
@bagder
Member

@bagder bagder commented Nov 19, 2025

Release date 2018-12-01. Has TLS 1.3 support.

@bagder bagder added the TLS label Nov 19, 2025
@bagder bagder marked this pull request as ready for review November 19, 2025 14:07
@bagder
Member Author

bagder commented Nov 19, 2025

The Linux old job uses GnuTLS 3.5.8 it seems!

@vszakats
Member

vszakats commented Nov 19, 2025

Old Linux has OpenSSL 1.0.2, and I moved to GnuTLS to keep TLS.
wolfSSL might work, but it's missing pre-Bullseye as per
https://sources.debian.org/src/wolfssl/, so probably not easy.

Option is maybe installing something manually from a newer release
that fits? or bumping to a Linux just old enough to have a supported backend,
or bumping minimum to 3.5.8 (2017-01-09, -2 years compared to 3.6.5) only.

We could also build and cache a supported version there, but I don't
know how to cache in a container and it may be a rabbit hole to make the
build work.

@bagder
Member Author

bagder commented Nov 20, 2025

> or bumping minimum to 3.5.8

Right, but I think it makes sense to raise it to a TLS 1.3 capable version. Still seven years old.

@bagder bagder force-pushed the bagder/gnutls-3.6.5 branch from 737ab6b to 5ac4987 Compare November 20, 2025 21:14
@bagder
Member Author

bagder commented Nov 20, 2025

So maybe bump linux-old to Debian bullseye or something?

@dfandrich
Contributor

dfandrich commented Nov 20, 2025 via email

@vszakats
Member

> Leaving linux-old at the current version allows us to test old build tools, especially cmake, autotools & perl. I would rather leave the current linux-old alone so we can verify those even if it means dropping some dependencies. I think it's more important to verify those fundamental build tools than being able to test more old libraries.

Agreed, a TLS-less job would still be useful for this.

That said, I wouldn't mind a CMake bump to 3.17 (6y old,
vs current 3.7.2 which is 10yo). More details at
#18704. If we decide
to do it, it may allow bumping Linux old too and restore TLS,
perhaps also libssh2 that we had to let go earlier.

@bagder
Member Author

bagder commented Nov 21, 2025

I just suspect we test older versions than we need to, thus taking on more work than necessary. I think Debian Bullseye could be a fair oldest Linux to test on for now.

Freexian offers LTS services for older releases, sure, but I don't think we need to bend over backwards to help their business when it comes at a cost for us.

Release date 2018-12-01. Has TLS 1.3 support.
There are no supported TLS libraries left in "stretch".
@bagder bagder force-pushed the bagder/gnutls-3.6.5 branch from 5ac4987 to 016171a Compare November 21, 2025 08:20
@github-actions github-actions bot added the CI Continuous Integration label Nov 21, 2025
@bagder bagder closed this in 49ab46c Nov 21, 2025
@bagder bagder deleted the bagder/gnutls-3.6.5 branch November 21, 2025 10:03