openresty / openresty

High Performance Web Platform Based on Nginx and LuaJIT

Home Page: https://openresty.org

It's time to upgrade openssl to version 3.0.x!

goodve opened this issue · comments

It is well known that OpenSSL version 1.x has reached end of life.
In the meantime, nginx has been actively upgraded to OpenSSL 3.0.x.

Any timelines for this, please? This is becoming a blocker.

All older versions (including 1.1.0, 1.0.2, 1.0.0 and 0.9.8) are now out of support and should not be used. Users of these older versions are encouraged to upgrade to 3.1 or 3.0 as soon as possible. Extended support for 1.1.1 and 1.0.2 to gain access to security fixes for that version is available.

Refer to https://www.openssl.org/source/

Well, the extended support from OpenSSL is hardly practical since we / others use the OpenResty binary directly, since custom Lua builds are heavily discouraged according to the official documentation, due to the complexity involved.

So the OpenResty images are the only source for kosher builds containing the latest versions of OpenSSL. The later builds are also important from a compliance perspective, and it is not just a question of support.

Currently, countries around the world are paying close attention to network security. OpenSSL 1.x may be directly disabled if it fails the security baseline test, and if it cannot be upgraded. Is it possible to find a way to cheat the test, for example, just change the version number? 🤣🤣🤣🤣🤣🤣🤣

Do we know if this work is planned? Is someone working on this? Can we help in any way possible?

They promised in a previous issue to release 1.25.x before the end of the year.

Can you please share a reference to this promise, so that I can check in on it whenever I need to get tensed up in my free time?

#905 (comment)

@zhuizhuhaomeng Can you please comment if OpenSSL 3 upgrade is going to be part of Nginx 1.25.x upgrade?

At least, there are two things to do:

1. Port openssl-1.1.1f-sess_set_get_cb_yield.patch to OpenSSL 3.x.
2. Test the performance of OpenSSL 3.x to make sure there is not much regression.

If anyone can submit a PR, it would be appreciated!