Upgrade OpenSSL to 1.1.1 #4267

Closed

fcharlie opened this issue Sep 12, 2018 · 52 comments

fcharlie (Contributor) commented Sep 12, 2018

Good news: OpenSSL 1.1.1 has been released, and it supports TLS 1.3 (RFC 8446).
OpenSSL 1.1.1 is the new LTS. OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0.

Support for various new cryptographic algorithms including:

  • SHA3
  • SHA512/224 and SHA512/256
  • EdDSA (including Ed25519 and Ed448)
  • X448 (adding to the existing X25519 support in 1.1.0)
  • Multi-prime RSA
  • SM2
  • SM3
  • SM4
  • SipHash
  • ARIA (including TLS support)

In fact, some ports cannot be upgraded to their latest version because the version of openssl in vcpkg is too low, such as libssh.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.

It's time to upgrade OpenSSL.

See: https://www.openssl.org/blog/blog/2018/09/11/release111/

Here are the ports that depend on openssl:

| Port | Supports OpenSSL 1.1.1 |
| --- | --- |
| librabbitmq | |
| aws-sdk-cpp | |
| wt | |
| azure-c-shared-utility | |
| libimobiledevice | |
| yara | |
| libwebsockets | |
| podofo | |
| thrift | |
| ffmpeg | |
| qpid-proton | |
| folly | |
| libssh | ✔ (0.8.* only supports 1.1.*; 2019-07: moved to mbedTLS) |
| paho-mqtt | |
| websocketpp | |
| apr-util | |
| libarchive | |
| cppcms | |
| libmysql | |
| mongo-c-driver | |
| fastrtps | |
| freerdp | |
| qt5-base | ✔ (5.13) |
| caf | |
| curl | |
| opusfile | |
| librtmp | |
| libevent | |
| mosquitto | |
| uwebsockets | |
| libgit2 | |
| libpq | ✔ (11.4 test OK, Ubuntu 18.04, apt-installed openssl 1.1.1) |
| boost-asio | |
| cpprestsdk | |
| libtorrent | |
| wangle | |
| grpc | |
| libssh2 | |

fcharlie (Contributor, Author) commented Sep 12, 2018

madig commented Sep 13, 2018

I think this calls for splitting the openssl package into a 1.0.x and 1.1.x branch. The API changed considerably in 1.1.x and older applications must be updated...

zhulika commented Oct 27, 2018

In case someone else is tripped up by this, I'd like to point out that this problem may also cause vcpkg's integration for Visual Studio to break other projects. It may not spring to mind when you first see the errors, because openssl tends to be installed implicitly as a dependency by vcpkg, but vcpkg's version of OpenSSL will take precedence during the link phase over any local copy of OpenSSL that is part of the project's distribution.

I have just spent some time tracing the cause of a bunch of duplicate-symbol linker errors when trying to build NodeJS and it turned out to have been the copy of OpenSSL 1.0.2 that is being inserted at the top of MSBUILD's stack by vcpkg's integration with Visual Studio.

fcharlie (Contributor, Author) commented Oct 29, 2018

@ras0219-msft @alexkaratarakis Only a handful of ports do not support OpenSSL 1.1.1.

alexkaratarakis (Contributor) commented Oct 30, 2018

Very nice! qt5 concerns me a bit; the others look more easily patchable.

fcharlie (Contributor, Author) commented Oct 31, 2018

anluoma commented Jan 9, 2019

Just asking: are we waiting for the Qt bug to be resolved before this gets fixed? We are interested in updating to 1.1.1 as well. Or is my assumption wrong?

jozefizso (Contributor) commented Feb 18, 2019

Is there an OpenSSL 1.1 port available which can be used internally?

It looks like Qt will block this port for some time.

Rastaban (Contributor) commented Mar 5, 2019

It looks like PR #4983 may be dependent on this.

mjaafar (Contributor) commented Mar 5, 2019

Hi there, I want to know if there is any chance that it supports EVP_sha256. Thanks, because I do need it in my integration (#5529).

On the other hand, if there is any possibility, could you check whether there is an option in the configuration that is easy and fast to activate?

mjaafar (Contributor) commented Mar 9, 2019

The issue is related to configuring the default options, which put sha256 in the "no" options. I hope that in the openssl 1.1.1 integration it will be activated. @fcharlie

LilyWangL added the "port update" label and removed the "port feature" label, Apr 16, 2019

illera88 commented Apr 19, 2019

Any update here? There are several ports that depend on this.

fcharlie (Contributor, Author) commented Apr 19, 2019

@illera88 It seems difficult; the OpenSSL 1.1.1 port for UWP has been without movement for a long time. I recommend that you build your own OpenSSL 1.1.1, which is much better than waiting for it to be built with vcpkg.

HLXEasy commented May 4, 2019

Is there some kind of a roadmap? It would be very cool to use the whole vcpkg content but as long as OpenSSL is stuck on 1.0.x, it's impossible to migrate.

MouriNaruto commented May 12, 2019

I have opened a new PR in the official OpenSSL repo. (openssl/openssl#8917)

HLXEasy commented Jun 9, 2019

Any news here?

illera88 commented Jun 10, 2019

Waiting for OpenSSL devs to merge openssl/openssl#8917

HLXEasy commented Jun 10, 2019

Nice, openssl/openssl#8917 got merged some minutes ago.

HLXEasy commented Jun 10, 2019

@MouriNaruto What do you think? Which steps are the next ones to get this PR closed?

MouriNaruto commented Jun 10, 2019

@HLXEasy I have opened an issue. (openssl/openssl#9125)

illera88 commented Jun 18, 2019

kelteseth commented Jun 19, 2019

@illera88 Qt 5.13 Apps now require OpenSSL 1.1.1 and Qt itself does not ship it with the binaries. I was hoping to simply use vcpkg for this...

wegylexy commented Sep 11, 2019

It's been a year. I realize that OpenSSL changed a lot since 1.1.0 for building on Windows. Has someone got the time to make any progress?

fcharlie (Contributor, Author) commented Sep 12, 2019

OpenSSL 1.0.2 EOL 2019-12-31

Reference: https://www.openssl.org/news/secadv/20190910.txt

OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019.

fcharlie (Contributor, Author) commented Sep 13, 2019

The current upgrade to openssl 1.1.1 has been successful, but many ports have not been tested.
Branch: https://github.com/fcharlie/vcpkg/tree/openssl
PR: #8142

alcroito (Contributor) commented Sep 17, 2019

Would like to chime in and say that Qt 6 built with CMake would also benefit from having openssl 1.1 in vcpkg, instead of forcing users to download and install a package manually.

dilin-MS commented Dec 9, 2019

Hi, any update on openssl exposing an option to override the version instead of being hardcoded to 1.0.2s?

We rely on the azure iot c sdk, which depends on openssl. This openssl vcpkg being hardcoded to 1.0.2 causes the azure iot c sdk to be unable to compile with openssl 1.1.1. (Cross-compile application with openssl 1.0.2 fails in openssl 1.1.1 environment #1341)

Any plan or update on enabling openssl 1.1.1? Thanks!

fcharlie (Contributor, Author) commented Dec 12, 2019

@dilin-MS

See: #8566

Some ports have not been migrated, and the upgrade to openssl 1.1.1 is blocked.

SilviuArdelean commented Dec 14, 2019

Looking forward to seeing vcpkg based on openSSL 1.1.1+.
Incidentally, it caused me some headaches recently.
https://silviuardelean.ro/2019/12/14/openssl-vs-vcpkg-some-strange-experiences/

qis (Contributor) commented Dec 30, 2019

> I think this calls for splitting the openssl package into a 1.0.x and 1.1.x branch. The API changed considerably in 1.1.x and older applications must be updated...

Stalling this issue solved the problem of having to split it into two versioned ports. The best course of action would be to just merge it and fix the remaining problems afterwards.

Since I don't believe that there will be any major development done in the next 46 hours, which is what you have left until 1.0 is officially unsupported, you could just merge it and be done with it!

P.S.: I'm talking about #8566.

JackBoosY self-assigned this Jan 2, 2020

dhkatz (Contributor) commented Jan 6, 2020

Was going to write a port for Valve's GameNetworkingSockets but the build fails because it requires at least OpenSSL 1.1.0.

This is just going to end up causing more and more problems for upgrading and adding new ports in the future the longer OpenSSL isn't updated.

JackBoosY (Contributor) commented Jan 7, 2020

If the interface changes too much after the openssl update, I think it is better to create a new port named openssl1_1.

qis (Contributor) commented Jan 7, 2020

> If the interface changes too much after openssl update, I think it is better to create a new port name openssl1_1.

@JackBoosY I strongly disagree and urge you not to do it! This is not a simple major release!

Using OpenSSL 1.0 from now on is not only a bad choice, it's outright dangerous for both the developer and their customers. Leaving it as the default and requiring the user to tag 1_1 will result in tragedy (lost money, lost reputation, lawsuits, etc.).

Look at Linux distros: they didn't add OpenSSL 1.1; they replaced OpenSSL and added OpenSSL 1.0:

```
openssl/bionic-updates,bionic-security,now 1.1.1-1ubuntu2.1~18.04.4 amd64 [installed,automatic]
  Secure Sockets Layer toolkit - cryptographic utility

openssl1.0/bionic-updates,bionic-security 1.0.2n-1ubuntu5.3 amd64
  Secure Sockets Layer toolkit 1.0 - cryptographic utility
```

Using OpenSSL 1.0 is a risk now. Let the users make a conscious decision if they want to do it. I'd even suggest outright removing 1.0 and treating it like all version upgrades in vcpkg: You want the old stuff? Use an old vcpkg commit!

JackBoosY (Contributor) commented Jan 7, 2020

@qis If we completely upgrade openssl without keeping the old version, we must fix many ports that currently do NOT support openssl 1.1.
Updates for each port in vcpkg must be compatible with ports that depend on it.

So my suggestion is to add a new port first, support the new version of openssl as other ports update, and then remove the old version of openssl.

dhkatz (Contributor) commented Jan 7, 2020

But library maintainers have known for over a year that OpenSSL was ending its support for 1.0.2. 1.0.2 ended main LTS support in 2018! It was only receiving security updates in 2019.

As the main post shows, a lot more ports support 1.1.1 than don't. So many newer ports would also probably require at least 1.1.0. I don't see the point of holding back this change for a few stragglers.

jozefizso (Contributor) commented Jan 7, 2020

The package name should stay openssl.

As 1.0 is totally unsupported now, it does not make sense to build other packages against such a version.

Does somebody really compile against an outdated security library? They can check out an earlier git release and/or maintain their own local version.

PS: we must maintain a local version of openssl 1.1 because vcpkg has not been able to provide the most recent release for several months now. And this is a huge pain for us.

fcharlie (Contributor, Author) commented Jan 7, 2020

@jozefizso This is actually a common problem with package management software, and specific software packages are always difficult to upgrade in time. Actually when I use openssl, I always manually build from source.

qis (Contributor) commented Jan 7, 2020

@jozefizso I think you misunderstood dhkatz; you two argue for the same outcome.
@fcharlie We currently use the PR to build OpenSSL with vcpkg and it works quite well:

```
git clone git@github.com:microsoft/vcpkg && cd vcpkg
git remote add neumann git@github.com:neumann-a/vcpkg
git fetch neumann
git merge --strategy-option theirs neumann/libpq_with_openssl_111d
```

JackBoosY (Contributor) commented Jan 7, 2020

I hope #8566 can solve these problems completely.

MikeGitb (Contributor) commented Jan 7, 2020

Here is another vote for upgrading the openssl package. If absolutely necessary, add an openssl-1.0 package, but don't let the unsupported version stay the default.

The other way around only creates more work (first pointing compatible packages to 1.1 and then back to main), more people with insecure software configurations and less visibility of the problem.

dhkatz (Contributor) commented Jan 7, 2020

Just because I care so much, I decided to go through every single port that depended on OpenSSL in some way and check if it had support for OpenSSL > 1.1.

I wouldn't consider this an extremely thorough search, but my process was essentially:

  • Check the README for mentions of the OpenSSL version
  • Check the code for mentions of the OpenSSL version or function calls
  • Check commit and PR history for the addition of 1.1 support

Any port with a check I'm pretty sure will support 1.1; with a question mark I couldn't really tell, but nothing suggests it wouldn't work. Any port with an X, I believe, may not work due to the age of the library and its use of OpenSSL.

Please note that this isn't suggesting the current versions of all ports with checks will work with OpenSSL; I'm sure many require updates, but there are at least newer versions that DO support OpenSSL 1.1.

| Port | OpenSSL 1.1 support | Port updated (supports 1.1+) |
| --- | --- | --- |
| ace | ✔️ | ✔️ |
| amqpcpp | ✔️ | ✔️ |
| apr-util | ✔️ | |
| aws-sdk-cpp | ✔️ | ✔️ |
| azure-c-shared-utility | ✔️ | ✔️ |
| boost-asio | ✔️ | ✔️ |
| caf | ✔️ | ✔️ |
| cppcms | ✔️ | |
| cppfs | | |
| cpprestsdk | ✔️ | ✔️ |
| curl | ✔️ | ✔️ |
| evpp | | |
| fastrtps | ✔️ | |
| ffmpeg | ✔️ | |
| fizz | ✔️ | |
| fmi4cpp | ✔️ | |
| folly | ✔️ | |
| freerdp | ✔️ | |
| freetds | ✔️ | |
| grpc | ✔️ | |
| hiredis | | |
| ixwebsocket | ✔️ | |
| libarchive | ✔️ | |
| libevent | ✔️ | |
| libgit2 | ✔️ | |
| libimobiledevice | | |
| libmysql | ✔️ | |
| libnice | | |
| libpq | ✔️ | |
| librabbitmq | ✔️ | |
| librdkafka | ✔️ | |
| librtmp | | |
| libsrt | ✔️ | |
| libssh | ✔️ | |
| libssh2 | ✔️ | |
| libtorrent | ✔️ | |
| libu2f-server | ✔️ | |
| libwebsockets | ✔️ | |
| libzip | ✔️ | |
| live555 | | |
| mongo-c-driver | ✔️ | |
| mongoose | ✔️ | |
| mosquitto | ✔️ | |
| msix | | |
| nmap | ✔️ | |
| opendnp3 | ✔️ | |
| openscap | | |
| opusfile | ✔️ | |
| paho-mqtt | ✔️ | |
| paho-mqttpp3 | | |
| podofo | ✔️ | |
| ppconsul | ✔️ | |
| proxygen | ✔️ | |
| python3 | ✔️ | ✔️ |
| qpid-proton | ✔️ | |
| qt5-base | ✔️ | |
| quickfix | ✔️ | |
| restbed | ✔️ | |
| signalrclient | | |
| slikenet | | |
| thrift | ✔️ | |
| wampcc | ✔️ | |
| wangle | ✔️ | |
| websocketpp | ✔️ | |
| wt | ✔️ | ✔️ |
| xeus | ✔️ | ✔️ |
| xmlsec | ✔️ | ✔️ |
| yara | ✔️ | ✔️ |
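
The manual audit dhkatz describes above (grep each port's code for OpenSSL version mentions and function calls) can be partly mechanised. The following is an added example, not vcpkg's tooling and not dhkatz's script: it scans C/C++ sources for a small, hand-picked set of patterns that break against OpenSSL 1.1.0 and later, namely stack-allocating the now-opaque EVP_MD_CTX, EVP_CIPHER_CTX and HMAC_CTX structs, calling the removed HMAC_CTX_init and HMAC_CTX_cleanup, and reaching into EVP_PKEY or X509 internals through `->pkey.rsa` or `->cert_info`. The rule names, the rule selection and the sample source are my own constructions; a hit is a lead for a manual check, not a verdict.

```python
"""Heuristic scan of C/C++ sources for OpenSSL 1.0-only usage.

Added example for this thread, not vcpkg tooling. The patterns are a small,
hand-picked subset of the OpenSSL 1.1.0 breaking changes; extend RULES for
the APIs a given port relies on.
"""
import re
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# Structs that became opaque in 1.1.0: their size is no longer visible to
# callers, so `EVP_MD_CTX ctx;` stops compiling; only pointers are allowed.
OPAQUE_TYPES = r"(?:EVP_MD_CTX|EVP_CIPHER_CTX|HMAC_CTX)"

RULES = [
    # Functions removed in 1.1.0 (replaced by HMAC_CTX_new/HMAC_CTX_free).
    ("removed-function", re.compile(r"\bHMAC_CTX_(?:init|cleanup)\s*\(")),
    # `HMAC_CTX ctx;`, `EVP_MD_CTX md = ...`, `EVP_CIPHER_CTX arr[2]`.
    ("stack-allocated-opaque-struct",
     re.compile(rf"\b{OPAQUE_TYPES}\s+[A-Za-z_]\w*\s*(?:;|=|\[)")),
    # Reaching into the EVP_PKEY union or X509 internals directly.
    ("direct-member-access",
     re.compile(r"->\s*(?:pkey\.(?:rsa|dsa|dh|ec)|cert_info)\b")),
]

SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".hxx"}


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per (line, rule) match; trailing // comments are ignored."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]
        for rule, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Scan every C/C++ source file below root (e.g. an unpacked port)."""
    out: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES:
            out.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return out


# Constructed sample standing in for a port's source file (not real port code).
SAMPLE = """\
#include <openssl/hmac.h>
static int legacy_mac(const unsigned char *key, size_t klen) {
    HMAC_CTX ctx;                      /* opaque in 1.1.0 */
    HMAC_CTX_init(&ctx);               /* removed in 1.1.0 */
    // HMAC_CTX_cleanup(&ctx);         commented out, must not count
    return 0;
}
static int modern_mac(void) {
    HMAC_CTX *ctx = HMAC_CTX_new();    /* 1.1.0 style, fine */
    HMAC_CTX_free(ctx);
    return 0;
}
static void inspect(EVP_PKEY *pkey) {
    RSA *rsa = pkey->pkey.rsa;         /* EVP_PKEY is opaque in 1.1.0 */
    (void)rsa;
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.c"):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.text}")
```

Run against a port's extracted sources with `scan_tree(Path("buildtrees/<port>/src"))`; the sample above reports lines 3, 4 and 14 and ignores the commented-out call and the pointer-based 1.1.0 idiom.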

JackBoosY (Contributor) commented Jan 8, 2020

@dhkatz So, at least we need to support openssl 1.1.

dhkatz (Contributor) commented Jan 8, 2020

@JackBoosY As was mentioned in the original post, OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0. Any library that has added support for at least 1.1.0 will also support 1.1.1.
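
To make the "API and ABI compliant" point from the original post and the comment above concrete, here is an added example (not vcpkg's or OpenSSL's own tooling) that decodes the 0xMNNFFPPS layout of OpenSSL 1.x's OPENSSL_VERSION_NUMBER, converts to and from the human-readable form a portfile carries ("1.1.1d"), and encodes the policy argued for in this thread: refuse anything older than the 1.1.0 line and treat releases that share major.minor as the same ABI line. The function names and the MIN_SUPPORTED threshold are my own choices.

```python
"""Decode, encode and compare OpenSSL 1.x version numbers.

OPENSSL_VERSION_NUMBER in OpenSSL 1.x is laid out as 0xMNNFFPPS:
  M  = major (4 bits)      NN = minor (8 bits)     FF = fix (8 bits)
  PP = patch letter (8 bits: 0 = none, 1 = 'a', 2 = 'b', ...)
  S  = status (4 bits: 0x0 = dev, 0x1..0xe = beta N, 0xf = release)
Added example for this thread; not vcpkg or OpenSSL code.
"""
import re
from typing import NamedTuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int   # 0 = no letter, 1 = 'a', 2 = 'b', ...
    status: int  # 0 = dev, 1..14 = beta, 15 = release

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}.{self.fix}"
        if self.patch:
            text += chr(ord("a") + self.patch - 1)
        if self.status == 0:
            text += "-dev"
        elif self.status < 0xF:
            text += f"-beta{self.status}"
        return text


def decode_version_number(number: int) -> OpenSSLVersion:
    """Split a 0xMNNFFPPS constant into its fields."""
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit OPENSSL_VERSION_NUMBER: {number:#x}")
    return OpenSSLVersion(
        major=(number >> 28) & 0xF,
        minor=(number >> 20) & 0xFF,
        fix=(number >> 12) & 0xFF,
        patch=(number >> 4) & 0xFF,
        status=number & 0xF,
    )


def encode_version_number(v: OpenSSLVersion) -> int:
    """Inverse of decode_version_number."""
    return (v.major << 28) | (v.minor << 20) | (v.fix << 12) | (v.patch << 4) | v.status


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(dev|beta(\d+)))?$")


def parse_version_string(text: str) -> OpenSSLVersion:
    """Parse the human form, e.g. '1.0.2s', '1.1.1d', '1.1.1-beta2'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter, tag, beta = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    if tag is None:
        status = 0xF
    elif tag == "dev":
        status = 0
    else:
        status = int(beta)
        if not 1 <= status <= 0xE:
            raise ValueError("beta number must be in 1..14")
    return OpenSSLVersion(int(major), int(minor), int(fix), patch, status)


# Policy threshold chosen for this example: 1.0.2 is end-of-life after
# 2019-12-31, so the oldest acceptable API line is 1.1.0.
MIN_SUPPORTED = parse_version_string("1.1.0")


def is_supported_release(number: int) -> bool:
    """True for a release build in a still-supported API line (>= 1.1.0)."""
    v = decode_version_number(number)
    return v.status == 0xF and (v.major, v.minor) >= (MIN_SUPPORTED.major, MIN_SUPPORTED.minor)


def abi_compatible(a: int, b: int) -> bool:
    """Releases that share major.minor (1.1.0 and 1.1.1d) are one API/ABI line."""
    va, vb = decode_version_number(a), decode_version_number(b)
    return (va.major, va.minor) == (vb.major, vb.minor)


if __name__ == "__main__":
    for n in (0x1000213F, 0x1010104F):
        print(f"{n:#010x} -> {decode_version_number(n)} supported={is_supported_release(n)}")
```

The same gate at compile time is the usual one-liner in a port's C sources, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` followed by `#error`, which fails the build early instead of surfacing the mismatch as missing symbols at link time, the failure mode zhulika described earlier in this thread.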

JunielKatarn commented Jan 10, 2020

@fcharlie Does your port to 1.1.1d build successfully?

fcharlie (Contributor, Author) commented Jan 10, 2020

@JunielKatarn I have closed it because there is a better one: #8566

JackBoosY (Contributor) commented Jan 14, 2020

OpenSSL has been updated in #8566; thank you for your contribution. Can I close this PR now?

fcharlie (Contributor, Author) commented Jan 14, 2020

@JackBoosY I'm closing this issue now.

fcharlie closed this Jan 14, 2020