Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0
Chris Rapier
rapier at psc.edu
Tue Feb 21 03:32:58 AEDT 2023
We've just made a similar move for hpnssh. We won't support anything
older than OSSL 1.1.1g. We've also dropped support for LibreSSL as a
whole until they implement EVP_CIPHER_meth_new(). We can't provide our
full feature set without it and I don't want to ship less functional
versions.
So I'm all in favor of this move.
Chris
On 2/16/23 11:17 PM, Damien Miller wrote:
> Hi,
>
> We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
> OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
> not support old versions at all.
>
> I'd like to retire this config code, which would mean that users on
> platforms that include the versions of libcrypto would have to either
> bring their own libcrypto or compile OpenSSH --without-openssl (and
> accept the very limited crypto algorithm selection in the resulting
> build).
>
> AFAIK most supported mainstream OSs have long since moved on from
> these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
> (in some commercial limited extended support mode) and Ubuntu 14.04
> (supported until 2024/04).
>
> IMO almost nobody will be upgrading OpenSSH on these systems, and
> (also IMO) they aren't worth the cost of maintaining the
> compatibility code.
>
> Before I go ahead and delete it, does anyone have opinions to the
> contrary?
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list