We've just made a similar move for hpnssh. We won't support anything
older than OSSL 1.1.1g. We've also dropped support for LibreSSL as a
whole until they implement EVP_CIPHER_meth_new(). We can't provide our
full feature set without it and I don't want to ship less functional
versions.
So I'm all in favor of this move.
Chris
On 2/16/23 11:17 PM, Damien Miller wrote:
Hi,
We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
not support old versions at all.
I'd like to retire this config code, which would mean that users on
platforms that include the versions of libcrypto would have to either
bring their own libcrypto or compile OpenSSH --without-openssl (and
accept the very limited crypto algorithm selection in the resulting
build).
AFAIK most supported mainstream OSs have long since moved on from
these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
(in some commercial limited extended support mode) and Ubuntu 14.04
(supported until 2024/04).
IMO almost nobody will be upgrading OpenSSH on these systems, and
(also IMO) they aren't worth the cost of maintaining the
compatibility code.
Before I go ahead and delete it, does anyone have opinions to the
contrary?
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
