OpenSSL 1.1.0 support

Roumen Petrov openssh at
Sat Nov 19 19:56:59 AEDT 2016

Jakub Jelen wrote:
> On 11/15/2016 12:02 AM, Damien Miller wrote:
>> On Mon, 14 Nov 2016, Jakub Jelen wrote:
>>> Thank you for the comments. I understand the upstream directions and
>>> that the OpenSSL step is not ideal. The distros will probably have to
>>> carry these patches until the changes will settle down a bit.
>> AFAIK Red Hat employs at least one OpenSSL maintainer. What is their
>> view on this situation?
> Yes, you got a message off-the-list from Tomas Mraz, our OpenSSL 
> maintainer, one week ago. The OpenSSL certainly wants to resolve these 
> issues from their side (compat library in addition to 1.0.2 from 
> OpenSSL side). 
I don't think that this is so important. Each project has a specific use
of the crypto library and it is not so difficult to write a compatibility
layer. I know a number of projects that already have such a layer.

> But that will not help us with compatibility against LibreSSL if I see 
> right.
If a compatibility layer is written properly, OpenSSL-compatible libraries
will be supported as well.
For instance, PKIX-SSH mainly tests for the presence of each feature and
as a result supports builds with various OpenSSL versions, including FIPS
or Kerberos enabled. Such tests ensure builds with OpenSSL compatible

Using cryptographic library A or B, version c or d, etc. depends on
many things. One criterion is that known defects are fixed, but this is
off-topic to OpenSSL API 1.1 support.

Just one remark: A long time ago the OpenSSL team announced a plan to hide
structures to ensure better compatibility between releases. The team missed
the 1.0 release, but now this is a fact.

Roumen Petrov

Secure shell with X.509 certificate support
