Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0

Chris Rapier rapier at psc.edu
Tue Feb 21 03:32:58 AEDT 2023


We've just made a similar move for hpnssh. We won't support anything 
older than OSSL 1.1.1g. We've also dropped support for LibreSSL as a 
whole until they implement EVP_CIPHER_meth_new(). We can't provide our 
full feature set without it and I don't want to ship less functional 
versions.

So I'm all in favor of this move.

Chris

On 2/16/23 11:17 PM, Damien Miller wrote:
> Hi,
> 
> We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
> OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
> not support old versions at all.
> 
> I'd like to retire this config code, which would mean that users on
> platforms that include the versions of libcrypto would have to either
> bring their own libcrypto or compile OpenSSH --without-openssl (and
> accept the very limited crypto algorithm selection in the resulting
> build).
> 
> AFAIK most supported mainstream OSs have long since moved on from
> these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
> (in some commercial limited extended support mode) and Ubuntu 14.04
> (supported until 2024/04).
> 
> IMO almost nobody will be upgrading OpenSSH on these systems, and
> (also IMO) they aren't worth the cost of maintaining the
> compatibility code.
> 
> Before I go ahead and delete it, does anyone have opinions to the
> contrary?
> 
> -d