Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openssl_1_1 mark as insecure/remove before 23.05 branchoff #210452

Closed
ajs124 opened this issue Jan 12, 2023 · 26 comments · Fixed by #210463 or #232521
Closed

openssl_1_1 mark as insecure/remove before 23.05 branchoff #210452

ajs124 opened this issue Jan 12, 2023 · 26 comments · Fixed by #210463 or #232521
Labels
0.kind: bug Something is broken

Comments

@ajs124
Copy link
Member

ajs124 commented Jan 12, 2023

OpenSSL 1.1.1 (we call it openssl_1_1) will reach end of life on 11 Sep 2023.

This means we should either mark it insecure or ideally completely remove it before the 23.11 release.

The default was already switched in #150093, so most thing should use openssl_3 now.
For applications that support the OpenSSL 3 API, but need old and broken cryptography, there's also openssl_legacy, which will be supported, because it's just openssl_3 but with the legacy crypto provider enabled.

This is a tracking issue to reference and coordinate this work.

cc @NickCao
@ajs124 ajs124 added the 0.kind: bug Something is broken label Jan 12, 2023
@ajs124

This comment was marked as outdated.

Sign in to view
@ajs124 ajs124 mentioned this issue Jan 13, 2023
Merged
13 tasks
@NickCao

This comment was marked as outdated.

Sign in to view
@ajs124
Copy link
Member Author

ajs124 commented Jan 13, 2023

Apparently this https://github.com/loqs/PACKAGES-OSSL3 exists, which might come in handy

@ajs124 ajs124 mentioned this issue Jan 13, 2023
Merged
13 tasks
@0x4A6F 0x4A6F mentioned this issue Jan 13, 2023
Merged
13 tasks
@tazjin tazjin mentioned this issue Jan 13, 2023
Merged
13 tasks
NickCao pushed a commit that referenced this issue Jan 13, 2023
@tazjin
journaldriver: 1.1.0 -> 5656.0.0; new upstream
bdfee7b 
This includes the following upstream changes:

* tvl/cl/7818: bump of all Rust dependency versions
* tvl/cl/7819: bump of version number to current revision

Prompted by #210452
@ajs124 ajs124 changed the title openssl_1_1 mark as insecure/remove openssl_1_1 mark as insecure/remove before 23.11 branchoff Jan 14, 2023
@ajs124 ajs124 reopened this Jan 14, 2023
This was referenced Jan 16, 2023
Merged
Merged
Closed
@NickCao NickCao mentioned this issue Jan 17, 2023
Closed
12 tasks
@NickCao
Copy link
Member

NickCao commented Jan 18, 2023
edited by ajs124
Loading

@ajs124 ajs124 mentioned this issue Jan 22, 2023
Merged
13 tasks
@NickCao
Copy link
Member

NickCao commented Jan 25, 2023
edited by ajs124
Loading

adamcstephens pushed a commit to adamcstephens/nixpkgs that referenced this issue Jan 25, 2023
@tazjin @adamcstephens
journaldriver: 1.1.0 -> 5656.0.0; new upstream
758c3cb 
This includes the following upstream changes:

* tvl/cl/7818: bump of all Rust dependency versions
* tvl/cl/7819: bump of version number to current revision

Prompted by NixOS#210452
@ajs124 ajs124 mentioned this issue Feb 1, 2023
Merged
13 tasks
@NickCao NickCao mentioned this issue Feb 3, 2023
Merged
13 tasks
NickCao added a commit to NickCao/nixpkgs that referenced this issue Feb 4, 2023
@NickCao
yarn2nix-moretea-openssl_1_1: drop
b0ffb11 
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: NixOS#210452
NickCao added a commit to NickCao/nixpkgs that referenced this issue Feb 4, 2023
@NickCao
nodejs-16_x-openssl_1_1: drop
6a08edd 
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: NixOS#210452
winterqt pushed a commit that referenced this issue Feb 4, 2023
@NickCao @winterqt
yarn2nix-moretea-openssl_1_1: drop
0ca39c3 
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: #210452
@ajs124 ajs124 mentioned this issue Feb 17, 2023
Merged
13 tasks
@mdarocha
Copy link
Contributor

mdarocha commented Feb 18, 2023
edited
Loading

Related: #214843, which is blocked by removal of .NET 3.1 (#202572)

@cyntheticfox
Copy link
Contributor

Not sure if I'm just doing this wrong, but openssl_legacy, as-written in top-level, performs an override on openssl to apply the patch. As such setting for ~/.config/nixpkgs/config.nix,

{
  packageOverrides = pkgs: rec {
    openssl = pkgs.openssl_legacy;
  };
}

fails due to infinite recursion. Should we instead have openssl_legacy as a package definition output to enable this use case, or am I approaching this in the wrong manner (should I be trying to overlay, define my own, write some kind of legacyOpenSSL option into the Nixpkgs config system)?

@ajs124
Copy link
Member Author

ajs124 commented Mar 14, 2023

This should work with an overlay, I think. Are you sure you want to enable the legacy provider for everything that you're building though?

tm-drtina pushed a commit to awakesecurity/nixpkgs that referenced this issue Feb 27, 2024
@mweinelt @tm-drtina
openssl_1_1: mark end-of-life
3037d63 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Closes: NixOS#210452
tm-drtina pushed a commit to awakesecurity/nixpkgs that referenced this issue Apr 8, 2024
@mweinelt @tm-drtina
openssl_1_1: mark end-of-life
646f6aa 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Closes: NixOS#210452
tm-drtina pushed a commit to awakesecurity/nixpkgs that referenced this issue May 16, 2024
@mweinelt @tm-drtina
openssl_1_1: mark end-of-life
d9c449b 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Closes: NixOS#210452
tm-drtina pushed a commit to awakesecurity/nixpkgs that referenced this issue Jun 7, 2024
@mweinelt @tm-drtina
openssl_1_1: mark end-of-life
ee96540 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Closes: NixOS#210452
tm-drtina pushed a commit to awakesecurity/nixpkgs that referenced this issue Jul 3, 2024
@mweinelt @tm-drtina
openssl_1_1: mark end-of-life
a0067cc 
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

Closes: NixOS#210452
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug Something is broken
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

eidolon: openssl_1_1 -> openssl_3 0x4A6F/nixpkgs
openssl_1_1: mark end-of-life mweinelt/nixpkgs