[Development] Removal/deprecation of OpenSSL 1 in Qt

Giuseppe D'Angelo giuseppe.dangelo at kdab.com
Thu Nov 30 11:49:45 CET 2023


Hi,

OpenSSL 1 reached EOL last September:

> https://www.openssl.org/blog/blog/2023/09/11/eol-111/


Qt has supported OpenSSL 3 for a while, and so last week I pushed a 
patch to drop OpenSSL 1 support from Qt. "This has made a lot of people 
very angry and been widely regarded as a bad move."


It turns out that not every platform officially supported by Qt ships 
OpenSSL 3 yet. Some of these platforms are promising to maintain OpenSSL 
1 for a little while longer, for instance Ubuntu 20.04 LTS:

> https://canonical.com/blog/running-openssl-1-1-1-after-eol-with-ubuntu-pro


How to move forward from here: "revert the patch", sure, but also not so 
fast:

* First and foremost, I'd like a semi-formal insurance from Qt SSL 
maintainers that they're willing to maintain OpenSSL 1 code in Qt as 
long as needed. This should be done publicly, in docs + blog posts, 
because users are going to depend on this information.

* For "how long" is that exactly? Also a very good question. Can we 
gather 1) which supported platforms are still offering only OpenSSL 1, 
and 2) for how long do they plan to support OpenSSL 1, and 3) for how 
long Qt would like to support these platforms? (Basically, assessing 
whether the "insurance" above is realistic)

* Then, a plain revert isn't a good idea either: the whole point of the 
original commit is that using OpenSSL 1 is outright dangerous if you 
don't know what you're doing. (Using unmaintained security-sensitive 
code is a terrible idea). Therefore, a revert must also include making 
OpenSSL 1 entirely opt-in (cmake switch), and not using any automatic 
detection whatsoever: users of Qt should never ever be enabling it "by 
accident".


Thank you,

-- 
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - Trusted Software Excellence