OpenSSL 1.1 and openssl 0.9 API breaking changes


#1

This week, OpenSSL 1.1 has reached Debian Sid. It’s also the version currently on Fedora rawhide.

Rust crates using OpenSSL use the openssl crate, generally ^0.7. This 0.7 branch isn’t compatible with OpenSSL 1.1.

That means out of the box, any Rust application using the 0.7 version of the openssl crate doesn’t compile on Debian Sid or Fedora Rawhide. This includes Hyper, so it’s a large issue for the Rust web applications.

Upgrade path

To fix this, crates could updated to ^0.9: the openssl 0.9 crate is compatible both with OpenSSL 1.0.1 and OpenSSL 1.1 branch.

We also should do this migration rather quickly to avoid the issues to have half the crates on openssl 0.9, the other half stuck to 0.7.

Upgrade howto

This update isn’t always trivial. The API of the openssl create has been modified, for example the error handling. A migration guide from openssl 0.7 to openssl 0.9 would be welcome.

Add to that the OpenSSL 1.1 API changed too. For example TLS is now “TLS” and not “Sslv23” anymore.

Current state of OpenSSL 1.1 among OS and distros

Debian and Fedora release versions (including Fedora 25) still use OpenSSL 1.0. Next versions will use OpenSSL 1.1 : Fedora 26 is for June (2017-06-06), Debian Stretch release date not yet announced.

If we look to the distributions where rolling release is the preferred model, Arch is still 1.0, but is marked outdated.

FreeBSD currently maintain a security/openssl port at 1.0 version, a security/openssl-devel port at 1.1.


#2

If anyone’s having trouble figuring out the upgrade on one of their crates, feel free to ping me in IRC or file an issue on the rust-openssl repo: https://github.com/sfackler/rust-openssl.


#3

FWIW, Fedora Rawhide has a compat-openssl10 package to ease the transition a little. But it’s currently pretty sketchy, as some dependents have transitioned while others are still behind, so it’s easy to get multiple versions of openssl loaded in a process (#badidea).

I look forward to a release of the updated Cargo so we can get off this mess, at least in terms of Fedora’s Rust packages. But thankfully Cargo barely uses openssl anyway.


#4

Debian stretch is a bit in a middle of a transition as well, with significant parts of the distribution still using 1.0.