openssl bump?

[yosifkit]

The current OpenSSL versions we follow for each RabbitMQ release are here:

rabbitmq/versions.sh

Lines 28 to 33 in d4fe156

	declare -A opensslMajors=(
	[3.13]='3.1'
	[4.0]='3.3'
	[4.1]='3.3'
	[4.2]='3.3'
	)

OpenSSL 3.1 is already end of life. Can/should that be updated in the RabbitMQ 3.13 image? I'm leaning no, because 3.13 is basically end of life (at least community support). When should we drop the image entirely?

OpenSSL 3.3 will be end of life in about 5 months (2026-04-09). Should any of the 4.x RabbitMQ images be updated to OpenSSL 3.5 before April? That is the newer LTS that is supported until 2030. They are all on Erlang 27 which, as far as I can tell, supports OpenSSL 3.5.

---

Ref: https://openssl-library.org/policies/releasestrat/index.html

[lukebakken]

I don't see any reason to at least use 3.5, if not 3.6. Locally I always build Erlang against the latest OpenSSL version (3.6.0 right now), which I also compile myself.

Would there be an issue with adding a cron task to automatically update OpenSSL to the latest version?

[michaelklishin]

I run RabbitMQ on Erlang built against OpelSSL 3.5.x locally and see no reason not to bump to 3.5 for the 4.2, 4.1 image variants.

[tianon]

If we should update even more aggressively/automatically, we can definitely adjust this script -- this script is itself the "cron job" for doing those updates. 😄

It sounds like maybe Michael would prefer that we be slightly more conservative and keep the minor updates more manual so that we can go to only 3.5 for now and consider 3.6 in the future? (Trying to read between the lines a little, so apologies if I've misread!) 👀

[michaelklishin]

It's not that we should but it seems to be safe in practice (if the last couple of years are any indication), and I'd argue it's the right thing to do for a piece of infrastructure.

[lukebakken]

3.5.4 at the minimum, for sure.

Erlang only uses the cryptographic functions in OpenSSL, so we could also review the release notes to see if anything stands out. For instance, it doesn't seem like anything in the 3.6.0 release is relevant to the typical RabbitMQ user.

[michaelklishin]

So perhaps 4.1 and 4.2 can be bumped to 3.5.4 for now with automatic updates limited to 3.5.x? We can always go to 3.6.x and so on over time as those series accumulate mileage and more patch releases.