
Drop support for OpenSSL < 1.1.1 #15423

Open

ysbaddaden opened this issue Feb 6, 2025 · 4 comments

Comments

@ysbaddaden
Contributor

ysbaddaden commented Feb 6, 2025

As outlined by @straight-shoota in #15419:

It appears that for older versions of libssl, every SSL client socket may mutate the context for hostname validation 😮

See last line in this excerpt:

```crystal
LibSSL.ssl_ctrl(
  @ssl,
  LibSSL::SSLCtrl::SET_TLSEXT_HOSTNAME,
  LibSSL::TLSExt::NAMETYPE_host_name,
  hostname.to_unsafe.as(Pointer(Void))
)
{% if LibSSL.has_method?(:ssl_get0_param) %}
  param = LibSSL.ssl_get0_param(@ssl)
  if ::Socket::IPAddress.valid?(hostname)
    unless LibCrypto.x509_verify_param_set1_ip_asc(param, hostname) == 1
      raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_ip_asc")
    end
  else
    unless LibCrypto.x509_verify_param_set1_host(param, hostname, 0) == 1
      raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_host")
    end
  end
{% else %}
  context.set_cert_verify_callback(hostname)
{% end %}
```

That would suggest that SSL context reuse isn't even concurrency safe when used to connect to different hostnames, when ssl_get0_param is missing (it was introduced in OpenSSL 1.0.2). That's been EOL for a long time but we still support it.

Indeed, we must consider dropping support for OpenSSL < 1.1.1.

1.0.2 reached EOL in 2019. Even Ubuntu 18.04 (EOL in 2023) had OpenSSL 1.1.1. Despite being EOL, 1.1.1 is still supported by the Ubuntu security team until 2025 (when 20.04 will reach EOL). We can look at other operating systems and distributions, but most should use 3.0.0 or newer, and at worst 1.1.1 (with backported patches).

@straight-shoota
Member

Technically, there is still premium support for 1.0.2: https://openssl-library.org/policies/releasestrat/index.html

Versions 1.1.1 and 1.0.2 are no longer supported. Extended support for 1.1.1 and 1.0.2 to gain access to security fixes for those versions is available.

But yeah, that doesn't mean we must keep it. If somebody wants to pay for Crystal premium support for outdated SSL libraries, I suppose we could reconsider though 😏💸

@ysbaddaden
Contributor Author

ysbaddaden commented Feb 6, 2025

The 1.0.2 integration ain't thread-safe either since we don't define the locking_function and threadid_func callbacks. See https://docs.openssl.org/1.0.2/man3/threads/

In 1.1.1 the library is "thread-safe" by default.

@straight-shoota
Member

I suppose we should also drop support for similar LibreSSL versions. Probably <= 3.3 (released 2020) or something like that?
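A small check a practitioner can run to see whether a host's libssl falls under the cut-offs discussed in this thread (OpenSSL below 1.1.1 in the opening comment, LibreSSL 3.3 or older in the comment above). This is an added example, not code from the Crystal project; the OpenSSL threshold comes from the issue, while treating LibreSSL 3.4.0 as the first acceptable release is an assumption that follows the "<= 3.3" suggestion. The sample version strings in the loop are constructed to look like `openssl version` output.

```shell
#!/bin/sh
# Added example (not from the Crystal project): classify the output of
# `openssl version` against the thresholds discussed in this issue.
#   OpenSSL  : supported only if >= 1.1.1 (SSL_get0_param, built-in thread safety)
#   LibreSSL : supported only if >  3.3   (cut-off proposed in the thread; assumption)
# Prints one of: supported | unsupported | unknown, and returns 0 / 1 / 2.

classify_libssl_version() {
    line=$1
    impl=${line%% *}          # first word: OpenSSL or LibreSSL
    ver=${line#* }            # drop the first word
    ver=${ver%% *}            # second word: 1.0.2u, 1.1.1w, 3.0.13, ...
    ver=${ver%%-*}            # strip a "-dev" / "-beta1" suffix if present
    # Strip the OpenSSL 1.x patch letter (1.0.2u -> 1.0.2); it does not change the API level.
    ver=$(printf '%s\n' "$ver" | sed 's/[[:alpha:]].*$//')

    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi      # "3" -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "3.4" -> patch 0

    # Every component must be a non-empty decimal number, otherwise we cannot judge it.
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 2 ;;
        esac
    done
    # Encode as major*10000 + minor*100 + patch for a single integer comparison.
    num=$((major * 10000 + minor * 100 + patch))

    case "$impl" in
        OpenSSL)  threshold=10101 ;;   # 1.1.1
        LibreSSL) threshold=30400 ;;   # 3.4.0, first release after the 3.3 series (assumption)
        *)        echo unknown; return 2 ;;
    esac

    if [ "$num" -ge "$threshold" ]; then
        echo supported
        return 0
    fi
    echo unsupported
    return 1
}

# Constructed sample inputs, shaped like `openssl version` output:
for sample in 'OpenSSL 1.0.2u  20 Dec 2019' 'OpenSSL 1.1.1w  11 Sep 2023' \
              'OpenSSL 3.0.13 30 Jan 2024' 'LibreSSL 3.3.6' 'LibreSSL 3.9.2'; do
    printf '%-30s -> %s\n' "$sample" "$(classify_libssl_version "$sample")"
done
# To check the library actually installed on this host (exit status 1 means too old):
#   classify_libssl_version "$(openssl version)"
```

The check only looks at the version banner; a distribution that backports fixes into 1.1.1 (as the opening comment notes for Ubuntu) still reports 1.1.1 and is treated as acceptable here, which matches the thread's proposed floor.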
