OpenSSL 1.1.0 support

Jakub Jelen jjelen at redhat.com
Tue Nov 15 02:36:28 AEDT 2016


On 11/02/2016 11:33 PM, Damien Miller wrote:
> On Wed, 2 Nov 2016, Stuart Henderson wrote:
>
>> On 2016-11-02, Jakub Jelen <jjelen at redhat.com> wrote:
>>> The current set of patches, rebased on current upstream, is attached
>>> with a few more tweaks needed to build, pass the testsuite and make it work.
>>> The upstream review and insight would be helpful.
>> Since these are going to break things with LibreSSL, I doubt they'll be
>> acceptable as-is.
> This is the nub of the problem: upstream (OpenBSD) OpenSSH targets
> LibreSSL natively (it's also used by Apple for their OS X builds). If we
> pick up the 1.1.0 patch, we'd probably have to do it in portable because
> there's little point in patching OpenBSD for API that doesn't exist
> there. I don't want to have to carry such a major divergence in just the
> portable tree.

Thank you for the comments. I understand the upstream directions and
that the OpenSSL step is not ideal. The distros will probably have to
carry these patches until the changes settle down a bit.

Another possible solution we were discussing here was the implementation of
a non-OpenSSL-specific abstraction layer for crypto operations, which would
allow implementation of the crypto-library-specific bits in a separate file
(unlike the current situation, with calls all over the place) and would
possibly allow different crypto library providers, in a similar way to how the
audit is handled at this moment. It would also abstract the code from
the changes in one or the other crypto library interface. Would
something like this be acceptable for OpenSSH upstream?

Kind regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat