
OpenSSL 1.0.0 Deprecated
Closed, Invalid (Public)

Description

Looks like we're still using this.

"Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates."

There was a slew of security fixes just in the past few weeks. It sounds like 1.1.0d is the latest as of this report. See openssl.org

Event Timeline

JoshStrobl closed this task as Invalid. Edited Feb 9 2017, 10:04 AM
JoshStrobl added a subscriber: JoshStrobl.

Okay that's great and all, but we're on 1.0.2 series, which is supported, it is their LTS. https://www.openssl.org/policies/releasestrat.html

Expanding on this - we're on 1.0.2 and it's supported until 2019. The 1.1.x branch represents a massive ABI break so we currently have no intention of chasing it. Notice we're on 1.0.2k which has many security fixes.

Wait a second... then why do we have libssl.so.1.0.0 instead of libssl.so.1.0.2?

Because that's how the ABI is defined. Look at ldd /usr/bin/curl:

	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f47a23f7000)

If the soname changes they break the ABI completely. Look at eopkg info openssl:

Name                : openssl, version: 1.0.2k, release: 28

Thanks for the clarification, and I'm pleased to see that you're actively monitoring OpenSSL security alerts. You might want to mention this issue in the docs, especially if it applies to other libs as well. Seriously, no one would think that libxyz.4.3 means version 5.1. I guess we need to disregard the name and use "eopkg info xyz" instead.

It's not an issue - it's how ABI works. This is the 1.0.0 ABI. No sense documenting it. :)
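The point of the thread, that a soname such as libssl.so.1.0.0 names the ABI series while the actual release (1.0.2k) is only visible from the package or from the version banner OpenSSL embeds in its libraries, can be checked with a small audit. This is an added example, not code from the Solus project; the sample library bytes are constructed, the banner format is the one OpenSSL embeds ("OpenSSL 1.0.2k  26 Jan 2017"), and the support-end dates are the ones quoted in the thread.

```python
import re
from datetime import date

# Support-end dates as stated in the thread (1.0.2 supported until end of 2019).
EOL = {
    "0.9.8": date(2015, 12, 31),
    "1.0.0": date(2015, 12, 31),
    "1.0.1": date(2016, 12, 31),
    "1.0.2": date(2019, 12, 31),
}

# OpenSSL builds embed a banner like "OpenSSL 1.0.2k  26 Jan 2017" in libcrypto.
# The soname (libssl.so.1.0.0) only encodes the ABI series, never this release.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def release_from_blob(blob: bytes):
    """Return (series, patch_letter) from the embedded banner, or None."""
    m = BANNER.search(blob)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()


def series_from_soname(soname: str) -> str:
    """'libssl.so.1.0.0' -> '1.0.0': the ABI series, not the installed release."""
    return soname.rsplit(".so.", 1)[1]


def support_status(series: str, today_iso: str) -> str:
    end = EOL.get(series)
    if end is None:
        return "unknown"
    return "supported" if date.fromisoformat(today_iso) <= end else "end-of-life"


def audit(soname: str, blob: bytes, today_iso: str) -> dict:
    """Pair the soname's ABI series with the real release found in the library."""
    abi = series_from_soname(soname)
    rel = release_from_blob(blob)
    if rel is None:
        return {"abi_series": abi, "release": None, "status": "unknown"}
    series, letter = rel
    return {"abi_series": abi, "release": series + letter,
            "status": support_status(series, today_iso)}


# Constructed stand-in for bytes read from /usr/lib/libcrypto.so.1.0.0.
SAMPLE_LIB = b"\x7fELF\x00junk...OpenSSL 1.0.2k  26 Jan 2017\x00more junk"

if __name__ == "__main__":
    print(audit("libssl.so.1.0.0", SAMPLE_LIB, "2017-02-09"))
```

Run against a real file by passing `open("/usr/lib/libcrypto.so.1.0.0", "rb").read()` in place of SAMPLE_LIB; the result shows the 1.0.0 ABI series beside the 1.0.2k release, which is the distinction the thread makes.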