Progress resolving OpenSSL 1.1.0 issues

jpbion at jfwest.com jpbion at jfwest.com
Tue Dec 20 01:13:46 AEDT 2016


I know it has been stated that OpenSSL 1.1.0 is a non-starter for 
OpenSSH until a better compatibility system is provided by OpenSSL, 
allowing a single code-base to support interacting with both OpenSSL 
1.0.x and 1.1.x.

I also know various people have provided patches to OpenSSH offering 
such support, but it also seems as if OpenSSH is waiting for something 
official. These patches offered to OpenSSH may have forced users of 
OpenSSH to move to OpenSSL 1.1.x - I haven't checked that out, and I 
know that would be a non-starter. But perhaps they did offer a 
compatibility layer.

Finally, I also realize OpenSSH has to work with multiple different SSL 
providers, not just OpenSSL, and that OpenSSL has forced a whole slew of 
changes on its 'customers'.

I worry about a deadlock, though. Does the OpenSSL team even know that 
the OpenSSH project will not move toward 1.1.0 support until it provides 
a simpler and official multi-version compatibility system? If there is 
no communication with them, it is unlikely they'll think of working on 
the compatibility system themselves (else it would have already been 
provided, because it's a rather obvious and important need). Or is the 
OpenSSH team simply saying "until there is one, we won't support OpenSSL 
1.1.0" - hoping it just happens - but not making effort to see that it 
does?

OpenSSH is one of the more important SSL 'customers'. The view of "nope; 
I won't code a custom compatibility system" may absolutely be the right 
thing to say and do. But do we even have OpenSSL's ear, to make sure 
what was said here was heard?

Thanks!
Joel


More information about the openssh-unix-dev mailing list