Please upgrade to OpenSSL to 1.1.0 #1691

Closed
1 task done
skid9000 opened this issue May 26, 2018 · 9 comments

skid9000 commented May 26, 2018

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
$ git --version --build-options

git version 2.16.2.windows.1
cpu: x86_64
built from commit: e1848984d1004040ec5199e749b5f282ddf4bb09
sizeof-long: 4
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [version 6.3.9600]
  • What options did you set as part of the installation? Or did you choose the
    defaults?
# One of the following:

$ cat /etc/install-options.txt

Editor Option: VisualStudioCode
Path Option: BashOnly
SSH Option: OpenSSH
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled
  • Any other interesting things about your environment that might be related
    to the issue you're seeing?

No

Details

  • Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Bash

openssl version
  • What did you expect to occur after running these commands?

OpenSSL 1.1.0h 7 Mar 2018

  • What actually happened instead?

OpenSSL 1.0.2n 7 Dec 2017

@shiftkey

@skid9000 please upgrade to Git 2.17.0:

$ openssl version
OpenSSL 1.0.2o  27 Mar 2018

@dscho
Member

dscho commented May 28, 2018

@skid9000 okay, you asked for it (by suggesting a feature to an Open Source project that is welcoming contributions):

As OpenSSL 1.1.x is not intended to be API compatible with OpenSSL 1.0.x, I think this would either require the .dll files of OpenSSL 1.1.x to encode the version in their name, or it would require a rebuild of all dependencees of OpenSSL.

To find out what needs to be rebuilt, install Git for Windows' SDK and call this command:

pactree -r mingw-w64-x86_64-openssl

These will have to be remade, and the safest way to do so is to provide a Pull Request for https://github.com/Alexpux/MINGW-packages that updates OpenSSL (i.e. mingw-w64-git/PKGBUILD and possibly some of the files in the same directory) and all of its dependencees.
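
Added example (not part of the thread or of Git for Windows' tooling): a check of which OpenSSL ABI a built binary imports, based on the DLL-name point above. It assumes the usual MinGW DLL names (`libeay32.dll`/`ssleay32.dll` for 1.0.x, `libcrypto-1_1*.dll`/`libssl-1_1*.dll` for 1.1.x) and the `DLL Name:` lines that `objdump -p` prints for PE files; the sample dumps are constructed.

```shell
#!/bin/sh
# Constructed sample import tables in `objdump -p` format
# (not taken from a real Git for Windows binary).
SAMPLE_OLD='    DLL Name: KERNEL32.dll
    DLL Name: libeay32.dll
    DLL Name: ssleay32.dll'
SAMPLE_NEW='    DLL Name: libcrypto-1_1-x64.dll
    DLL Name: msvcrt.dll'

# imported_dlls DUMP: print the imported DLL names, lower-cased, one per line.
imported_dlls() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*DLL Name:[[:space:]]*//p' |
    tr 'A-Z' 'a-z'
}

# openssl_abi DUMP: print which OpenSSL ABI the import table refers to.
#   1.0   - libeay32.dll / ssleay32.dll (unversioned 1.0.x names)
#   1.1   - libcrypto-1_1*.dll / libssl-1_1*.dll (version encoded in name)
#   mixed - both kinds imported; none - no OpenSSL import
openssl_abi() {
  abi_old=no
  abi_new=no
  for abi_dll in $(imported_dlls "$1"); do
    case $abi_dll in
      libeay32.dll|ssleay32.dll) abi_old=yes ;;
      libcrypto-1_1*.dll|libssl-1_1*.dll) abi_new=yes ;;
    esac
  done
  case $abi_old$abi_new in
    yesyes) echo mixed ;;
    yesno)  echo 1.0 ;;
    noyes)  echo 1.1 ;;
    *)      echo none ;;
  esac
}

# Live use inside the SDK (the /mingw64/bin path is an assumption):
#   for f in /mingw64/bin/*.exe /mingw64/bin/*.dll; do
#     printf '%s %s\n' "$(openssl_abi "$(objdump -p "$f")")" "$f"
#   done | grep -v '^none '
```

Binaries still reported as `1.0` after an OpenSSL 1.1.x upgrade are the ones that were not rebuilt.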

@rimrul
Member

rimrul commented May 30, 2018

It seems OpenSSH is currently not compatible with OpenSSL 1.1.x. This would be a big problem, wouldn't it? There are apparently patches from Debian and Fedora that we could potentially borrow, though.

@skid9000
Author

Oh, I didn't know that U_u
I thought it was using the OpenSSL on the system.

The problem that I have actually is that I force the CHACHA20 cipher for the OpenSSH server, so OpenSSL 1.0.x should not work ('cause not implemented).

But now I'm perplexed: on my Debian, it is OpenSSH 7.4p1 compiled with OpenSSL 1.0.2l O.o
And it can connect to the CHACHA20-only server ...

So I retested on Git Bash (OpenSSH 7.6p1 with OpenSSL 1.0.2n) ...
and it didn't work U_u

$ ssh root@xxx -p xxxxx
Unable to negotiate with xxx.xxx.xxx.xxx port xxxxx: no matching cipher found. Their offer: [email protected]
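
Added example (not part of the thread): a way to triage a "no matching cipher found" error by comparing the server's offer with what the client binary supports (`ssh -Q cipher`) and what its effective configuration enables (`ssh -G host`). The sample lists are constructed and `example.invalid` is a placeholder host.

```shell
#!/bin/sh
# Constructed sample data (not from the issue): a supported-cipher list in
# `ssh -Q cipher` format (one per line) and an enabled list in the comma
# format of the "ciphers" line printed by `ssh -G host`.
SAMPLE_SUPPORTED='aes128-ctr
aes256-ctr
chacha20-poly1305@openssh.com'
SAMPLE_ENABLED='aes128-ctr,aes256-ctr'

# in_list NAME LIST: succeed if NAME is an exact entry of LIST
# (entries separated by commas and/or newlines).
in_list() {
  printf '%s\n' "$2" | tr ',' '\n' | grep -Fxq -- "$1"
}

# classify_offer OFFER SUPPORTED ENABLED
# OFFER is the comma-separated list printed after "Their offer:".
# Prints one line per offered cipher:
#   negotiable  - enabled in the client's effective configuration
#   disabled    - known to the client binary but not in its Ciphers list
#   unsupported - unknown to this client binary
classify_offer() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r co_cipher; do
    [ -n "$co_cipher" ] || continue
    if in_list "$co_cipher" "$3"; then
      printf 'negotiable %s\n' "$co_cipher"
    elif in_list "$co_cipher" "$2"; then
      printf 'disabled %s\n' "$co_cipher"
    else
      printf 'unsupported %s\n' "$co_cipher"
    fi
  done
}

# Live use (needs OpenSSH 6.8 or later for `ssh -G`):
#   classify_offer 'chacha20-poly1305@openssh.com' \
#     "$(ssh -Q cipher)" \
#     "$(ssh -G example.invalid | awk '$1 == "ciphers" { print $2 }')"
```

OpenSSH carries its own implementation of `chacha20-poly1305@openssh.com`, so a `disabled` result for it points at the client's `Ciphers` configuration and an `unsupported` result at how the client was built, not at the linked OpenSSL version.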

@rimrul
Member

rimrul commented May 30, 2018

  1. Prerequisites
    [...]
    libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
    LibreSSL http://www.libressl.org/ ; or
    OpenSSL http://www.openssl.org/
    [...]
    Note that because of API changes,
    OpenSSL 1.1.x is not currently supported.

However, there is some kind of patch by the Debian package maintainers, AFAIK. I just can't find it currently.

[1] https://github.com/openssh/openssh-portable/blob/master/INSTALL
[2] openssh/openssh-portable#48

@magneticflux-

@dscho @rimrul It looks like OpenSSH supports versions of OpenSSL >= 1.1.0g now, as of 17 days ago: here

They included the OpenSSL compat layer 26 days ago: openssh/openssh-portable@31b4952.

It also looks like upstream (Alexpux/MINGW-packages) has already updated OpenSSL to 1.1.1: here. It looks like they already rebuilt dependents in this commit: Alexpux/MINGW-packages@391ba31

Does this make it easier to upgrade? I currently need to use PostgreSQL and Git, which require 1.1 and 1.0 of OpenSSL respectively, so they're incompatible.

@dscho
Member

dscho commented Nov 14, 2018

Does this make it easier to upgrade?

Nothing makes this easier to upgrade. This is a friggin' nightmare, and nobody helps.

@PhilipOakley

@Magneticflux, To paraphrase Dscho, a fully tested PR would be of more assistance. One that covers all the points made above. If it's important, then hopefully you can get a bit of time allocated to having a look.

PR welcome.

@magneticflux-

magneticflux- commented Nov 14, 2018

@dscho It seems like your idea to "just keep the fork of Git for Windows running indefinitely" from here msys2/MSYS2-packages#786 (comment) may not be the most efficient course of action. I don't think it's sustainable in the long run to keep rebasing this fork-of-patches. In fact, I believe the original repository-of-patches that is MSYS2-packages and MINGW-packages should also focus on contributing platform-agnostic fixes (using these platform checks) to its numerous "upstreams" rather than keeping an ever-growing backlog of patches like you referred to here msys2/MSYS2-packages#786 (comment).

In short, I think that it's vital for the future of MSYS2 to have a working Git client, and vital for the future of Git-for-Windows to have a working (and up-to-date) GNU- and POSIX-friendly environment for outside of Git. These are just my opinions, so take with a grain of salt.

dscho referenced this issue in git-for-windows/MSYS2-packages Nov 23, 2018
Only the ca-dir patch applied cleanly. The MSYS2 one had to be re-done.
The others seem not to be necessary.

To indicate that this package has not yet been released (and to let
`please.sh upgrade openssl` commit a change to `PKGBUILD`), let's force
the pkgrel to 0 for starters.

Signed-off-by: Johannes Schindelin <[email protected]>
@dscho dscho self-assigned this Nov 23, 2018
@dscho dscho added this to the v2.19.2(2) milestone Nov 23, 2018
@dscho dscho closed this as completed Nov 23, 2018