OpenSSL 3.0 support for Debian11

[Shaheena Kazi]

Hello Team,

We are using Debian 11 with OpenSSL 1.1.1n

As OpenSSL 1.1.1 series is going EOL on 11th September 2023.

We would like to know if Debian is planning to add OpenSSL 3.0 support on Debian 11 any time soon.

Regards,

[The Wanderer]

While I have no special inside knowledge on the subject:

Debian 11 is, from what I understand, the current stable release.

It is unlikely that such an important package would be updated from one
major version to another within a stable release. It's not entirely
impossible, e,g, via the stable-security repository, but I would not
expect it to happen.

However, we are apparently currently approaching the freeze date for
preparing the next stable release of Debian, which would presumably be
Debian 12. Current Debian testing (which will, following the polishing
process during the freeze period, be released as the new stable)
includes OpenSSL 3.x, so it is nearly certain that that will be included
in the next stable release.

The length of the freeze period varies depending on how long it takes
for things to become ready to release, but my understanding is that it
will typically be four to six months.

Given that 2023-09-11 is a little less than eight months away, I think
that there should be a new stable release - including OpenSSL 3.x - out
before that happens.

However, you probably won't be able to update to that version while
remaining on Debian 11; you will probably need to update to Debian 12 in
order to get it.

--
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw

[to...@tuxteam.de]

It seems to be in bookworm. You can search yourself via https://packages.debian.org/:

https://packages.debian.org/search?keywords=openssl&searchon=names&suite=all&section=all

Cheers
--
t

[Ben Lavender]

Stable releases don't always provide the latest software, generally that
isn't always respectively "stable".

The latest seems to be available via the repositories Debian testing and
unstable of which you can still run on Debian 11 if you configure it so.

https://tracker.debian.org/pkg/openssl

[to...@tuxteam.de]

On Tue, Jan 17, 2023 at 11:23:41PM +0000, Ben Lavender wrote:
> Stable releases don't always provide the latest software, generally that
> isn't always respectively "stable".

To be more precise, "stable" means "it doesn't change". In general,
no new major versions, especially not libraries (which would imply
a flurry of updates of dependencies).

Of course, security updates, bug fixes, etc. still come in. If an
upstream library only gets an important (e.g.) security update in
a later major version, the maintainer tries hard to backport this
fix.

The result is a "no surprises" upgrade process whithin a stable
release.

Cheers
--
t

[David]

On Wed, 18 Jan 2023 at 10:24, Ben Lavender <b...@benlavender.co.uk> wrote:

> Stable releases don't always provide the latest software, generally that
> isn't always respectively "stable".
>
> The latest seems to be available via the repositories Debian testing and
> unstable of which you can still run on Debian 11 if you configure it so.

Hi,

Debian 11 is current Debian Stable release.
There's a page on the Debian wiki titled
"Advice For New Users On Not Breaking Their Debian System" [1]

and the very first item of advice there is
"If you're trying to install software that isn't available in the current Debian
Stable release, it's not a good idea to add repositories for other
Debian releases."

So it might be a good idea for anyone considering adding additional software
outside of what is officially packaged for a Debian Stable release to evaluate
the information given on that page regarding different methods of doing so,
and possible consequences.

[1] https://wiki.debian.org/DontBreakDebian

[Ben Lavender]

You are correct, perhaps I shouldn't have recommended that given I'm not
sure of the OP's experience with Debian. I personally run it like this
with no issues.

[Jeffrey Walton]

On Wed, Jan 18, 2023 at 1:19 AM David <bounci...@gmail.com> wrote:
>
> On Wed, 18 Jan 2023 at 10:24, Ben Lavender <b...@benlavender.co.uk> wrote:
>
> > Stable releases don't always provide the latest software, generally that
> > isn't always respectively "stable".
> >
> > The latest seems to be available via the repositories Debian testing and
> > unstable of which you can still run on Debian 11 if you configure it so.
>

> Debian 11 is current Debian Stable release.
> There's a page on the Debian wiki titled
> "Advice For New Users On Not Breaking Their Debian System" [1]
>
> and the very first item of advice there is
> "If you're trying to install software that isn't available in the current Debian
> Stable release, it's not a good idea to add repositories for other
> Debian releases."
>
> So it might be a good idea for anyone considering adding additional software
> outside of what is officially packaged for a Debian Stable release to evaluate
> the information given on that page regarding different methods of doing so,
> and possible consequences.

I've seen manual OpenSSL upgrades break a few systems over the years.
OpenSSL is needed to check signatures on packages, so it's almost
impossible to bring a system back from a break. In this case, a break
usually includes overwriting Debian's copy of libcrypto.so and
libssl.so in /usr/lib.

If OpenSSL is installed locally at /usr/local, then things should be
Ok. I do it all the time. The rub is, be sure to set a RPATH or
RUNPATH so the proper dynamic libraries are found at runtime. Also see
https://wiki.openssl.org/index.php/Compilation_and_Installation#Using_RPATHs
.

Jeff