Status of OpenSSL 1.1 support

Ingo Schwarze schwarze at usta.de
Sat Oct 14 10:24:11 AEDT 2017


Hi Sebastian,

Sebastian Andrzej Siewior wrote on Fri, Oct 13, 2017 at 11:58:12PM +0200:

> more or less a year ago Kurt Roeckx provided an initial port towards the
> OpenSSL 1.1 API [0]. The patch has been left untouched [1] and there have
> been complaints about a missing compat layer for the new vs the old API
> within the OpenSSL library [2].
> This is how I reconstructed the situation as of today and I am not
> aware of any progress in regard to the newer library within the OpenSSH
> project. Did I miss any significant development?

No, I'm not aware that OpenSSL provided any further help for
downstream projects who are forced to provide continued support
for the 1.0 API.

Note that even switching over LibreSSL to the OpenSSL-1.1 API - which
would be a huge effort, and it's unclear if and when it might happen -
would not solve the main problem because OpenSSH must remain able
to build on operating systems that provide OpenSSL-1.0 only.

> In the `meantime', OpenSSL provides a kind of compat layer [3] which
> (they suggested) should be included in the downstream projects [4].
> 
> Is this enough / acceptable? What would the project like to see? I know
> that OpenBSD itself is more focused on the LibreSSL library but I would
> like to avoid that everyone carries (and maintains) a big patch around.
> 
> [0] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-September/035378.html
> [1] I know that Fedora ships it.
> [2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035456.html
> [3] https://wiki.openssl.org/images/e/ed/Openssl-compat.tar.gz
> [4] https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes#Compatibility_Layer

That question is slowly turning into a frequently answered one:

  https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-July/036115.html

Nobody commented on that cautious assessment, so I think it is safe to
reword the answer more explicitly, even though that may seem slightly
more aggressive:

The so-called "compatibility layer" on that wiki page [4] you quote
appears to be incomplete, untested, unmaintained, hence untrustworthy
and unusable in a security context like OpenSSH.


Consequently, no support for OpenSSL-1.1 is in sight.

If you want to run on an operating system that burnt all bridges
and only supports OpenSSL-1.1 but no longer OpenSSL-1.0, then the
only responsible thing you can do is to build OpenSSH against
LibreSSL rather than against OpenSSL on that platform.  It should
work quite well because LibreSSL supports a wide range of modern
platforms by now:

  https://www.libressl.org/releases.html

Note that on operating systems with a good package manager,
it *is* possible to install LibreSSL and OpenSSL in parallel.
For example, OpenBSD contains LibreSSL by default, yet you can
easily install a port of OpenSSL in parallel if you want to,
simply by issuing the command

  # pkg_add openssl

without need for any further manual configuration.
The reverse can be implemented on systems that use OpenSSL by default.

Yours,
  Ingo