OpenSSL 1.1.x EOL - upgrade to 3.x planned?

[Stefan Beck <s....@codesys.com>]

Dear Sir or Madam,

OpenSSL 1.1.x, which I understand is used by the most current version of Apache Subversion, is reaching its end-of-life in September 2023: https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/

I put quite an effort in searching for information on an upgrade of OpenSSL , however I could not find any reliable information on the Subversion web site<https://subversion.apache.org/security/>, the public Jira bug tracker<https://issues.apache.org/jira/browse/SVN-3472?jql=project%20%3D%20SVN%20AND%20text%20~%20%22openssl%22%20and%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Abandoned%2C%20Completed)>, the mailing lists of the past year<https://lists.apache.org/list?*@subversion.apache.org:gte=0d:openssl>, or the developer documentation in Confluence<https://cwiki.apache.org/confluence/display/SVN/Apache+Subversion+Wiki>.

Is there any work in progress or are there any plans to upgrade to the recommended OpenSSL version 3.1.x.?

Best regards,
Stefan Beck

Re: OpenSSL 1.1.x EOL - upgrade to 3.x planned?

[Daniel Sahlberg <da...@gmail.com>]

Den ons 5 apr. 2023 kl 20:51 skrev Andreas Stieger <An...@gmx.de>:

> Hello,
>
> > [OpenSSL 3.0 and Apache Subversion]
>
> Subversion supports OpenSSL 3 if serf (it's http library dependency) or,
> respectivey, httpd (for mod_dav_svn) are build against it:
>

FWIW: I spent the weekend switching TortoiseSVN to OpenSSL 3.1.0. It was a
very straightforward process apart with only some minor adjustments in the
TSVN build process and the issue below.

If you are looking for a patch to make serf work with OpenSSL 3 here is one:
>
> https://build.opensuse.org/package/view_file/devel:libraries:c_c++/libserf/openssl3.patch
> I can check if this is still needed. If not this may be easier for you. If
> not serf might want to do a release.
>

Serf has been patched to work with OpenSSL (r1901937), but it has not been
released yet, so there might be some patching needed for building Serf
1.3.9. I've sent a mail to the Serf mailing list [1] to see if something
can be done to speed up a release. I ended up building against Serf trunk
for the moment.

Kind regards,
Daniel Sahlberg

[1] https://lists.apache.org/thread/6m7s6pwjzvjh4w8rvc133rq3jmwqtjmg

Re: OpenSSL 1.1.x EOL - upgrade to 3.x planned?

[Andreas Stieger <An...@gmx.de>]

Hello,

> [OpenSSL 3.0 and Apache Subversion]
 
Subversion supports OpenSSL 3 if serf (it's http library dependency) or, respectivey, httpd (for mod_dav_svn) are build against it:

$ ldd `which svn` | grep -E "lib(crypto|ssl)"
        libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007feeae680000)
        libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007feeae250000)
$ rpm -qf /usr/lib64/libssl.so.3 /usr/lib64/libcrypto.so.3
libopenssl3-3.0.8-2.4.x86_64
libopenssl3-3.0.8-2.4.x86_64

The Subversionn project does not distribute binaries, If you are using a binary distribution please contact the vendor or distribution.

If you are looking for a patch to make serf work with OpenSSL 3 here is one:
https://build.opensuse.org/package/view_file/devel:libraries:c_c++/libserf/openssl3.patch
I can check if this is still needed. If not this may be easier for you. If not serf might want to do a release.

There is no work planned because there is not needed, at least none that I am aware of.

Andreas