Hi everyone,

I'd like to propose that we release serf 1.3.10 with OpenSSL 3 support.

All currently released versions of serf don't build or work with OpenSSL 3.
The OpenSSL 1.1.1 series will reach EOL starting from 11th September 2023 [1],
leaving OpenSSL 3 as the only supported version, so this seems to be an
urgent issue.

The current state is as follows:

- I prepared a set of nominated fixes in ^/serf/branches/1.3.x/STATUS.
- Most of them are required for OpenSSL 3 support, but there are some
  general improvements as well.
- Below you'll find a detailed list of these nominations, which I think
  should be included in the new release.
- All of these nominations are currently in a pending state, requiring
  *one more vote* to be backported.

I can RM if needed, but before that, it would be nice if someone could
provide the remaining votes for these nominations.

The shortlog of currently pending nominations:
---------------------------------------------------------

* r1712131, r1807594, r1811088, r1861036, r1909315, r1909316
  Add support for building with VS2017-VS2022, assuming a new enough scons.

* r1901040
  Fix test_ssl_handshake() failure with OpenSSL 1.1.1i+.
  Justification:
    Serf should test cleanly against upstreams.

* r1901937
  Remove the use of ERR_GET_FUNC() to allow building against OpenSSL 3.
  Justification:
    Serf should work with OpenSSL 3.

* r1902208, r1902304
  Rework BIO control handlers to support BIO_CTRL_EOF and to properly respond
  to unknown control values.
  Justification:
    - Fixes "unexpected eof while reading" errors with OpenSSL 3, also
      observed in the test suite.
    - Fixes a user-reported issue with OpenSSL 3 where serf BIOs are
      incorrectly assumed to support KTLS:
      https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253135

* r1909252, r1909385, r1909406, r1909413, r1909433
  Do not use OpenSSL functions that operate with FILE to avoid potential CRT
  version mismatches. Use BIO based functions instead.
  Justification:
    Avoids a potential source of CRT version mismatches. Removes a dependency
    on openssl/applink.c.

---------------------------------------------------------

Also, below is a list of changes that have already been backported to the
1.3.x branch and will be included in the new release.  Some of those, such
as r1805301, seem to be important enough to justify the new release as well:

* Fix error handling that can cause invalid or undefined behavior when
  reading the outgoing request's body (r1804534, r1804543, r1804553)

* Properly handle invalid chunk lengths in the dechunk bucket (r1804005,
  r1804008, r1804016)

* Fix an endless loop in the deflate bucket with truncated input (r1805301)

* Build changes to support Python 3.x (r1875933)


[1] https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/


Thanks,
Evgeny Kotkov
