OpenSSL 1.1.0 support
Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem
root at doctor.nl2k.ab.ca
Tue Nov 15 04:31:25 AEDT 2016
On Mon, Nov 14, 2016 at 04:36:28PM +0100, Jakub Jelen wrote:
> On 11/02/2016 11:33 PM, Damien Miller wrote:
> > On Wed, 2 Nov 2016, Stuart Henderson wrote:
> >
> >> On 2016-11-02, Jakub Jelen <jjelen at redhat.com> wrote:
> >>> The current set of patches, rebased on current upstream, is attached
> >>> with a few more tweaks needed to build, pass the testsuite and make it work.
> >>> The upstream review and insight would be helpful.
> >> Since these are going to break things with LibreSSL, I doubt they'll be
> >> acceptable as-is.
> > This is the nub of the problem: upstream (OpenBSD) OpenSSH targets
> > LibreSSL natively (it's also used by Apple for their OS X builds). If we
> > pick up the 1.1.0 patch, we'd probably have to do it in portable because
> > there's little point in patching OpenBSD for API that doesn't exist
> > there. I don't want to have to carry such a major divergence in just the
> > portable tree.
>
> Thank you for the comments. I understand the upstream directions and
> that the OpenSSL step is not ideal. The distros will probably have to
> carry these patches until the changes settle down a bit.
>
> Another possible solution we were discussing here was the implementation
> of a non-OpenSSL-specific abstract layer for crypto operations, which would
> allow implementation of crypto-library-specific bits in a separate file
> (unlike the current situation with calls all over the place) and would
> possibly allow different crypto library providers, similar to how the
> audit is handled at this moment. It would also abstract the code from
> the changes in one or the other crypto library interface. Would
> something like this be acceptable for OpenSSH upstream?
>
All SSL developers have to take into account
1) LibreSSL
2) OpenSSL 1.0.X and below
and
3) OpenSSL 1.1+
So stop living in the past and march towards the future.
> Kind regards,
>
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat
--
For effective Internet Etiquette and communications read
http://catb.org/jargon/html/T/top-post.html, http://idallen.com/topposting.html
& http://www.caliburn.nl/topposting.html