OpenSSL 1.1 support status : what next?

Ingo Schwarze schwarze at usta.de
Fri Jun 23 09:26:31 AEST 2017


Hi Emmanuel,

Emmanuel Deloget wrote on Fri, Jun 23, 2017 at 12:26:47AM +0200:

> * the openssl team has no real incentive to propose a shim ;

If major application projects refuse to support their new release,
thus putting pressure on operating system distributions to not
completely switch to 1.1 either, that is not an incentive?

> Did I miss something?

Maybe you are striving for the wrong goal.  It is not a goal to
clobber something together and encourage OpenSSL to repeat such
recklessness in the future, and leave users out in the rain once
again.  It is not a goal either to create a shim that is not
officially audited and thoroughly tested by the original authors
who know their original code best, to create a shim that creates
additional dangers for security.  We are talking about security
software here, so this is not the place at all to lightly cobble
something together, in particular not in ways involving many lines
of additional code.

If a few important projects keep up resistance and refuse support
for 1.1 until OpenSSL rolls up their sleeves and fixes the mess
they have created, maybe they will eventually realize that they
started a job here, wandered off half-way, and failed to ever
properly finish it.

So, such resistance has a chance to improve the situation for
everybody.  And I can't think of many projects that are in as
widespread use as OpenSSH, and hence can be more valuable with
respect to such resistance.

Just my personal 2 cents,
yours,
  Ingo
