSSL 2.9.1 (2019-04-13).
w/o whitespace: https://github.com/curl/curl/pull/16104/files?w=1