Mailing List Archive

Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0
Hi,

We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
not support old versions at all.

I'd like to retire this config code, which would mean that users on
platforms that include the versions of libcrypto would have to either
bring their own libcrypto or compile OpenSSH --without-openssl (and
accept the very limited crypto algorithm selection in the resulting
build).

AFAIK most supported mainstream OSs have long since moved on from
these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
(in some commercial limited extended support mode) and Ubuntu 14.04
(supported until 2024/04).

IMO almost nobody will be upgrading OpenSSH on these systems, and
(also IMO) they aren't worth the cost of maintaining the
compatibility code.

Before I go ahead and delete it, does anyone have opinions to the
contrary?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0
On Fri, Feb 17, 2023 at 03:17:58PM +1100, Damien Miller wrote:
> Hi,
>
> We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
> OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
> not support old versions at all.
>
> I'd like to retire this config code, which would mean that users on
> platforms that include the versions of libcrypto would have to either
> bring their own libcrypto or compile OpenSSH --without-openssl (and
> accept the very limited crypto algorithm selection in the resulting
> build).
>
> AFAIK most supported mainstream OSs have long since moved on from
> these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
> (in some commercial limited extended support mode) and Ubuntu 14.04
> (supported until 2024/04).
>
> IMO almost nobody will be upgrading OpenSSH on these systems, and
> (also IMO) they aren't worth the cost of maintaining the
> compatibility code.
>
> Before I go ahead and delete it, does anyone have opinions to the
> contrary?
>

Good idea!

> -d

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Rather than confront their ways and turn from folly they seek lies to cover themselves, and so all their work will be destroyed. -unknown Beware https://mindspring.com
Re: Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0
We've just made a similar move for hpnssh. We won't support anything
older than OSSL 1.1.1g. We've also dropped support for LibreSSL as a
whole until they implement EVP_CIPHER_meth_new(). We can't provide our
full feature set without it and I don't want to ship less functional
versions.

So I'm all in favor of this move.

Chris
