Update openssl to 1.0.2o #652

Merged
merged 1 commit into from
Apr 10, 2018

tiennou
Contributor

@tiennou tiennou commented Apr 9, 2018

@pks-t mentioned CVEs against the version we're using, so let's update.

Extracted from #645, because that fix will need more work.

@tiennou
Contributor Author

tiennou commented Apr 9, 2018

I'd like to propose switching libssh2's backend to mbedTLS, because I don't think #648 can be realistically made to work without any external dependencies.

@pietbrauer @phatblat Opinions?

@phatblat
Member

phatblat commented Apr 10, 2018

I haven't heard of mbedTLS before, but I'm game as long as there's a decent community to support it and we can build it on Apple platforms. Would this replace the CommonCrypto used by macOS in libssh2?

As for the license, they say it is dual licensed as both Apache 2 or GPL 2. I would think we'd want to use Apache 2 so that it would be compatible with this repo's MIT license. I just want to make sure people can use this repo to build apps that they make money from, without having to give away the source code. It looks like they have the Apache 2 license in their GitHub repo, so probably a non-issue.

@phatblat
Member

What version of OpenSSL does this PR bring us up to? Are we on 1.0.2p-dev now as the readme in the OpenSSL_1_0_2-stable branch says?

@tiennou
Contributor Author

tiennou commented Apr 10, 2018

It seems the world moved since I updated my submodule, so I've pointed it at 1.0.2o which was released 27/03 instead of tracking stable.

> Would this replace the CommonCrypto used by macOS in libssh2?

We don't have that, and AFAICT we're not likely to have it (see #648). Arguably, I'm not even sure of my reasons for asking for a change, since whatever we do we'd have to package ourselves; it just felt like mbedTLS might be easier, but it's a hunch.

@phatblat
Member

Ah, that’s right. Well, it would be nice to get rid of openssl.

@phatblat
Member

Can you rename the PR to reflect the version?

@tiennou tiennou changed the title from "Update openssl to 1.0.2-stable" to "Update openssl to 1.0.2o" on Apr 10, 2018
@tiennou
Contributor Author

tiennou commented Apr 10, 2018

:shipit:

@phatblat phatblat merged commit 2ab216a into libgit2:master Apr 10, 2018
@tiennou tiennou deleted the update-openssl branch April 23, 2018 08:56