adoptium / infrastructure

This repo contains all information about machine maintenance.

Update Win builds to use OpenSSL 1.1.1h #1578

Closed andrew-m-leonard closed 3 years ago

andrew-m-leonard commented 3 years ago

OpenSSL have released a fix update 1.1.1h: https://www.openssl.org/source/openssl-1.1.1h.tar.gz

OpenJ9 Win & Mac machines and build config need updating to use 1.1.1h

Willsparker commented 3 years ago

To do list:

Willsparker commented 3 years ago

Looking at the Windows machines, there's a lot of old OpenSSL versions. I'll double check build scripts, but I think it'd be fairly sensible to delete all but the new version and the currently used version.

sxa commented 3 years ago

I would be reluctant to add in the final bullet point other than for a very short transitional period, e.g. because we haven't deployed it on all the systems yet. We cannot want to risk accidentally releasing builds which use a known-insecure release.

Willsparker commented 3 years ago

From the looks, the mac build machines are set up with LibreSSL

build-macstadium-macos1014-x64-1:~ zeus$ openssl version
LibreSSL 2.6.5

Otherwise, the latest version on Brew is 1.1.1g, at least on macos1014

build-macstadium-macos1014-x64-1:~ zeus$ brew info openssl
openssl@1.1: stable 1.1.1g (bottled) [keg-only]
...

On macos1010, it's only 1.1.1f. I can build it from source though, if needed. (https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1h)

sxa commented 3 years ago

I think that the mac builds use --with-openssl=fetched and therefore will pull the correct one down automatically.

Willsparker commented 3 years ago

Excellent, I'll update the issue title :-)

Willsparker commented 3 years ago

Azure & Softlayer machines have OpenSSL 1.1.1h on them. I wasn't able to run Ansible on the Softlayer machines for some reason, however, considering #1594, that probably won't matter soon. Build PR has been put in, and a VPC Run has been kicked off that tests both the infra PR and the build PR: https://ci.adoptopenjdk.net/job/VagrantPlaybookCheck/886/
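
Added example, not part of the thread and not the project's own code: a gate over the output of `openssl version` that fails a machine whose toolkit is older than the 1.1.1h named in this issue, or is not OpenSSL at all (as with the LibreSSL 2.6.5 reported above). The function names and the sample banners other than the LibreSSL line are constructed for illustration.

```python
import re

# Minimum release named in this issue.
MINIMUM = "1.1.1h"

# major.minor.fix plus the optional patch letters used by pre-3.0 releases.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.1.1h' into a sortable tuple (1, 1, 1, 1, 'h')."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letters = m.groups()
    # Length first, so a two-letter suffix sorts after any single letter
    # and a bare '1.1.1' sorts before '1.1.1a'.
    return (int(major), int(minor), int(fix), len(letters), letters)


def check_banner(banner, minimum=MINIMUM):
    """Classify one line of `openssl version` output as (ok, reason)."""
    fields = banner.split()
    if len(fields) < 2:
        return (False, "unparseable banner")
    implementation, version = fields[0], fields[1]
    # Another implementation's version numbers are not comparable with
    # OpenSSL's, so it is reported as a failure rather than compared.
    if implementation != "OpenSSL":
        return (False, f"{implementation} {version} is not OpenSSL")
    try:
        found = parse_version(version)
    except ValueError as exc:
        return (False, str(exc))
    if found < parse_version(minimum):
        return (False, f"OpenSSL {version} is older than {minimum}")
    return (True, f"OpenSSL {version} meets minimum {minimum}")


if __name__ == "__main__":
    # Constructed sample banners; only the LibreSSL line appears in the thread.
    samples = ["LibreSSL 2.6.5",
               "OpenSSL 1.1.1g  21 Apr 2020",
               "OpenSSL 1.1.1h  22 Sep 2020"]
    for line in samples:
        ok, reason = check_banner(line)
        print("PASS" if ok else "FAIL", "-", reason)
```
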