Question about openssl 1.1.1 and RHEL issue

Hello,

I have a question about the support expiration date for openssl 1.1.1 and a concern about the RHEL issue.

I am using AlmaLinux8.5 and the support for openssl1.1.1 bundled with this OS is about to expire on September 11, 2023.
The official openssl website explains support for openssl bundled with the OS as follows (link):

If you got your copy of OpenSSL 1.1.1 from your Operating System vendor (e.g. via .rpm or .deb packages) or some other third party then the support periods You should check with your OS vendor/other third party what support for OpenSSL you might expect from them.

Also, RHEL has recently decided to limit the release of source code to their customers.
If I continue to use AlmaLinux 8.5 and a vulnerability is discovered in openssl1.1.1, will AlmaLinux provide a fix for the openssl1.1.1 vulnerability via the repositories?

Best Regards,
gog

First, Red Hat (as Operating System vendor) has decided that RHEL 8 has openssl 1.1.1 and therefore they will support the openssl in RHEL 8 as long as they support RHEL 8. At least to 2029.

RHEL 8 is now at 8.8. If a critical vulnerability is found now, then Red Hat will release fixed version for RHEL 8.8, (and for RHEL 8.6 for Extended Update and SAP customers). No updates will be released for 8.5 (nor 8.7) – the 8.8 is the update for older point updates.


Up to this summer AlmaLinux was able to use the released sources of RHEL 8. Only the 8.8 fix would have appeared now, since EUS/SAP sources have never been public. At the moment AlmaLinux 8.8 is the only supported AlmaLinux 8. The 8.5 did “EOL” the moment the 8.6 was released. Previous point releases have never been supported.

Red Hat emphasizes the point that they support open source. That is, that they push content (like fixes) to upstream. The openssl 1.1.1 will be an interesting case after the upstream is dead. (Python 2.7 is already at that state.) Will the code fixes that Red Hat does for RHEL 8 version of openssl appear anywhere else?

So far AlmaLinux (and Rocky Linux) have found ways to get source code and they attempt to continue to do so.

2 Likes

Dear gog,
you shouldn’t use AlmaLinux 8.5 at all, please upgrade to 8.8 so you’ll get updates at all.

2 Likes

The OpenSSL version in RHEL and all its derivatives is not directly affected by the EOL of the 1.1.1 tree. Since RHEL is a LTS distribution, OpenSSL will receive critical security fixes until its EOL in 2029.

In rare occasions however, Red Hat did rebase programs or libs in RHEL in the past and they did, for example, rebase OpenSSL in RHEL 6 too. Either way, OpenSSL will continue to receive critical security fixes in one or the other form, and since AlmaLinux is committed to maintain their EL8 until 2029 as well, you shouldn’t need to be worried.

1 Like

Hello, @jlehtone

Thank you for your reply.

According to the following document, RHEL8.6 (I checked carefully and my RHEL is 8.6, not 8.5.) will have Extended Update Support until around June 2024 and Update Services for SAP Solutions until around June 2026, but will this support be available for AlmaLinux? Is this not possible with AlmaLinux?

Also, it seems that RHEL8.9 will be released around December 2023. Is it correct to understand that AlmaLinux8.8 will reach EOL at the same time as AlmaLinux8.9 is released?

Red Hat Enterprise Linux 8 and 9 Life Cycle
https://access.redhat.com/support/policy/updates/errata#foot_5

Those who pay for EUS (or US for SAP) subscription of RHEL 8.6 will get critical (bug/security) updates from RHEL.

Red Hat has never made source code of those updates public. Without sources one cannot build such update packages. No clone of RHEL (like CentOS, AlmaLinux, etc) has ever attempted to get sources for those updates by other means, AFAIK. No sources → no build of new packages (with fixes) – and no “support”.


The default in RHEL is to automatically update to the latest available point update, but there is an option to pin – stay at a specific older point update even if one does not purchase EUS. That way there are no security updates, but your system remains unchanged. Same as not running “dnf up” ever again.

The clones do not really offer the pin option. As said, you “stay” in old version trivially by never running ‘dnf’ again. If you want “security”, then that is not an option for you.


AlmaLinux has shifted focus from bug-for-bug compatibility to ABI compatibility. See AlmaLinux OS - Forever-Free Enterprise-Grade Operating System
How that will affect various bits and pieces is still evolving.

1 Like
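A practical follow-up to the point above that fixes arrive as backports in RHEL-family packages: the package keeps the upstream version string (1.1.1k, for example), so `openssl version` alone cannot tell you whether a given CVE has been patched. The RPM changelog does record the backported CVE ids. The script below is an added example, not something posted in this thread or shipped by AlmaLinux; it extracts CVE ids from changelog text and, on a host that has `rpm`, reads the installed openssl changelog. The changelog sample and its CVE numbers are constructed for the example and do not refer to real advisories.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a distro-packaged OpenSSL
# carries backported CVE fixes. Enterprise distros keep the upstream version
# string and note backported fixes in the RPM changelog instead.

# Print the unique CVE identifiers found in changelog text read from stdin.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the CVE id given as $1 appears in the changelog read from stdin.
changelog_mentions_cve() {
    cve="$1"
    cves_in_changelog | grep -qx "$cve"
}

# Live check on an RPM-based host: list CVE ids mentioned by the installed
# openssl package. Fails with a message where rpm is not available.
installed_openssl_cves() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | cves_in_changelog
    else
        echo "rpm is not available on this host" >&2
        return 1
    fi
}

# Constructed sample changelog (hypothetical dates, maintainer and CVE ids).
SAMPLE_CHANGELOG='* Mon Jan 01 2099 Maintainer <maint@example.invalid> - 1:1.1.1k-9
- fix CVE-2099-11111 (constructed id) in certificate name handling
- fix CVE-2099-22222 (constructed id) in ASN.1 decoding
* Mon Dec 01 2098 Maintainer <maint@example.invalid> - 1:1.1.1k-8
- rebuild for updated toolchain'

# Number of distinct CVE ids in the constructed sample (expected: 2).
sample_cve_count() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_in_changelog | wc -l | tr -d ' '
}

# Stand-alone demo: report on the sample, then on the real package if present.
printf 'CVE ids in sample changelog: %s\n' "$(sample_cve_count)"
installed_openssl_cves 2>/dev/null || true
```

To see fixes that are published but not yet installed, `dnf updateinfo list security` on the same host lists pending security advisories, and `dnf updateinfo info <advisory-id>` shows which CVEs an advisory covers; that is the place to look when asking whether a derivative has shipped a particular fix.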

Thank you for your response. We appreciate it.

Kind Regards,
gog

I have Almalinux 8 on both the server and development machine.
On the server I recompiled nginx with openssl 3 to be able to use TLS 3; openssl 1 stops at TLS 2. As some other application needs it, I will recompile that too.
On the development machine same thing.
However, I have a clone of the server locally and I tried to replace openssl directly without major problems, obviously in production it is better to be very careful