Closed andrew-m-leonard closed 3 years ago
To do list:
Looking at the Windows machines, there's a lot of old OpenSSL versions. I'll double check build scripts, but I think it'd be fairly sensible to delete all but the new version and the currently used version.
I would be reluctant to add in the final bullet point other than for a very short transitional period, e.g. because we haven't deployed it on all the systems yet. We do not want to risk accidentally releasing builds which use a known-insecure release.
From the looks, the mac build machines are set up with LibreSSL
build-macstadium-macos1014-x64-1:~ zeus$ openssl version
LibreSSL 2.6.5
Otherwise, the latest version on Brew is 1.1.1g, at least on macos1014
build-macstadium-macos1014-x64-1:~ zeus$ brew info openssl
openssl@1.1: stable 1.1.1g (bottled) [keg-only]
...
On macos1010, it's only 1.1.1f
I can build it from source though, if needed. (https://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1h)
I think that the mac builds use --with-openssl=fetched and therefore will pull the correct one down automatically.
Excellent, I'll update the issue title :-)
Azure & Softlayer machines have OpenSSL 1.1.1h on them. I wasn't able to run Ansible on the Softlayer machines for some reason; however, considering #1594, that probably won't matter soon. Build PR has been put in, and a VPC Run has been kicked off that tests both the infra PR and the build PR: https://ci.adoptopenjdk.net/job/VagrantPlaybookCheck/886/
OpenSSL have released a fix update 1.1.1h: https://www.openssl.org/source/openssl-1.1.1h.tar.gz
OpenJ9 Win & Mac machines and build config need updating to use 1.1.1h