Opened 13 months ago

Last modified 5 months ago

#31820 needs_revision task

Drop support for OpenSSL < 1.1.1

Reported by: nickm
Owned by: nickm
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: 043-deferred, 044-deferred
Cc:
Actual Points: .3
Parent ID:
Points: .2
Reviewer: teor
Sponsor:

Description

As of 1 January 2020, there will be no supported OpenSSL version earlier than version 1.1.1. (See https://www.openssl.org/policies/releasestrat.html)

We can clean up our code by dropping backward-compatibility support for earlier versions.

As we do this, we should test with supported versions of LibreSSL as well, since we try to support that too.

Child Tickets

Ticket | Status | Owner | Summary | Component
#32773 | new | | Remove Jenkins tor master jobs which don't have OpenSSL 1.1.1 | Core Tor/Tor
#32820 | closed | teor | Move the chutney pypy jobs to 0.4.2 xenial | Core Tor/Chutney

Change History (18)

comment:1 Changed 11 months ago by nickm

Owner: set to nickm
Status: new → accepted

comment:2 Changed 11 months ago by nickm

(If I am reading the openbsd people right, the oldest supported version of libressl is 2.9.x, since that's what was released in 6.5, and only the two most recent openbsd releases are supported.)

comment:3 Changed 11 months ago by nickm

Points: .2
Status: accepted → needs_review

Branch is ticket31820 with PR at https://github.com/torproject/tor/pull/1556 .

 17 files changed, 58 insertions(+), 801 deletions(-)

I tested with OpenSSL, LibreSSL, and NSS.

I didn't remove the OPENSSL_OPAQUE unit tests with this patch, since I want to look at them more closely and see if any can be saved.

comment:4 Changed 11 months ago by nickm

Interestingly, it appears that two of our builders are failing because of soon-to-be-obsolete openssl versions. We'll need to make a decision about them before we merge.

comment:5 Changed 11 months ago by dgoulet

Reviewer: teor

comment:6 in reply to: 4 Changed 11 months ago by teor

Status: needs_review → needs_revision

Replying to nickm:

Interestingly, it appears that two of our builders are failing because of soon-to-be-obsolete openssl versions. We'll need to make a decision about them before we merge.

Homebrew needs to be configured to use "openssl@1.1" in .travis.yml.

chutney is a bit more problematic. We can either:

  • patch chutney/tor/Travis to fix #32240, and stop running chutney on Ubuntu trusty
    • I think CHUTNEY_NET_DIR=TRAVIS_BUILD_... would be a good first step?
  • add OpenSSL 1.1 from trusty-backports to our Travis trusty config
    • trusty-backports isn't supported by ubuntu any more, so this should be a last resort

I'll also do a review on the pull request.

comment:7 Changed 11 months ago by teor

Seems good, I added some comments on the PR.

It also looks like you missed an OPENSSL_V_SERIES(1,1,0) in the unit tests.

comment:8 Changed 11 months ago by nickm

Status: needs_revision → needs_review

I've fixed the issues on the review and pushed a new version of the branch.

The usage of OPENSSL_V_SERIES(1,1,0) in the tests is intentional: I've added a comment about it, and I've opened #32688 for repairing the API.

We _probably_ shouldn't merge this till we have the CI fix worked out, though.

comment:9 Changed 11 months ago by teor

Status: needs_review → needs_revision

This looks good, but we need to fix #32240 before merging.

I don't know what status we should use for "Merge ready, but blocked on another ticket".

comment:10 Changed 11 months ago by teor

Actual Points: .3
Status: needs_revision → merge_ready

This ticket can merge after #32240 merges to tor, and #32630 merges to chutney.

comment:11 Changed 11 months ago by teor

These jenkins master builds will fail after this ticket merges:

  • jessie: OpenSSL 1.0.1t
  • stretch: OpenSSL 1.1.0
  • xenial: OpenSSL 1.0.2g
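An added illustration (not Tor's code and not its OPENSSL_V_SERIES macro) of the version gate this ticket implies: OpenSSL 1.1.1 as the floor from the description, LibreSSL 2.9 as the floor from comment 2, and the builder versions from comment 11 as inputs. The encoding helper and the function names are assumptions; the caveat it shows is that LibreSSL pins OPENSSL_VERSION_NUMBER to 0x20000000L, so a naive OpenSSL-only check misclassifies it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: build a 1.x-style OPENSSL_VERSION_NUMBER (MNNFFPPS:
 * major, minor, fix, patch letter, status 0xf = release). */
static uint32_t ssl_ver(unsigned major, unsigned minor, unsigned fix, unsigned patch)
{
  return ((major & 0xfu) << 28) | ((minor & 0xffu) << 20) |
         ((fix & 0xffu) << 12) | ((patch & 0xffu) << 4) | 0xfu;
}

#define MIN_OPENSSL  0x1010100fUL  /* OpenSSL 1.1.1 */
#define MIN_LIBRESSL 0x2090000fUL  /* LibreSSL 2.9.0, from LIBRESSL_VERSION_NUMBER */

/* libressl_ver == 0 means "plain OpenSSL". LibreSSL must be judged by its own
 * number because its OPENSSL_VERSION_NUMBER is always 0x20000000L, which would
 * otherwise pass any "newer than 1.1.1" test regardless of the real version. */
static bool tls_lib_supported(uint32_t openssl_ver, uint32_t libressl_ver)
{
  if (libressl_ver != 0)
    return libressl_ver >= MIN_LIBRESSL;
  return openssl_ver >= MIN_OPENSSL;
}

/* The equivalent build-time gate, shown only if <openssl/opensslv.h> was included. */
#ifdef OPENSSL_VERSION_NUMBER
# if defined(LIBRESSL_VERSION_NUMBER)
#  if LIBRESSL_VERSION_NUMBER < MIN_LIBRESSL
#   error "LibreSSL 2.9.0 or later is required"
#  endif
# elif OPENSSL_VERSION_NUMBER < MIN_OPENSSL
#  error "OpenSSL 1.1.1 or later is required"
# endif
#endif

int main(void)
{
  /* Builder versions from comment 11: jessie 1.0.1t, stretch 1.1.0, xenial 1.0.2g. */
  printf("jessie  1.0.1t: %s\n", tls_lib_supported(ssl_ver(1,0,1,20), 0) ? "ok" : "too old");
  printf("stretch 1.1.0 : %s\n", tls_lib_supported(ssl_ver(1,1,0,0), 0)  ? "ok" : "too old");
  printf("xenial  1.0.2g: %s\n", tls_lib_supported(ssl_ver(1,0,2,7), 0)  ? "ok" : "too old");
  printf("LibreSSL 2.9.0: %s\n", tls_lib_supported(0x20000000UL, 0x2090000fUL) ? "ok" : "too old");
  return 0;
}
```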

comment:12 Changed 10 months ago by teor

Hi Nick, just checking if we need to fix the jenkins jobs (#32773 ) before we merge this ticket?

We might also need to move the chutney pypy jobs off master, because they are stuck on xenial. I'll open a child ticket.

#32630 and #32240 are merged.

comment:13 Changed 10 months ago by nickm

Hm. I'm not concerned about the jenkins issue per se, but I do want us to think longer before we have the latest versions of Tor drop support for still-supported debian versions. We like relays to keep upgrading, and stranding a bunch of relays on tor 0.3.5.x would be at least somewhat troublesome.

I don't suppose that debian/ubuntu have plans to ship openssl 1.1.1 once their current openssl versions are at end-of-life?

In any case, let's consider this in the new year.

comment:14 Changed 10 months ago by nickm

Status: merge_ready → needs_review

comment:15 in reply to: 13 Changed 10 months ago by teor

Status: needs_review → needs_revision

Replying to nickm:

Hm. I'm not concerned about the jenkins issue per se, but I do want us to think longer before we have the latest versions of Tor drop support for still-supported debian versions. We like relays to keep upgrading, and stranding a bunch of relays on tor 0.3.5.x would be at least somewhat troublesome.

I don't suppose that debian/ubuntu have plans to ship openssl 1.1.1 once their current openssl versions are at end-of-life?

stretch has a mix of OpenSSL 1.1 and 1.0 users, they're on 1.1.0 at the moment, and there are no signs that stretch will upgrade to 1.1.1:

It seems that some packages might be blocking upgrades to 1.1.1:

The FAQ seems to imply that jessie won't get OpenSSL 1.1, and there's no libssl-1.1 in jessie:

As for Ubuntu, bionic should have 1.1.1 soon, but it looks like xenial is stuck on 1.0.2g:

comment:16 Changed 9 months ago by nickm

Keywords: 043-deferred added

All 0.4.3.x tickets without 043-must, 043-should, or 043-can are about to be deferred.

comment:17 Changed 9 months ago by nickm

Milestone: Tor: 0.4.3.x-final → Tor: 0.4.4.x-final

comment:18 Changed 5 months ago by nickm

Keywords: 044-deferred added
Milestone: Tor: 0.4.4.x-final → Tor: unspecified

Bulk-remove tickets from 0.4.4. Add the 044-deferred label to them.
