What
Remove OpenSSL 1.1.1 fallback support and enforce OpenSSL 3.0+ as the minimum required version for PostgreSQL SSL connections and other encrypted database transports.
Why
- Security risk: OpenSSL 1.1.1 reached End of Life (EOL) on September 11, 2023. Database connection encryption with an EOL library is a critical vulnerability.
- SOUP compliance: For safety-critical systems (IEC 62304), using EOL cryptographic libraries in data transport is a high-risk finding requiring immediate mitigation.
- Consistency: logger_system and network_system are also migrating to OpenSSL 3.0+ only. Ecosystem-wide alignment reduces testing complexity.
- PostgreSQL compatibility: PostgreSQL 16+ recommends OpenSSL 3.x for SSL connections.
Where
- CMakeLists.txt or cmake/FindSystemDependency.cmake: OpenSSL detection
- database/CMakeLists.txt: PostgreSQL backend SSL linkage
- scripts/dependency.sh: Platform dependency installation
- CI/CD workflows
How
- Update OpenSSL version requirement to 3.0.0 minimum
- Remove any OpenSSL 1.1.x conditional code paths
- Update scripts/dependency.sh to install OpenSSL 3.x packages
- Verify PostgreSQL SSL connections work with OpenSSL 3.x
- Update README prerequisites
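
A version gate for the dependency or CI script, as an added example that is not part of the project's code: it parses the `openssl version` banner and rejects both OpenSSL 1.1.x and non-OpenSSL implementations such as LibreSSL, whose own 3.x numbering would pass a plain numeric comparison. The function names and exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's own code. Function names and exit codes
# are hypothetical. It checks the openssl binary on PATH, which may differ
# from the library the build links against; the build-system check still applies.

MIN_MAJOR=3

# openssl_version_ok "<output of 'openssl version'>"
# Returns 0 only for genuine OpenSSL with major version >= MIN_MAJOR.
# Returns 1 for OpenSSL below the minimum, 2 for another implementation
# (e.g. LibreSSL), 3 if the version field cannot be parsed.
openssl_version_ok() {
    banner=$1
    vendor=${banner%% *}      # first word: OpenSSL, LibreSSL, ...
    rest=${banner#* }
    version=${rest%% *}       # second word: 3.0.13, 1.1.1w, ...
    [ "$vendor" = "OpenSSL" ] || return 2
    major=${version%%.*}
    case $major in
        ''|*[!0-9]*) return 3 ;;
    esac
    [ "$major" -ge "$MIN_MAJOR" ] || return 1
    return 0
}

# Check the openssl binary found on PATH and report the result.
check_installed_openssl() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found on PATH" >&2
        return 3
    }
    banner=$(openssl version)
    if openssl_version_ok "$banner"; then
        echo "ok: $banner"
    else
        rc=$?
        echo "rejected (need OpenSSL >= ${MIN_MAJOR}.0.0): $banner" >&2
        return "$rc"
    fi
}
```

Calling `check_installed_openssl` at the end of a dependency or CI step makes the step fail when an EOL or non-OpenSSL binary is still first on PATH.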
Acceptance Criteria
- scripts/dependency.sh installs OpenSSL 3.x