OpenSSL 1.1.0 support
Roumen Petrov
openssh at roumenpetrov.info
Sat Nov 19 19:56:59 AEDT 2016
Jakub Jelen wrote:
> On 11/15/2016 12:02 AM, Damien Miller wrote:
>> On Mon, 14 Nov 2016, Jakub Jelen wrote:
>>> Thank you for the comments. I understand the upstream directions and
>>> that the OpenSSL step is not ideal. The distros will probably have to
>>> carry these patches until the changes will settle down a bit.
>> AFAIK Red Hat employs at least one OpenSSL maintainer. What is their
>> view on this situation?
> Yes, you got a message off-the-list from Tomas Mraz, our OpenSSL
> maintainer, one week ago. The OpenSSL certainly wants to resolve these
> issues from their side (compat library in addition to 1.0.2 from
> OpenSSL side).
I don't think that this is so important. Each project has a specific use
of the crypto library, and it is not so difficult to write a compatibility layer.
I know a number of projects that already have such a layer.
> But that will not help us with compatibility against LibreSSL if I see
> right.
If the compatibility layer is written properly, OpenSSL-compatible libraries
will be supported as well.
For instance, PKIX-SSH mainly tests for the presence of each feature and
as a result supports builds with various OpenSSL versions, including FIPS
or Kerberos enabled. Such tests ensure builds with OpenSSL-compatible
libraries.
Using cryptographic library A or B, version c or d, etc. depends on
many things. One criterion is that known defects are fixed, but this is
off-topic to OpenSSL API 1.1 support.
Just one remark: a long time ago the OpenSSL team announced a plan to hide
structures to ensure better compatibility between releases. The team missed
the 1.0 release, but now this is a fact.
Regards,
Roumen Petrov
--
Secure shell with X.509 certificate support
http://roumenpetrov.info/secsh/
More information about the openssh-unix-dev
mailing list