OpenSSL 1.1 support status : what next?

Aris Adamantiadis aris at 0xbadc0de.be
Tue Jun 27 05:16:46 AEST 2017


Having done this with libssh, this is far from trivial, even for the
rather simple primitives required by SSH. Abstracting some concepts
across very different libraries that deal with them in different ways
(e.g. libcrypto vs libgcrypt) can introduce some nasty bugs. OpenSSH has
always had KISS in mind, so I wouldn't blame them for avoiding support
for additional libraries, or for dropping OpenSSL 1.1 and sticking to
LibreSSL altogether.

On the subject of OpenSSL, Jakub Jelen provided us with an
OpenSSL 1.1-to-1.0 shim that works, but is not free of bugs.
I would definitely have appreciated it if OpenSSL had written that shim
themselves (they say it's trivial; of course it is not). The big
problem currently is that any application that does nontrivial low-level
cryptography cannot use a single API that will work with both of them;
they're 100% incompatible.

Aris


On 24/06/17 14:06, George M. Garner Jr. wrote:
> I think that this is the better approach.  The question I have is why
> the SSH logic should be dependent on the implementation details of ANY
> particular cryptographic library (be it openssl, libressl or
> whatever)? Proper software design would develop an abstraction layer
> with some measure of forward compatibility built in.
>
> On 6/23/2017 3:16 PM, Douglas E Engert wrote:
>> OpenSC has taken a different approach to OpenSSL-1.1. Rather than
>> writing a shim for OpenSSL-1.1, the OpenSC code has been converted to
>> the OpenSSL-1.1 API and a "sc-ossl-compat.h" file consisting of
>> defines and macros was written to support older versions of OpenSSL
>> and Libressl.
>>
>> https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h
>>
>>
>> The nice part of this approach is that when using OpenSSL-1.1
>> sc-ossl-compat.h does not do anything. Its sole purpose is to provide
>> calls to the older APIs that are not going to change, and eventually
>> the sc-ossl-compat.h could be removed.
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
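The approach Douglas describes above (write the application against the OpenSSL 1.1 accessor API, and ship a compat header that is empty on 1.1 and supplies the missing accessors on 1.0.x) looks like the following in miniature. This is an added example written for this archive page, not code from OpenSC, OpenSSH or OpenSSL. To build offline without libcrypto it carries a constructed stand-in for the pre-1.1 public `struct rsa_st` and a constructed `DEMO_OPENSSL_VERSION_NUMBER` macro; against a real installation you would include `<openssl/rsa.h>` and test `OPENSSL_VERSION_NUMBER` instead. The accessor name and signature (`RSA_get0_key`) are the real 1.1 ones.

```c
/*
 * Added example: the "convert to the 1.1 API, shim older versions" pattern.
 * Everything marked "stand-in" is constructed so the file compiles without
 * OpenSSL; only RSA_get0_key's name and signature mirror the real library.
 */
#include <stddef.h>
#include <stdint.h>

/* Stand-in for OPENSSL_VERSION_NUMBER. 0x1000207fL mimics a 1.0.2 build,
 * so the compat shim below is compiled in. Define it as 0x10100000L or
 * higher to see the shim drop out entirely. */
#ifndef DEMO_OPENSSL_VERSION_NUMBER
#define DEMO_OPENSSL_VERSION_NUMBER 0x1000207fL
#endif

/* Stand-in for BIGNUM; the real type is opaque and irrelevant here. */
typedef struct bignum_st { uint64_t value; } BIGNUM;

#if DEMO_OPENSSL_VERSION_NUMBER < 0x10100000L
/* Stand-in for the pre-1.1 layout: the struct is public and legacy code
 * reached into r->n, r->e, r->d directly, which is what broke with 1.1. */
typedef struct rsa_st { BIGNUM *n, *e, *d; } RSA;
#else
/* From 1.1 on the struct is opaque; libcrypto provides the accessor. */
typedef struct rsa_st RSA;
void RSA_get0_key(const RSA *r, const BIGNUM **n,
                  const BIGNUM **e, const BIGNUM **d);
#endif

/* ---- the compat header: does nothing on 1.1, fills the gap before ---- */
#if DEMO_OPENSSL_VERSION_NUMBER < 0x10100000L
/* Same contract as the real accessor: each output pointer may be NULL
 * when the caller is not interested in that component. */
static inline void RSA_get0_key(const RSA *r, const BIGNUM **n,
                                const BIGNUM **e, const BIGNUM **d)
{
    if (n) *n = r->n;
    if (e) *e = r->e;
    if (d) *d = r->d;
}
#endif

/* ---- application code, written once against the 1.1 API only ---- */

/* Returns 1 if the key carries a private exponent, 0 for a public-only
 * key. It never touches struct fields, so it compiles unchanged on both
 * generations of the library; only the compat block above varies. */
int rsa_has_private_part(const RSA *r)
{
    const BIGNUM *d = NULL;
    RSA_get0_key(r, NULL, NULL, &d);
    return d != NULL;
}

/* Returns the public exponent value, or 0 if it is absent. Same idea:
 * accessor only, no knowledge of the struct layout. */
uint64_t rsa_public_exponent(const RSA *r)
{
    const BIGNUM *e = NULL;
    RSA_get0_key(r, NULL, &e, NULL);
    return e ? e->value : 0;
}
```

Plain renames between the generations (for instance `EVP_MD_CTX_create` becoming `EVP_MD_CTX_new`) go into the same guarded block as one-line `#define`s, which is the "defines and macros" part of the OpenSC header; the point that matters is that the guard makes the whole block vanish on 1.1, so the application never carries two code paths.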
