Skip to content

Require OpenSSL 1.1.1+ or LibreSSL 3+#16480

Merged
straight-shoota merged 4 commits intocrystal-lang:masterfrom
ysbaddaden:chore/require-openssl1.1.1-and-libressl3.0.0-or-later
Dec 8, 2025
Merged

Require OpenSSL 1.1.1+ or LibreSSL 3+#16480
straight-shoota merged 4 commits intocrystal-lang:masterfrom
ysbaddaden:chore/require-openssl1.1.1-and-libressl3.0.0-or-later

Conversation

@ysbaddaden
Copy link
Collaborator

@ysbaddaden ysbaddaden commented Dec 4, 2025
edited
Loading

Drops support for OpenSSL 1.0.2, OpenSSL 1.1.0 and LibreSSL 2 that don't appear in any supported system anymore. One of the oldest, Debian 12 bullseye (oldoldstable) for example, distributes OpenSSL 1.1.1, same for Ubuntu 22.04, ...

There should be no impact, but since we drop some support, it's still a breaking change.

Closes #15423.
Related to #16475.

@ysbaddaden ysbaddaden self-assigned this Dec 4, 2025
@ysbaddaden ysbaddaden added topic:stdlib:crypto kind:breaking Intentional breaking change with significant impact. Shows up on top of the changelog. kind:chore labels Dec 4, 2025
@ysbaddaden
Copy link
Collaborator Author

ysbaddaden commented Dec 4, 2025
edited
Loading

We could probably drop support for LibreSSL < 4 since supported OpenBSD and DragonflyBSD releases come with LibreSSL 4. Same for Alpine Linux or FreeBSD (optional package).

@straight-shoota straight-shoota added this to the 1.19.0 milestone Dec 4, 2025
@straight-shoota straight-shoota moved this from Review to Approved in Multi-threading Dec 4, 2025
@ysbaddaden
Further cleanup
b540e82
@ysbaddaden
Fix: cleanup led to fix OpenSSL::SSL::Context#default_verify_param
b6e1a3a 
We checked for the existence of functions on LibSSL but the functions
are defined on LibCrypto (oops). The cleanup correctly enables the
verify param!
@ysbaddaden
Copy link
Collaborator Author

ysbaddaden commented Dec 5, 2025

I made some additional cleanup: we don't need to check for functions that are now always present (e.g. ALPN) or set removed options.

I also realized that the default verify params feature... was always disabled because we checked for functions on LibSSL while they are defined on LibCrypto (oops). Now it's enabled 😓

Notes:

  • the context options specs are smoke tests since the options it tests have been set to zero for a while (oops);
  • there might be other ssl context options that have been removed (and others added);
  • doc examples refer to deprecated ssl context options.

Sija
Sija reviewed Dec 5, 2025
View reviewed changes
@ysbaddaden @Sija
Fix: typo in error message
b9b2518 
Co-authored-by: Sijawusz Pur Rahnama <sija@sija.pl>
@straight-shoota straight-shoota merged commit 0d75d3d into crystal-lang:master Dec 8, 2025
47 of 48 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Done in Multi-threading Dec 8, 2025
@ysbaddaden ysbaddaden deleted the chore/require-openssl1.1.1-and-libressl3.0.0-or-later branch December 8, 2025 16:29
ysbaddaden added a commit to crystal-lang/crystal-book that referenced this pull request Dec 16, 2025
@ysbaddaden
Update OpenSSL and LibreSSL versions
114ecb8 
We dropped support for OpenSSL < 1.1.1 and LibreSSL < 3 in crystal-lang/crystal#16480
@ysbaddaden ysbaddaden mentioned this pull request Dec 16, 2025
Merged
straight-shoota pushed a commit to crystal-lang/crystal-book that referenced this pull request Dec 18, 2025
@ysbaddaden
Update OpenSSL and LibreSSL versions (#864)
44de931 
We dropped support for OpenSSL < 1.1.1 and LibreSSL < 3 in crystal-lang/crystal#16480
@ysbaddaden ysbaddaden mentioned this pull request Feb 5, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@straight-shoota straight-shoota straight-shoota approved these changes

+1 more reviewer

@Sija Sija Sija left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@ysbaddaden ysbaddaden

Labels

kind:breaking Intentional breaking change with significant impact. Shows up on top of the changelog. kind:chore topic:stdlib:crypto

Projects

Multi-threading
Status: Done

Milestone

1.19.0

Development

Successfully merging this pull request may close these issues.

Drop support for OpenSSL < 1.1.1

3 participants

@ysbaddaden @Sija @straight-shoota