Update to openssl 3.0 LTS stable branch #133

Closed

@syphyr syphyr commented Oct 19, 2023

OpenSSL 1.1.1 reached EOL on 11th September 2023 and is no longer getting security updates.

syphyr commented Apr 4, 2024

Rebased to latest on 3.0 Stable LTS branch

bitmold commented Apr 7, 2024

Thanks for this, we absolutely need to move to openssl3.

The branch that you pulled from openssl3.3 contains ongoing work for v3.3.0, which is in beta. I'm going to use the last stable release 3.2.1 until openssl properly releases the next version.

@bitmold bitmold closed this Apr 7, 2024

syphyr commented Apr 7, 2024

The branch this is pulled from is openssl-3.0, not 3.3. I would recommend using the latest LTS branch, which is 3.0.

bitmold commented Apr 7, 2024

Sorry, I meant the branch openssl-3.0 contains code that is currently beta. If you look at the releases for openssl, the latest non-beta and stable release is 3.2.1.

syphyr commented Apr 7, 2024

> Sorry, I meant the branch openssl-3.0 contains code that is currently beta. If you look at the releases for openssl, the latest non-beta and stable release is 3.2.1.

I thought it was 3.0.13.

syphyr commented Apr 7, 2024

The latest stable version is the 3.2 series supported until 23rd November 2025. Also available is the 3.1 series supported until 14th March 2025, and the 3.0 series which is a Long Term Support (LTS) version and is supported until 7th September 2026.

But using LTS would be easier to maintain.

syphyr commented Apr 7, 2024

The latest beta version is 3.3.0. I was using the latest stable LTS branch, which is version 3.0.13. Actually, it would be 3.0.14-dev if you pulled the latest from the openssl-3.0 branch. The 3.0.13 version is definitely not beta.

bitmold commented Apr 7, 2024

If I check out your branch and then run:

./tor-droid-make.sh fetch 
cd external/openssl
git log -n 1 

you get a commit from just a few days ago, not something from any of the stable releases:

commit 3cd67d10b6bd182a8006dfc04bb48d4dedce82e5 (HEAD, origin/openssl-3.0)
Author: Dmitry Misharov <dmitry@openssl.org>
Date:   Wed Apr 3 13:47:39 2024 +0200

    downgrade upload-artifact action to v3
    
    GitHub Enterpise Server is not compatible with upload-artifact@v4+.
    https://github.com/actions/upload-artifact/tree/v4
    
    Reviewed-by: Hugo Landau <hlandau@openssl.org>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/24029)
    
    (cherry picked from commit 089271601a1d085f33ef7b7d8c3b6879045be370)

bitmold commented Apr 7, 2024

You are right, we want 3.0.13 LTS like Tor Browser uses.

To get this, on my WIP branch I used the release tag openssl used rather than pulling from any particular branch:

cd external/openssl 
git checkout openssl-3.0.13

syphyr commented Apr 7, 2024

> You are right, we want 3.0.13 LTS like Tor Browser uses.
>
> To get this, on my WIP branch I used the release tag openssl used rather than pulling from any particular branch:
>
> cd external/openssl
> git checkout openssl-3.0.13

Why not use the HEAD of the openssl-3.0 branch, which is openssl-3.0.13-47-g3cd67d10b6? You would be getting an additional 47 commits.

syphyr commented Apr 7, 2024

git checkout -b openssl-3.0 origin/openssl-3.0

syphyr commented Apr 7, 2024

The reason why I would choose HEAD over a release tag on an LTS branch is because every change on the LTS branch is either a CVE or bugfix. Nothing additional. Chances are the latest commit is the best one.

bitmold commented May 2, 2024

There aren't any CVE/bugfixes added onto that branch! In fact, whenever there is a CVE they immediately make a new release since it is a critical vulnerability.
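The tag-versus-branch question in this thread can be checked mechanically. The following is an added example, not part of the conversation or of the project's build scripts: it parses `git describe --tags --long` output such as the `openssl-3.0.13-47-g3cd67d10b6` string quoted above and reports whether a checkout sits exactly on the expected release tag. The function names are hypothetical, and the `external/openssl` path and `openssl-3.0.13` tag are taken from the thread.

```shell
#!/bin/sh
# Added example: classify a vendored checkout as "on a release tag" or
# "N commits past it". Function names are hypothetical.

# parse_describe: split `git describe --tags --long` output of the form
#   <tag>-<commits-since-tag>-g<abbrev-hash>
# Prints "<tag> <commits> <hash>"; returns 1 if the string does not match.
parse_describe() {
    desc=$1
    hash=${desc##*-g}                   # text after the last "-g"
    [ "$hash" != "$desc" ] || return 1  # no "-g<hash>" suffix present
    rest=${desc%-g*}                    # "<tag>-<commits>"
    count=${rest##*-}
    tag=${rest%-*}
    case $count in ''|*[!0-9]*) return 1 ;; esac
    case $hash in ''|*[!0-9a-f]*) return 1 ;; esac
    [ -n "$tag" ] && [ "$tag" != "$rest" ] || return 1
    printf '%s %s %s\n' "$tag" "$count" "$hash"
}

# pin_status: compare a describe string with the expected release tag.
# Prints "release", "ahead:<n>", "wrong-tag:<tag>" or "unparseable";
# returns 0 only for "release", so it can gate a build step.
pin_status() {
    expected=$1
    parsed=$(parse_describe "$2") || { echo "unparseable"; return 1; }
    p_tag=${parsed%% *}
    p_rest=${parsed#* }
    p_count=${p_rest%% *}
    if [ "$p_tag" != "$expected" ]; then
        echo "wrong-tag:$p_tag"; return 1
    elif [ "$p_count" -ne 0 ]; then
        echo "ahead:$p_count"; return 1
    fi
    echo "release"
}

# check_submodule: run the gate against a real checkout, for example
#   check_submodule external/openssl openssl-3.0.13
# Returns 2 if git cannot describe the checkout at all.
check_submodule() {
    dir=$1 expected=$2
    desc=$(git -C "$dir" describe --tags --long --match 'openssl-*') || return 2
    pin_status "$expected" "$desc"
}
```

For the branch HEAD discussed above, `pin_status openssl-3.0.13 openssl-3.0.13-47-g3cd67d10b6` prints `ahead:47` and returns non-zero.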
