Diffstat (limited to 'pkgs/development/libraries/openssl/default.nix')
-rw-r--r--pkgs/development/libraries/openssl/default.nix29
1 files changed, 27 insertions, 2 deletions
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index c0b4fe75b610e..0e144726cf85f 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -237,6 +237,8 @@ let
 in {
   # intended version "policy":
   # - 1.1 as long as some package exists, which does not build without it
+  #   (tracking issue: https://github.com/NixOS/nixpkgs/issues/269713)
+  #   try to remove in 24.05 for the first time, if possible then
   # - latest 3.x LTS
   # - latest 3.x non-LTS as preview/for development
   #
@@ -245,7 +247,7 @@ in {
 
   # If you do upgrade here, please update in pkgs/top-level/release.nix
   # the permitted insecure version to ensure it gets cached for our users
-  # and backport this to stable release (23.05).
+  # and backport this to stable release (at time of writing this 23.11).
   openssl_1_1 = common {
     version = "1.1.1w";
     hash = "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";
@@ -259,7 +261,7 @@ in {
     withDocs = true;
     extraMeta = {
       knownVulnerabilities = [
-        "OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.05 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/"
+        "OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot be supported through the NixOS 23.11 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/"
       ];
     };
   };
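Review bot: The updated `knownVulnerabilities` string still says OpenSSL 1.1 "is reaching its end of life on 2023/09/11", yet the same commit dates itself to the 23.11 cycle in the previous hunk ("at time of writing this 23.11"), so that date has already passed and the warning presents a past event as an upcoming one. This string is exactly what a user sees when asked to permit an insecure package, so it should describe the current state rather than a forecast, e.g. `"OpenSSL 1.1 reached its end of life on 2023/09/11 and no longer receives security fixes; it cannot be supported through the NixOS 23.11 release cycle. https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/"`. The enclosing `openssl_1_1 = common { … }` definition starts outside this hunk.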
@@ -309,4 +311,27 @@ in {
       license = licenses.asl20;
     };
   };
+
+  openssl_3_3 = common {
+    version = "3.3.0";
+    hash = "sha256-U+ZrBDMipgar8Ah+dpmg4DOjf6E/65dC3zXDozsY+wI=";
+
+    patches = [
+      ./3.0/nix-ssl-cert-file.patch
+
+      # openssl will only compile in KTLS if the current kernel supports it.
+      # This patch disables build-time detection.
+      ./3.0/openssl-disable-kernel-detection.patch
+
+      (if stdenv.hostPlatform.isDarwin
+       then ./3.2/use-etc-ssl-certs-darwin.patch
+       else ./3.2/use-etc-ssl-certs.patch)
+    ];
+
+    withDocs = true;
+
+    extraMeta = with lib; {
+      license = licenses.asl20;
+    };
+  };
 }