Skip to content

Revert to curl 8.17.0 #351

@mathomp4

Description

@mathomp4

Well, it looks like curl 8.18.0 needs openssl v3:

checking for OpenSSL >= v3... configure: error: OpenSSL 3.0.0 or upper required.
make[1]: *** [GNUmakefile:861: curl.config] Error 1

and I see that in their changelog.

Per @badger (see curl/curl#18330 (comment)):

is there a way to make easy local changes for those who prefer to stay with latest 1.1.1w? Any particular reason 1.1.1w misses something that's needed after this pr?

We deliberately took away support for all OpenSSL versions before version 3 because OpenSSL themselves don't provide updates for those versions anymore, unless you are a paying customer of theirs.

If you are using the free OpenSSL version, version 1.x.x is now a security risk.

If you are paying OpenSSL for support for version 1 and thus not vulnerable, then I am happy to offer you a version of curl with support for OpenSSL 1.x - available with a support contract.

So, to get OpenSSL 1.x support:

get a support contract
revert the curl/curl@69c89bf commit and fix the fallout (there might be a little more to it as well, but that's the major part)
stay on 8.17.0 and backport all (current and future) security patches to that version

Now, do I want to revert? Of course not, but I we need to for now. It looks like Discover has OpenSSL 3 (maybe?):

> rpm -qa | grep ssl
libopenssl-3-devel-3.0.8-150400.4.42.1.x86_64
libopenssl3-3.0.8-150400.4.42.1.x86_64

as does TOSS5 at NAS:

openssl-devel-3.5.1-4.el9_7.x86_64
openssl-3.5.1-4.el9_7.x86_64

But NAS TOSS4 and our internal dev servers are running RHEL 8 and moving RHEL 8 to OpenSSL3 is apparently "a thing" (see https://www.redhat.com/en/blog/experience-bringing-openssl-30-rhel-and-fedora and https://computingforgeeks.com/installing-openssl-3-x-on-rocky-alma-centos-rhel-8/)

I'm sure I could probably work with our folks to get RHEL 9 on our dev server. But moving a supercomputer...oof. But I'll ask if they have OpenSSL3 around somewhere.

Metadata

Metadata

Assignees

Labels

revert libraryRevert a library to previous version

Type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions