Re: openssl 3.0 when

Tue, 02 Nov 2021 04:03:27 -0700 


> Am 02.11.2021 um 11:56 schrieb Ruediger Pluem <rpl...@apache.org>:
> 
> 
> 
> On 11/2/21 10:31 AM, Joe Orton wrote:
>> On Tue, Nov 02, 2021 at 09:23:32AM +0100, ste...@eissing.org wrote:
>>> 
>>>> Am 01.11.2021 um 15:24 schrieb Joe Orton <jor...@redhat.com>:
>>>> 
>>>> On Sun, Oct 31, 2021 at 01:35:09PM +0100, ste...@eissing.org wrote:
>>>>> I would like us to come to an understanding what our roadmap in
>>>>> regard to OpenSSL 3.0 is. People keep on asking about it.
>>>>> 
>>>>> Yesterday, I spent some hours hacking at mod_ssl and mod_md to
>>>>> get it running. I managed to compile it, but it was not working
>>>>> reliably. Maybe I took some wrong turns somewhere. My observations
>>>>> below.
>>>> 
>>>> What are you talking about exactly here?  trunk should compile and run 
>>>> fine already with 3.0 except if you build OpenSSL without deprecated 
>>>> functions which AFAIK nobody sane will do, or at least, no sane 
>>>> distributor will do, because the world is not ready.
>>> 
>>> I was trying to make it work without deprecated functions. Sorry,
>>> to have not been more clear. If we regard 3.0 conformance including
>>> those, then this is a non-issue, aside from actually testing that
>>> it still works.
>> 
>> IMO at least it's a non-issue in the "short"-ish term. Other opinions 
>> are available ;)
>> 
>> Maybe a good transition plan would be to drop use of the deprecated 
>> functions at the same time we drop support for versions < 3.0, to ease 
>> the pain of having to support both?  Upstream say they will support 
> 
> +1
> 
>> 1.1.1 until the late 2023, since OS vendors will support it beyond that 
>> I'd expect there's consensus here to support it for longer.  Thoughts?
> 
> I think we should keep supporting 1.1.1 for longer as at least RedHat 8 and 
> Ubuntu 20 ship with it.
> Using a different OpenSSL lib, than the OS provided one becomes a real pain 
> once you want to use
> further OS packages for modules that in turn use the system provided OpenSSL 
> library.
> There are even still supported LTS distributions out there which still use 
> 1.0.2.

+1

Do we have a common way to build against openssl 3.0 without the deprecations 
being errors? Just want to be sure we all use the same.

Cheers,
Stefan





















					Reply via email to