Re: Dropping support for OpenSSL <1.1.1, LibreSSL <3.1.0

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


We've just made a similar move for hpnssh. We won't support anything older than OSSL 1.1.1g. We've also dropped support for LibreSSL as a whole until they implement EVP_CIPHER_meth_new(). We can't provide our full feature set without it and I don't want to ship less functional versions.

So I'm all in favor of this move.


On 2/16/23 11:17 PM, Damien Miller wrote:

We carry some compat code for old OpenSSL <1.1.1 and LibreSSL <3.1.0.
OpenSSL 1.0.x is no longer supported upstream and AFAIK LibreSSL do
not support old versions at all.

I'd like to retire this config code, which would mean that users on
platforms that include the versions of libcrypto would have to either
bring their own libcrypto or compile OpenSSH --without-openssl (and
accept the very limited crypto algorithm selection in the resulting

AFAIK most supported mainstream OSs have long since moved on from
these versions. The only OSs that seem to use OpenSSL 1.0.x are RHEL7
(in some commercial limited extended support mode) and Ubuntu 14.04
(supported until 2024/04).

IMO almost nobody will be upgrading OpenSSH on these systems, and
(also IMO) they aren't worth the cost of maintaining the
compatibility code.

Before I go ahead and delete it, does anyone have opinions to the

openssh-unix-dev mailing list
openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux