OpenSSL ENGINE support for OpenSSH
Sergio Gelato
Sergio.Gelato at astro.su.se
Mon Jul 5 00:54:53 EST 2004
* Darren Tucker [2004-07-04 11:39:07 +1000]:
> The ENGINE functionality is not available in all OpenSSL versions that
> OpenSSH supports (it's not in 0.9.5 and it's a separate package for
> 0.9.6), so your patch will fail to compile on those.
Also, the changelog for OpenSSL 0.9.7a reveals that the developers have
seen fit to allow ENGINE support to be disabled at compile time.
>
> I don't know about adding it to the main tree.. comments?
I don't know either, but would expect the OpenBSD development team to have
a reasonably informed opinion about this.
As to why the OpenSSL developers don't turn ENGINE support on by
default, perhaps one can interpolate some of their reasons from
the contents of README.ENGINE in recent OpenSSL releases. If I
understood it right, their concerns include: not getting blamed
for bugs in third-party plug-ins; the fact that the ENGINE
support is still not feature-complete; and the limited amount of
testing it has had so far. But please don't take my word for this;
read theirs and decide for yourselves on the interpretation.
> If it is, it
> should be either detected automatically at build time or be a configure
> option (eg --with-ssl-engine). Maybe just something like this in defines.h:
>
> #if defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER > 0x0090700f)
> # define USE_OPENSSL_ENGINE
> #endif
In light of the changelog entry I just mentioned, this seems a little
too simple. (Even after the s/||/&&/ bugfix.) That leaves us with
configure-time detection/selection.
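The configure-time probe the message ends up recommending, as an added example that is not part of the thread and not OpenSSH's own configure script. It compiles and links a tiny test program against the installed OpenSSL: the version threshold is the 0x0090700f boundary from Darren's snippet, and the OPENSSL_NO_ENGINE check covers the 0.9.7a compile-time switch mentioned above (OPENSSL_NO_ENGINE is the macro OpenSSL defines when built with ENGINE support disabled). The function name check_ssl_engine, the use of $CC/$CFLAGS/$LDFLAGS, and linking with -lcrypto are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH's configure):
# a minimal configure-style probe for usable OpenSSL ENGINE support.
# Any failure (headers absent, library too old, built with no-engine,
# no compiler available) is reported as "no", which is the safe default
# for an optional feature.

# Prints "yes" if an ENGINE-enabled OpenSSL can be compiled and linked
# against, "no" otherwise. CC, CFLAGS and LDFLAGS may be set in the
# environment, e.g. to point at a non-default OpenSSL prefix.
check_ssl_engine() {
    cc_cmd=${CC:-cc}
    tmpdir=$(mktemp -d 2>/dev/null || mktemp -d -t sslengine)
    cat > "$tmpdir/conftest.c" <<'EOF'
#include <openssl/opensslv.h>
#include <openssl/engine.h>

/* Before 0.9.7 ENGINE was absent or a separate package. */
#if OPENSSL_VERSION_NUMBER < 0x0090700fL
#error "OpenSSL too old for integrated ENGINE support"
#endif

/* 0.9.7a and later can be built with ENGINE support compiled out. */
#ifdef OPENSSL_NO_ENGINE
#error "OpenSSL was built with no-engine"
#endif

int main(void)
{
    /* Reference a real ENGINE symbol so the link step checks libcrypto too. */
    ENGINE_load_builtin_engines();
    return 0;
}
EOF
    if "$cc_cmd" $CFLAGS $LDFLAGS -o "$tmpdir/conftest" \
            "$tmpdir/conftest.c" -lcrypto >/dev/null 2>&1; then
        result=yes
    else
        result=no
    fi
    rm -rf "$tmpdir"
    echo "$result"
}

# Usage: turn the probe result into a defines.h style line.
if [ "$(check_ssl_engine)" = yes ]; then
    echo "#define USE_OPENSSL_ENGINE 1"
else
    echo "/* #undef USE_OPENSSL_ENGINE */"
fi
```

A real configure script would additionally honour an explicit --with-ssl-engine / --without-ssl-engine switch so that the administrator can refuse ENGINE support even when the probe succeeds; the probe above only answers "could it be enabled", which is the detection half of the detection/selection pair the message describes.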