
Feedback OpenSSL 1.1.1 upstream support is ending

Discussion in 'AlmaLinux 8 & Rocky Linux 8 Beta Testing' started by buik, Sep 27, 2022.

  1. buik

    buik “The best traveler is one without a camera.”

    1,969
    513
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,635
    Local Time:
    6:47 AM
    As current OpenSSL 1.1.1 upstream support is ending in about 11 months and CMM is compiling from the upstream source, I would like an option in CMM8 for PHP and Nginx to compile with OpenSSL 3.
    That would be Nginx ≥ 1.22.0/1.23.* and PHP ≥ 8.1.

     
  2. eva2000

    eva2000 Administrator Staff Member

    52,186
    11,998
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,501
    Local Time:
    2:47 PM
    Nginx 1.25.x
    MariaDB 10.x
    But wouldn't EL8/RHEL8 be supporting OpenSSL 1.1.1 system version until 2029 at least? Would probably be easiest on EL8 at least for Centmin Mod to switch from own OpenSSL 1.1.1 to EL8 system OpenSSL. Though Centmin Mod 130.00beta01 already supports OpenSSL 3.0 compilations for Nginx at least as it's needed for Centmin Mod's optional Nginx kTLS support ("Improving NGINX Performance with Kernel TLS and SSL_sendfile() - NGINX") :)

    Though I'd have to look into EL8 PHP and OpenSSL 3.0 support. But EL8 PHP would already use EL8 native OpenSSL which is supported until 2029. So really just leave Nginx's OpenSSL usage direction choices.
     
  3. eva2000

    Ok did a quick check on AlmaLinux 8.6 with 130.00beta01 and Nginx 1.23.1 built against OpenSSL 3.0.5 which seems ok at first glance :)

    To test, set the following in the persistent config file /etc/centminmod/custom_config.inc prior to the centmin.sh menu option 4 run:
    Code (Text):
    OPENSSL_VERSION='3.0.5'

    So for Nginx and OpenSSL usage, we should be all set when OpenSSL 1.1.1 goes EOL upstream in ~11 months on September 11, 2023. Hopefully, by then OpenSSL 3.0 performance regressions compared to OpenSSL 1.1.1 are resolved.

    Though we may need to go to some variant of OpenSSL 3 if using Nginx with forked OpenSSL 3 quictls for HTTP/3 over QUIC/UDP support eventually.
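    The procedure in this post, as an added shell example (not Centmin Mod's own code): a helper that pins OPENSSL_VERSION in /etc/centminmod/custom_config.inc as described above, and a check that parses `nginx -V` after the menu option 4 rebuild to confirm the binary was built with, and is running with, the intended OpenSSL. The function names are assumed; the config path and variable are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: pin OPENSSL_VERSION in the
# persistent config, then confirm what the rebuilt nginx was really built
# against. File path and variable name are the ones named in the thread.

# Set or replace OPENSSL_VERSION='<ver>' in a custom_config.inc-style file.
set_openssl_version() {
  cfg="$1"; ver="$2"
  # Only digits, dots and lowercase letters (e.g. 3.0.5, 1.1.1q) may reach the
  # build config; anything else is rejected rather than sourced by centmin.sh.
  case "$ver" in
    ""|*[!0-9a-z.]*) echo "invalid OpenSSL version: $ver" >&2; return 1 ;;
  esac
  tmp=$(mktemp)
  # Drop any existing assignment, then append the new one.
  { [ -f "$cfg" ] && grep -v '^OPENSSL_VERSION=' "$cfg"; } > "$tmp" || true
  printf "OPENSSL_VERSION='%s'\n" "$ver" >> "$tmp"
  mv "$tmp" "$cfg"
}

# Parse `nginx -V` output and print "<built-with> <running-with>".
# nginx reports e.g. "built with OpenSSL 3.0.5 5 Jul 2022" and, when the
# shared library at runtime differs, appends "(running with OpenSSL 3.0.7 ...)".
nginx_openssl_versions() {
  built=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.a-z]*\).*/\1/p')
  running=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][0-9.a-z]*\).*/\1/p')
  [ -n "$running" ] || running="$built"
  printf '%s %s\n' "$built" "$running"
}

# Succeed only if nginx was built with, and is running with, the expected version.
check_nginx_openssl() {
  expected="$2"
  set -- $(nginx_openssl_versions "$1")
  [ "$1" = "$expected" ] && [ "$2" = "$expected" ]
}

# On a Centmin Mod host (nginx -V writes to stderr):
#   set_openssl_version /etc/centminmod/custom_config.inc 3.0.5
#   # now run centmin.sh menu option 4 to recompile nginx, then:
#   check_nginx_openssl "$(nginx -V 2>&1)" 3.0.5 && echo "nginx on OpenSSL 3.0.5"
```

    A mismatch between the "built with" and "running with" versions means the binary picked up a different shared libssl than the one it was compiled against, which is exactly the state the check above refuses.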
     
  4. buik

    I don't mean that you reject OpenSSL 1.1.1 but that you add OpenSSL 3 as an option.
    OpenSSL from Red Hat is heavily modified; test it well before using it.

    By the way, you can also just grab their security patches and implement them on your own :)

    The fact is that when OpenSSL 1.1.1 is EOL more and more software is moving away from 1.1.1.
    I wonder if PHP 8.3+ etc is still OpenSSL 1.1.1 compatible.

    I am opening this thread because a lot of software is going to be EOL in the next few months. PHP 7.4, OpenSSL 1.1.1. CentOS 7 even has the end in sight already.
     
  5. eva2000

    Yeah, that's logical. I am already building custom Centmin Mod RPMs for EL7/EL8/EL9 for some stuff that I am testing via Terraform right now, including my own Centmin Mod YUM repo :) Cloudflare made it even easier with CF Workers and the GA release of R2 S3-compatible storage. This mainly came about due to EL9 system OpenSSL 3.0 not being compatible with PHP versions <8.1, so the aim was to support building PHP 7.4 and PHP 8.0 using custom OpenSSL 1.1.1 and extended curl built on OpenSSL 1.1.1 for those PHP versions on EL9 systems.

    But I guess I can also look at this for EL8 systems, and the reverse: PHP supporting OpenSSL 3.0 and curl built on OpenSSL 3.0.
    Oh that is definitely within Centmin Mod's capabilities and the way I build Centmin Mod :)

    Indeed. Though there's been a long history of legacy PHP version hold outs in terms of adoption.

    Yeah, changing of the guard period. Though distros' LTS OSes will soften that change interval still :)