Release for OpenSSL 3.0.0?

[limburgher]

I see that #1777 is complete, but it doesn't cleanly apply to 3.00 due to the new submodule. Is there an ETA for a release with that change?

[mikedld]

There's no ETA for a release.

I would assume it's not a blocker for you to upgrade to OpenSSL v3 though, API-wise Transmission should be compatible (despite a few deprecation warnings for DH functions) and just work, it's just that RC4 algorithm got moved to a separate provider that's not enabled by default.

According to https://www.openssl.org/docs/man3.0/man7/migration_guide.html,

Legacy Algorithms

These legacy EVP algorithms are still available in OpenSSL 3.0 but not by default. If you want to use them then you must load the legacy provider. This can be as simple as a config file change, or can be done programmatically.

Then based on https://www.openssl.org/docs/manmaster/man5/config.html, I would assume that something like this is possible to configure (not tested):

openssl_conf = openssl_init

[openssl_init]
providers = providers

[providers]
default = default_provider
legacy = legacy_provider

# https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-default.html
[default_provider]
activate = 1

# https://www.openssl.org/docs/manmaster/man7/OSSL_PROVIDER-legacy.html
[legacy_provider]
activate = 1

[limburgher]

I believe those are system-wide changes, and I don't think the package maintainers are interested in enabling the legacy provider system-wide by default. Is there a flag or environment variable that would work?

[mikedld]

The fact that they're now considered legacy doesn't affect the programs unless those algorithms are in fact used. IMHO it doesn't make the system any less secure compared to using OpenSSL 1.1 and not upgrading to 3.0.

There's no "flag or environment variable" that affects Transmission in particular. There're, however, environment variables that affect OpenSSL (described there in https://www.openssl.org/docs/manmaster/man5/config.html#ENVIRONMENT) that you can set to e.g. use a different configuration file for a particular process (OPENSSL_CONF, OPENSSL_CONF_INCLUDE), or potentially branch out within a single configuration file (by using $ENV::name).

[Tockman]

That's fine but what to do us, who use macOS version of Transmission on Monterey and suffer problems connecting to some SSL trackers (infamous "could not connect to tracker" error)? I highly appreciate any treat, patch or configuration change before migrating from Transmission (which's the last I'd want to do).

[ckerr]

There are several other "new release" discussion threads, so I'm locking this one.