[Development] Removal/deprecation of OpenSSL 1 in Qt
Ville Voutilainen
ville.voutilainen at gmail.com
Thu Dec 7 09:50:22 CET 2023
On Thu, 30 Nov 2023 at 12:52, Giuseppe D'Angelo via Development
<development at qt-project.org> wrote:
>
> Hi,
>
> OpenSSL 1 reached EOL last September:
>
> > https://www.openssl.org/blog/blog/2023/09/11/eol-111/
>
>
> Qt has supported OpenSSL 3 for a while, and so last week I pushed a
> patch to drop OpenSSL 1 support from Qt. "This has made a lot of people
> very angry and been widely regarded as a bad move."
>
>
> It turns out that not every platform officially supported by Qt ships
> OpenSSL 3 yet. Some of these platforms are promising to maintain OpenSSL
> 1 for a little while longer, for instance Ubuntu 20.04 LTS:
>
> > https://canonical.com/blog/running-openssl-1-1-1-after-eol-with-ubuntu-pro
>
>
> How to move forward from here: "revert the patch", sure, but also not so
> fast:
>
> * First and foremost, I'd like a semi-formal insurance from Qt SSL
> maintainers that they're willing to maintain OpenSSL 1 code in Qt as
> long as needed. This should be done publicly, in docs + blog posts,
> because users are going to depend on this information.
>
> * For "how long" is that exactly? Also a very good question. Can we
> gather 1) which supported platforms are still offering only OpenSSL 1,
> and 2) for how long do they plan to support OpenSSL 1, and 3) for how
> long Qt would like to support these platforms? (Basically, assessing
> whether the "insurance" above is realistic)
>
> * Then, a plain revert isn't a good idea either: the whole point of the
> original commit is that using OpenSSL 1 is outright dangerous if you
> don't know what you're doing. (Using unmaintained security-sensitive
> code is a terrible idea). Therefore, a revert must also include making
> OpenSSL 1 entirely opt-in (cmake switch), and not using any automatic
> detection whatsoever: users of Qt should never ever be enabling it "by
> accident".

Well, this is straightforward in the sense that QNX doesn't support
openssl3 yet. Dropping OpenSSL1 support is dropping support for TLS on
QNX, and we don't want to do that.

I don't quite follow why the revert "must" include making OpenSSL1
entirely an opt-in. That doesn't change anything in how we build our
release packages, at the end of the day. Innocent users should just
build with an OpenSSL3-enabled system.
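The "explicit opt-in, no automatic detection" build switch discussed in the quoted message, as an added illustration that is not Qt's own build system: the option name `DEMO_ALLOW_OPENSSL1`, the project name and `main.cpp` are hypothetical; `OPENSSL_VERSION` and the `OpenSSL::SSL` / `OpenSSL::Crypto` targets are provided by CMake's stock `FindOpenSSL` module.

```cmake
# Added example (not Qt's build system): an OpenSSL 1.x backend that is
# rejected unless the builder explicitly asks for it. Option name is hypothetical.
cmake_minimum_required(VERSION 3.16)
project(tls_backend_demo LANGUAGES CXX)

# Default OFF: a build never picks up the EOL series just because it is installed.
option(DEMO_ALLOW_OPENSSL1
       "Allow linking against the end-of-life OpenSSL 1.x series (explicit opt-in only)"
       OFF)

find_package(OpenSSL REQUIRED)   # sets OPENSSL_VERSION, e.g. "1.1.1w" or "3.0.13"

if(OPENSSL_VERSION VERSION_LESS "3.0.0")
    if(NOT DEMO_ALLOW_OPENSSL1)
        # Hard stop instead of silent fallback: the builder must decide consciously.
        message(FATAL_ERROR
            "Found OpenSSL ${OPENSSL_VERSION}, which is end-of-life. "
            "Install OpenSSL 3, or re-run CMake with -DDEMO_ALLOW_OPENSSL1=ON "
            "only on a platform that still ships security fixes for 1.x.")
    endif()
    # Opted in: keep it visible in the configure log and in the compiled binary.
    message(WARNING "Building against EOL OpenSSL ${OPENSSL_VERSION} by explicit request.")
    set(DEMO_TLS_LEGACY_OPENSSL1 ON)
endif()

add_executable(tls_demo main.cpp)
target_link_libraries(tls_demo PRIVATE OpenSSL::SSL OpenSSL::Crypto)
if(DEMO_TLS_LEGACY_OPENSSL1)
    # Lets the code (and anyone inspecting the build) tell the legacy backend apart.
    target_compile_definitions(tls_demo PRIVATE DEMO_TLS_LEGACY_OPENSSL1=1)
endif()
```

A plain `cmake -S . -B build` on a host with only OpenSSL 1.1 fails at configure time; the same host builds only with `-DDEMO_ALLOW_OPENSSL1=ON`, so no package is produced against the EOL library by accident.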