
openssl_1_1 mark as insecure/remove before 23.05 branchoff #210452

Closed
ajs124 opened this issue Jan 12, 2023 · 26 comments · Fixed by #210463 or #232521

Comments

@ajs124
Member

ajs124 commented Jan 12, 2023

OpenSSL 1.1.1 (we call it openssl_1_1) will reach end of life on 11 Sep 2023.

This means we should either mark it insecure or ideally completely remove it before the 23.11 release.

The default was already switched in #150093, so most things should use openssl_3 now.
For applications that support the OpenSSL 3 API, but need old and broken cryptography, there's also openssl_legacy, which will be supported, because it's just openssl_3 but with the legacy crypto provider enabled.

This is a tracking issue to reference and coordinate this work.

cc @NickCao

@ajs124 ajs124 mentioned this issue Jan 13, 2023
@ajs124
Member Author

ajs124 commented Jan 13, 2023

Apparently this https://github.com/loqs/PACKAGES-OSSL3 exists, which might come in handy.

NickCao pushed a commit that referenced this issue Jan 13, 2023
This includes the following upstream changes:

* tvl/cl/7818: bump of all Rust dependency versions
* tvl/cl/7819: bump of version number to current revision

Prompted by #210452
LostAttractor pushed a commit to LostAttractor/nixpkgs that referenced this issue Jan 14, 2023
This includes the following upstream changes:

* tvl/cl/7818: bump of all Rust dependency versions
* tvl/cl/7819: bump of version number to current revision

Prompted by NixOS#210452
@ajs124 ajs124 changed the title from "openssl_1_1 mark as insecure/remove" to "openssl_1_1 mark as insecure/remove before 23.11 branchoff" Jan 14, 2023
@ajs124 ajs124 reopened this Jan 14, 2023
@NickCao NickCao mentioned this issue Jan 17, 2023
@ajs124 ajs124 mentioned this issue Jan 22, 2023
@NickCao
Member

NickCao commented Jan 25, 2023

adamcstephens pushed a commit to adamcstephens/nixpkgs that referenced this issue Jan 25, 2023
This includes the following upstream changes:

* tvl/cl/7818: bump of all Rust dependency versions
* tvl/cl/7819: bump of version number to current revision

Prompted by NixOS#210452
@ajs124 ajs124 mentioned this issue Feb 1, 2023
NickCao added a commit to NickCao/nixpkgs that referenced this issue Feb 4, 2023
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: NixOS#210452
NickCao added a commit to NickCao/nixpkgs that referenced this issue Feb 4, 2023
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: NixOS#210452
winterqt pushed a commit that referenced this issue Feb 4, 2023
As OpenSSL 1.1.1 will reach end of life on 11 Sep 2023.
Reference: #210452
@mdarocha
Contributor

mdarocha commented Feb 18, 2023

Related: #214843, which is blocked by removal of .NET 3.1 (#202572)

@cyntheticfox
Contributor

Not sure if I'm just doing this wrong, but openssl_legacy, as written in top-level, performs an override on openssl to apply the patch. As such, setting this in ~/.config/nixpkgs/config.nix,

```nix
{
  packageOverrides = pkgs: rec {
    openssl = pkgs.openssl_legacy;
  };
}
```

fails due to infinite recursion. Should we instead have openssl_legacy as a package definition output to enable this use case, or am I approaching this in the wrong manner (should I be trying to overlay, define my own, write some kind of legacyOpenSSL option into the Nixpkgs config system)?

@ajs124
Member Author

ajs124 commented Mar 14, 2023

This should work with an overlay, I think. Are you sure you want to enable the legacy provider for everything that you're building though?
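
One way to take the overlay route without hitting the recursion, added here as an illustration and not code from this thread or from nixpkgs: since openssl_legacy is defined in terms of the final openssl, replacing openssl globally with it loops no matter whether packageOverrides or an overlay is used, so the overlay below rebuilds only the packages that actually need the legacy provider and leaves the top-level openssl untouched. The file location, the package names `examplePkgA` and `examplePkgB`, and the assumption that those packages declare an `openssl` input that `.override` can replace are all hypothetical.

```nix
# ~/.config/nixpkgs/overlays/openssl-legacy.nix  (assumed location)
#
# Global replacement, e.g.  openssl = prev.openssl_legacy;  would still
# recurse: nixpkgs defines openssl_legacy as an override of the *final*
# openssl, which is exactly the attribute such an overlay replaces.
# Scoping the legacy provider to the packages that need it avoids that,
# and also keeps everything else on the stock OpenSSL 3 provider set.
final: prev:
let
  # Hypothetical package names; each must accept an `openssl` argument.
  needsLegacy = [ "examplePkgA" "examplePkgB" ];

  # Rebuild one package against openssl_legacy. prev.openssl_legacy is
  # safe to reference here because final.openssl is not overridden.
  withLegacy = name: prev.${name}.override { openssl = prev.openssl_legacy; };
in
  prev.lib.genAttrs needsLegacy withLegacy
```

Dropping the file into ~/.config/nixpkgs/overlays/ makes nix-env and nix-shell pick it up automatically; for NixOS the same function can be added to nixpkgs.overlays in configuration.nix. Either way, only the listed packages see the legacy provider, which answers the question above about whether it should really be enabled for everything.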
